
phprestrict Plugin

Compatible with DokuWiki

  • 2017-02-19 "Frusterick Manners" yes
  • 2016-06-26 "Elenor Of Tsort" yes
  • 2015-08-10 "Detritus" yes
  • 2014-09-29 "Hrun" unknown

plugin Restrict PHP inclusion to pages by namespace or name

Last updated on: 2016-11-23
Provides: Action
Repository: Source

Tagged with php, security

Installation

Install the plugin using the Plugin Manager and the download URL above, which points to the latest version of the plugin. Refer to Plugins on how to install plugins manually.

Examples/Usage

A simple action plugin that overrides the current DokuWiki Allow-PHP mechanism and allows you to enable PHP on specific pages and namespaces. You can also disable the ability to view the source of PHP-enabled pages.

Configuration and Settings

Use the configuration manager to specify the pages and namespaces you want PHP to be permitted on, and use the ACL to define which users have the ability to accidentally delete your wiki (grin).

In the plugin»phprestrict»paths field, enter one or more paths, separated by commas or newlines. PHP will only be permitted if the page matches one of the paths.

  • namespace:pagename – permits PHP on a specific page in a namespace
  • namespace:prefix* – permits PHP on a range of pages in a namespace.
  • namespace: – permits PHP on all pages in a namespace.
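
To audit which pages a given paths value opens up to PHP (and so which pages need tight edit ACLs), the three pattern forms above can be evaluated against a list of page IDs. This is an added example, not the plugin's own code: the function names, the sample setting and the page IDs are constructed, and lowercasing IDs and treating `namespace:` as covering sub-namespaces are assumptions.

```php
<?php
// Added audit helper, not the plugin's code. Interprets the three documented
// pattern forms; function names and sample data are hypothetical.

/** Split the paths setting on commas or newlines, dropping empty entries. */
function parse_paths(string $setting): array
{
    $parts = preg_split('/[,\r\n]+/', $setting);
    $parts = array_map(fn($p) => strtolower(trim($p)), $parts);
    return array_values(array_filter($parts, fn($p) => $p !== ''));
}

/** Return the first pattern that permits PHP on $id, or null if none does. */
function php_permitted_by(string $id, array $patterns): ?string
{
    $id = strtolower(trim($id, ':'));
    foreach ($patterns as $p) {
        if (substr($p, -1) === '*') {
            // "namespace:prefix*": page ID starts with the text before the *
            $prefix = substr($p, 0, -1);
            $hit = strncmp($id, $prefix, strlen($prefix)) === 0;
        } elseif (substr($p, -1) === ':') {
            // "namespace:": any page in the namespace (assumed to include
            // sub-namespaces, so the audit over-reports rather than misses)
            $hit = strncmp($id, $p, strlen($p)) === 0;
        } else {
            // "namespace:pagename": exact page only
            $hit = ($id === $p);
        }
        if ($hit) {
            return $p;
        }
    }
    return null;
}

// Constructed sample setting (commas and a newline) and page IDs
$setting = "admin:tools:, reports:stats*\nwiki:phpdemo";
$pages = ['admin:tools:backup', 'reports:stats2016', 'reports:summary',
          'wiki:phpdemo', 'wiki:phpdemo2', 'start'];

$patterns = parse_paths($setting);
foreach ($pages as $id) {
    $by = php_permitted_by($id, $patterns);
    printf("%-20s %s\n", $id, $by === null ? 'PHP blocked' : "PHP permitted by '$by'");
}
```

Every page the helper reports as permitted should have its edit permission in the ACL limited to users trusted to run PHP on the server.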

The plugin»phprestrict»hide setting lets you disable view-source, export and revision history on pages where PHP is enabled (whether or not they actually have PHP on them). This is the default since you don't want people reading your code.

Change Log

  • 2016-05-30
    • Initial release
  • 2016-06-07
    • 1.1; minor cleanups, added disabling of revision history. Fixed problem with extra level of folder nesting in the GIT repository (newbie mistake)
  • 2016-11-23
    • Pointfix: Disabled execution of <PHP> content on history pages (which would permit execution of old/obsolete code if the history pages were visible or the history page url was known).

FAQ

Forum

Discussion

This is my first DokuWiki plugin. Your feedback is appreciated.

2016-09-14 (Wild Dagger) : Hello, many thanks for this plug-in! I expected this kind of extension. Is it possible to develop a way of disabling some PHP functions? (I am thinking of “phpinfo();”, for example)

2016-09-14 (MadOverlord) : I don't know if it is possible, and it is a bit out of scope. The whole point of the plugin is that it lets you restrict who can use PHP by specifying where PHP is allowed and then using the ACL to restrict who can edit those pages. If you let a bad actor have access to PHP, having them be able to execute phpinfo(); is the least of your problems!

2016-09-14 (Wild Dagger) : Thank you for the quick response, how can we help you to translate the plug-in?

2016-09-14 (MadOverlord) : I do not understand what you mean by 'translate the plug-in'. You will have to be more explicit. All the code is available in the plugin download and on github: https://github.com/RJWoodhead/dokuwiki-plugin-phprestrict

2016-09-14 (Wild Dagger) : /lang/en/settings.php or more to other language.

2016-09-14 (MadOverlord) : If you wish to add support in the settings for another language, just submit a pull request to add a lang/xx/settings.php file.

2016-09-14 (Wild Dagger) : Thank you MadOverlord :) What do you mean about “Disable view/export/revisions on PHP-enabled pages” ?

When I enable the option (in Release 2016-06-26a “Elenor of Tsort” with default template):

  • A simple user with Read permission (ACL):
    • ?do=export_raw → Command disabled: export_raw
    • ?export_xhtml → works (does not show the php code)
    • ?do=export_xhtml → works (does not show the php code)
    • ?export_xhtmlbody → works (does not show the php code)
    • ?do=export_xhtmlbody → works (does not show the php code)
    • ?do=edit → works (shows the source code)
    • I have not tested the revised options

2016-09-14 (MadOverlord) Wild Dagger : I believe you may have given the user additional permissions. For the default (non-logged in user) with read access, when I try ?do=edit, I get “Command disabled: source”. If the user is granted edit access, he can obviously edit the page and see the source – that is intended.

2016-09-14 (Wild Dagger) Thank you for all these details, I'll enable 'View source' in 'Actions to disable in DokuWiki' for my closed dokuwiki ;-) and if I understand the option “Disable view / export / revisions on PHP-enabled pages?” in your plug-in is only for public dokuwiki (no register). Good plug-in but I think that some users would like to see the sources (excluding php pages) in closed dokuwiki. ( not me ;-) )

plugin/phprestrict.txt · Last modified: 2017-03-04 13:45 by MadOverlord