Pikchr

Link to wiki sandbox page on the home page

(1) By Stephan Beal (stephan) on 2020-09-13 00:06:17

@Richard,

The pikchr home page, under "try it out", links to the wikiedit?name=Sandbox, but that page won't currently open for users without WrWiki permissions.

That's fixed in:

https://fossil-scm.org/home/info/bff3df00b80ffe47

/wikiedit now allows anyone with at least RdWiki rights to open it. They still cannot save anything, and running a preview works only for the special-case Sandbox page - preview on all other pages currently requires WrWiki access (we can relax that restriction if you like, but there would seem to be little need to allow non-write users the ability to make local edits they cannot save).

Users without at least RdWiki permissions cannot open wikiedit because that would give them access to the list of wiki pages, which they otherwise wouldn't be granted via the older pages. The wikiedit ajax routes have also been hardened in that regard: it was previously possible to leak wiki content to non-RdWiki users who had decoded the wikiedit-internal ajax APIs and applied them (via their browser dev console) to sites where they lacked RdWiki access.

(2) By sean (sean__) on 2020-09-13 00:54:15 in reply to 1

When I attempt to preview the other wiki pages, I get this message:

2020-09-13 00:49:09 UTC: Exception: Error: Requires wiki-write permissions.

Replication steps

  1. visit https://fossil-scm.org/pikchr/wikiedit?name=Sandbox
  2. Click wiki page list
  3. Load advantages page
  4. Click preview

Notice I didn't change anything in the page and it still denies a preview.

This is probably expected, and if I want to view the page, I can use the [viewer] link.

Perhaps a small enhancement later on could be to hide the preview tab if the user doesn't have write permissions?

(3) By Stephan Beal (stephan) on 2020-09-13 01:10:38 in reply to 2

> Perhaps a small enhancement later on could be to hide the preview tab if the user doesn't have write permissions?

i'm not really convinced that we should disable preview for users with only RdWiki access. It was done that way for reasons of "better safe than sorry," but after having seen wikiedit in action for a while, it seems perfectly reasonable to me to use it as a wiki reader, too. Saving still won't work without WrWiki access, but there would seem to be no harm in allowing a read user to post a preview - we now do the same thing with pikchrshow.

i'll make that change (allow preview with only RdWiki access) momentarily, and if Richard objects he can glare menacingly and i'll revert it.

(4) By sean (sean__) on 2020-09-13 01:15:15 in reply to 3

> it seems perfectly reasonable to me to use it as a wiki reader, too. Saving still won't work without WrWiki access, but there would seem to be no harm in allowing a read user to post a preview - we now do the same thing with pikchrshow.

That's a perfectly legitimate point. Perhaps in the status bar it could say something like "Loaded in read only" or "Unable to save" or even nothing at all. ;)

(5) By Stephan Beal (stephan) on 2020-09-13 01:19:20 in reply to 4

> That's a perfectly legitimate point. Perhaps in the status bar it could say something like "Loaded in read only" or "Unable to save" or even nothing at all. ;)

The app doesn't really know whether a save can work until it tries, and those permissions may literally come and go during the lifetime of that page's session (that's how i tested these changes - adding/removing nobody's wiki rights while that user used wikiedit in another browser).

https://fossil-scm.org/fossil/info/18dee26eee8da715

removes the write-access requirement for preview requests. With that change, for non-write users wikiedit will work just fine until they try to save something, at which point it will complain loudly.
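
The access rules this thread ends up with, sketched as an added example (not Fossil's code and not part of any post above): each ajax route checks the caller's current capabilities on the server for every request, so calling a route directly from a browser dev console gains nothing, and a permission revoked mid-session takes effect on the next request. The route names, user table and status codes are assumptions; only the RdWiki and WrWiki capability names come from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Capability bits named after the permissions discussed in the thread. */
enum { CAP_RDWIKI = 1, CAP_WRWIKI = 2 };

/* Constructed stand-in for the server's user table; caps may change at any time. */
struct user { const char *name; unsigned caps; };
static struct user g_users[] = {
  {"nobody", 0}, {"reader", CAP_RDWIKI}, {"editor", CAP_RDWIKI | CAP_WRWIKI},
};

/* Hypothetical ajax route names and the capability each one requires. */
static const struct { const char *route; unsigned need; } g_routes[] = {
  {"list", CAP_RDWIKI}, {"fetch", CAP_RDWIKI},
  {"preview", CAP_RDWIKI}, {"save", CAP_WRWIKI},
};

static struct user *find_user(const char *name) {
  for (size_t i = 0; i < sizeof g_users / sizeof g_users[0]; i++)
    if (strcmp(g_users[i].name, name) == 0) return &g_users[i];
  return NULL;
}

/* Simulates an admin granting or revoking rights while a session is open. */
void set_caps(const char *name, unsigned caps) {
  struct user *u = find_user(name);
  if (u) u->caps = caps;
}

/* Returns 200 if allowed, 403 if the caller lacks the capability, 404 for an
   unknown route. Capabilities are looked up on every call, never cached per
   session, and the check does not depend on what the editor page displayed. */
int ajax_dispatch(const char *user, const char *route) {
  struct user *u = find_user(user);
  unsigned have = u ? u->caps : 0;  /* unknown user: no capabilities */
  for (size_t i = 0; i < sizeof g_routes / sizeof g_routes[0]; i++)
    if (strcmp(g_routes[i].route, route) == 0)
      return (have & g_routes[i].need) == g_routes[i].need ? 200 : 403;
  return 404;
}

int main(void) {
  printf("nobody fetch   -> %d\n", ajax_dispatch("nobody", "fetch"));
  printf("reader preview -> %d\n", ajax_dispatch("reader", "preview"));
  printf("reader save    -> %d\n", ajax_dispatch("reader", "save"));
  set_caps("reader", 0);  /* rights removed while the page is still open */
  printf("reader list    -> %d\n", ajax_dispatch("reader", "list"));
  return 0;
}
```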