author: https://social.mayfirst.org/mjray <mjray@web> 2018-02-05 06:51:48 -0400
committer: admin <admin@branchable.com> 2018-02-05 06:51:48 -0400
commit: 36bb1f6dc74bcd8d81e0f0471897d109e0bd5282 (patch)
tree: 4ce02f055152cd8b24d0e22c47a8b9d290a202e6 /doc/todo
parent: c4042853b3bb8ef68654fd38adfa50a4b7220f4b (diff)
download: ikiwiki-36bb1f6dc74bcd8d81e0f0471897d109e0bd5282.tar, ikiwiki-36bb1f6dc74bcd8d81e0f0471897d109e0bd5282.tar.gz
Try to explain editor loophole to viewing restrictions
Diffstat (limited to 'doc/todo')
-rw-r--r-- doc/todo/Restrict_page_viewing.mdwn 4
1 files changed, 4 insertions, 0 deletions
diff --git a/doc/todo/Restrict_page_viewing.mdwn b/doc/todo/Restrict_page_viewing.mdwn
index 20b59cb13..d40cee6d1 100644
--- a/doc/todo/Restrict_page_viewing.mdwn
+++ b/doc/todo/Restrict_page_viewing.mdwn
@@ -40,3 +40,7 @@ much more maintainable htaccess file.
>>>>> If you use the httpauth and the cgiauthurl method, you can restrict a path
>>>>> like /private/* to be accessible only under the authenticated request uri.
+
+>>>>>> Note that if editing is enabled, then you should set the restriction in locked_pages too
+>>>>>> or they may be able to view pages by editing the page= value in the editor's
+>>>>>> query string. --[mjr](http://mjr.towers.org.uk/)
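Review bot: the second added line ("or they may be able to view pages by editing the page= value in the editor's query string") uses "they" with no antecedent, and the note never says what the locked_pages value should be. Name the subject explicitly (users who can reach the editor but are not meant to see the restricted path) and state that locked_pages has to cover the same pages as the path restriction described in the comment above, for example a PageSpec matching private/* if /private/* is the restricted path. It would also help to say in one sentence why the loophole exists: the restriction above applies to the request URI, while the editor selects the page from the page= query parameter, so a restricted page's content is reachable through the editor unless editing is locked for it. Without that, a reader who applies only the path restriction has no way to tell from this note that page content is still exposed.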