Try to explain editor loophole to viewing restrictions

author https://social.mayfirst.org/mjray <mjray@web>

Mon, 5 Feb 2018 10:51:48 +0000 (06:51 -0400)

committer admin <admin@branchable.com>

Mon, 5 Feb 2018 10:51:48 +0000 (06:51 -0400)
author https://social.mayfirst.org/mjray <mjray@web>
Mon, 5 Feb 2018 10:51:48 +0000 (06:51 -0400)
committer admin <admin@branchable.com>
Mon, 5 Feb 2018 10:51:48 +0000 (06:51 -0400)
diff --git a/doc/todo/Restrict_page_viewing.mdwn b/doc/todo/Restrict_page_viewing.mdwn

index 20b59cb13f396566a4d33f7fa21c203caacbdec0..d40cee6d1bb9013f6273a1bb8a7e7b07c1fe8b2e 100644 (file)
--- a/doc/todo/Restrict_page_viewing.mdwn
+++ b/doc/todo/Restrict_page_viewing.mdwn
@@ -40,3 +40,7 @@ much more maintainable htaccess file.
  
  >>>>> If you use the httpauth and the cgiauthurl method, you can restrict a path 
  >>>>> like /private/* to be accessible only under the authenticated request uri.
+
+>>>>>> Note that if editing is enabled, then you should set the restriction in locked_pages too
+>>>>>> or they may be able to view pages by editing the page= value in the editor's
+>>>>>> query string. --[mjr](http://mjr.towers.org.uk/)
author	https://social.mayfirst.org/mjray <mjray@web>
	Mon, 5 Feb 2018 10:51:48 +0000 (06:51 -0400)
committer	admin <admin@branchable.com>
	Mon, 5 Feb 2018 10:51:48 +0000 (06:51 -0400)