Security Configuration

By default Fox is prohibited from posting to any page. $FoxPagePermissions needs to be set with page patterns and associated actions before Fox can do anything, with only a few exceptions!

An admin can set a number of variables to control some posting permissions, as local configurations, sitewide in config.php or restricted to groups or pages. All Fox configuration variables need to be set before including the fox.php script. Do not use local/Group.php or local/Group.Name.php files for setting configuration variables, if you use include_once( in config.php, as such customisation files will only be loaded after config.php! Use conditionals in config.php instead. See the example below.

$FoxAuth = 'edit';
By default users with edit permission are allowed to post. Set $FoxAuth = 'read'; to open posting to pages which are edit protected. Set $FoxAuth = 'ALWAYS'; to allow posting even to pages which are read protected (private pages). Consider setting $FoxAuth to the right level for just the pages you need, using conditionals in config.php, before including fox.php. If you want logged-in users to post, but not allow them to edit pages, consider adding a new authorisation level (see Adding AuthLevels).
$EnablePostDirectives = false;
By default users are not allowed to post directives of form (:...:). Set $EnablePostDirectives = true; to allow posting of directives.
$EnableFoxUrlInput = false;
By default input via url parameters is not permitted. Setting it to 'true' will allow such input.
$EnableAccessCode = false;
By default a special randomly generated access code is not required. Set $EnableAccessCode = true; to require use of an access code. You also need to provide a hidden accesscode field and a text field named access in which the user enters the access code, which is displayed via the page variable {$AccessCode}.
$EnableFoxDeleteMsg = false;
Set to true if you want a delete confirmation message displayed when clicking any delete links or buttons. If desired, change $FoxDeleteMsg, the default confirmation message, which is:
$FoxDeleteMsg = 'Please confirm: Do you want to delete this post?';
$FoxPagePermissions['namepattern'] = 'action';
This is an array of page name patterns as keys and allowed or disallowed Fox actions as values. By default it is prohibited to post to any pages. The admin needs to add patterns and associated actions in order for Fox to be permitted posting or deleting posts etc. Page name patterns can be added to SiteAdmin.FoxConfig (you need to create this page, see example below) or to a local config file (for instance config.php) using
$FoxPagePermissions['namepattern'] = "actionname,actionname,..";. Action names are add, replace, ptv, copy, newedit, delete, pagedelete, mail, all, none. all meaning all Fox actions are allowed, none meaning no Fox actions are allowed. See examples in box below.
Fox is allowed to post to the page which contains the form (current page) and to other pages if certain string patterns are present in the page. Fox looks for strings (:foxprepend, (:foxappend or (:foxallow and for (:fox formname .
$FoxConfigPageFmt = '$SiteAdminGroup.FoxConfig';
Default page for page permission patterns (you need to create it if you want it; alternatively add to the $FoxPagePermissions array). Add each pattern on a new line, like Test.*: add,delete (this will allow posting and deleting of posts (via Fox delete links) on any page in the Test group). These patterns are read as part of $FoxPagePermissions.

Configuration example for config.php:

# allow comment posting for all visitors in group 'Public'
$group = PageVar($pagename, '$Group');
if ($group=='Public') {
   $FoxAuth = 'read';
   $FoxPagePermissions['Public.*'] = 'add';
}
# allow all foxactions on all pages for admin
if (CondAuth($pagename,'admin')) {
   $EnableFoxUrlInput = 'true';
   $FoxPagePermissions['*.*'] = 'all';
}

Page permission example using SiteAdmin.FoxConfig:

# allow adding or deleting posts for pages in Test group:
Test.*: add,delete
# allow adding but deny deleting posts for pages in Data group:
Data.*: add,-delete
# Deny any Fox actions in SiteAdmin group:
SiteAdmin.*: none
# Allow all actions on all pages (if you can trust all editors)
*.*: all
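
An added example, not part of Fox or of the original page: a small Python check that parses permission lines in the SiteAdmin.FoxConfig format shown above and flags unknown action names and broad grants before the page is saved. The function names, the set of actions singled out for review and the sample input are assumptions made for this illustration.

```python
# Action names as listed on this page.
ACTIONS = {"add", "replace", "ptv", "copy", "newedit", "delete",
           "pagedelete", "mail", "all", "none"}
# Assumption for this example: the actions an admin wants to see before granting widely.
REVIEW = {"delete", "pagedelete", "all"}

def parse_rules(text):
    """Return [(lineno, pattern, allowed, denied)], skipping blanks and # comments."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, sep, actions = line.partition(":")
        if not sep:
            raise ValueError(f"line {n}: expected 'pattern: actions'")
        names = [a.strip() for a in actions.split(",") if a.strip()]
        allowed = {a for a in names if not a.startswith("-")}
        denied = {a[1:] for a in names if a.startswith("-")}  # '-delete' denies delete
        rules.append((n, pattern.strip(), allowed, denied))
    return rules

def audit(text):
    """Return a list of (lineno, message) findings for an admin to review."""
    findings = []
    for n, pattern, allowed, denied in parse_rules(text):
        for name in sorted((allowed | denied) - ACTIONS):
            findings.append((n, f"unknown action '{name}'"))
        risky = sorted((allowed & REVIEW) - denied)
        if pattern.startswith("*.") and risky:  # heuristic: wildcard group name
            findings.append((n, f"{pattern} spans every group and allows {', '.join(risky)}"))
        elif "all" in allowed:
            findings.append((n, f"{pattern} allows every Fox action"))
    return findings

# Constructed sample input, modelled on the page's FoxConfig example.
SAMPLE = """\
# allow adding or deleting posts for pages in Test group:
Test.*: add,delete
Data.*: add,-delete
SiteAdmin.*: none
Public.*: add,remove
*.*: all
"""

if __name__ == "__main__":
    for lineno, message in audit(SAMPLE):
        print(f"line {lineno}: {message}")
```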
