"Edit This Page" is a feature which lets you have a link on the published HTML page that will bring up the page in the wikiCalc spreadsheet editor when clicked. This lets you look at a published page in the browser, make one click and start editing, and then in three clicks (one on the Publish tab, one on the Publish and Done Editing button, and then one final one on the Resume button) be back viewing the published page as HTML. This is inspired by blogging tools like Userland's Radio and most wiki systems.
The Edit This Page functionality is accessed by using special HTML code in the published page that invokes the wikiCalc program running on a server and provides it appropriate information. It is designed mainly for remote-server use of wikiCalc.
The Edit This Page HTML code invokes the URL For Editing with appropriate arguments. The URL For Editing is a Site setting. You can set it by going to the Page tab, clicking the Manage Sites button, and then clicking the Edit button next to the appropriate site information. This URL is the one used for invoking the editing code for wikiCalc on your system. If you are editing using a remote server, this URL will refer to the Perl program on the server. This is similar to the URL you see in the browser when doing normal wikiCalc editing, i.e., something like http://www.domain.com/cgi-bin/wikicalccgi.pl. (If you are editing locally, this URL can be on the client computer, such as "http://127.0.0.1:6556", though Edit This Page is mainly designed for remote-served use of wikiCalc.)
If the browser accessing the page is not logged in as a user with read/write privileges to the page's site, a login page will be displayed allowing you to log in before continuing.
The general idea of invoking wikiCalc with Edit This Page is a URL like this:
http://www.domain.com/cgi-bin/wikicalccgi.pl?arguments
The arguments set the "editthispage" and "etpurl" values. The "editthispage" value is of the form "sitename/pagename". The "etpurl" is optional; if present, it is the URL to return to when resuming viewing of the regular HTML page, i.e., the URL of the page with the Edit This Page link.
The HTML templates that come with the wikiCalc installation by default will create Edit This Page links on HTML pages if the URL For Editing is non-blank. They do this by using the special symbol "{{editthispagehtml}}". If the URL For Editing is set, this symbol will be replaced by the "editthispagehtml" text which, by default, is the following template code:
<form name="wkcformetp" method="POST" action="{{editurl}}"
style="margin:0px;">
<input type="hidden" name="editthispage"
value="{{sitename}}/{{pagename}}">
<input type="hidden" name="etpurl" value="">
<a href="" onclick="document.wkcformetp.etpurl.value=
location.href;document.wkcformetp.submit();return false;">
<span class="smaller">Edit This Page</span>
</a>
</form>
(This code is wrapped to fit in the margins here. The actual code is missing some of the line breaks.)
This code does an HTTP POST to the URL For Editing with appropriate arguments. This keeps the address line of the browser clear of those arguments in line with the way wikiCalc uses HTTP POST to pass its arguments.
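The following is an added example, not wikiCalc's own Perl code, showing the two halves of this mechanism in Python: expanding the "{{editthispagehtml}}" symbol (empty when the URL For Editing is blank, otherwise the template above with its values attribute-escaped) and, on the receiving side, checking the POSTed "editthispage" and "etpurl" values before acting on them. The name alphabet for sitename/pagename, the set of allowed hosts for the return URL, and the function names are assumptions for illustration; the real program's rules are not stated on this page.

```python
import html
import re
from urllib.parse import urlsplit

# The default "editthispagehtml" template from the page, joined onto single lines.
ETP_TEMPLATE = (
    '<form name="wkcformetp" method="POST" action="{{editurl}}" style="margin:0px;">'
    '<input type="hidden" name="editthispage" value="{{sitename}}/{{pagename}}">'
    '<input type="hidden" name="etpurl" value="">'
    '<a href="" onclick="document.wkcformetp.etpurl.value=location.href;'
    'document.wkcformetp.submit();return false;">'
    '<span class="smaller">Edit This Page</span></a></form>'
)

# Assumption: site and page names are limited to letters, digits, '_' and '-'.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def render_editthispagehtml(editurl, sitename, pagename):
    """Expand {{editthispagehtml}} for one published page.

    Returns "" when the URL For Editing is blank, so the link is omitted,
    matching the page's description of the default templates.
    """
    if not editurl.strip():
        return ""
    values = {"editurl": editurl, "sitename": sitename, "pagename": pagename}
    # Escape every substituted value for an HTML attribute context, so a name
    # containing a quote cannot terminate the attribute it is placed in.
    return re.sub(
        r"\{\{(\w+)\}\}",
        lambda m: html.escape(values[m.group(1)], quote=True),
        ETP_TEMPLATE,
    )


def parse_editthispage(fields, allowed_hosts):
    """Validate the POSTed 'editthispage' and optional 'etpurl' fields.

    fields is a dict of form fields. Returns (sitename, pagename, resume_url);
    resume_url is None when etpurl is absent or not an http(s) URL on one of
    allowed_hosts, so the caller falls back to its default resume behaviour
    instead of redirecting to an arbitrary location. Raises ValueError when
    editthispage is not exactly "sitename/pagename".
    """
    target = fields.get("editthispage", "")
    parts = target.split("/")
    if len(parts) != 2 or not all(NAME_RE.match(p) for p in parts):
        raise ValueError("editthispage must be of the form sitename/pagename")
    sitename, pagename = parts

    resume_url = None
    etpurl = fields.get("etpurl", "")
    if etpurl:
        u = urlsplit(etpurl)
        # Only absolute http/https URLs whose host we serve are accepted;
        # scheme-relative or javascript: values fail these checks.
        if u.scheme in ("http", "https") and u.hostname in allowed_hosts:
            resume_url = etpurl
    return sitename, pagename, resume_url


if __name__ == "__main__":
    # Constructed sample values, not taken from a real installation.
    editurl = "http://www.domain.com/cgi-bin/wikicalccgi.pl"
    print(render_editthispagehtml(editurl, "mysite", "index"))
    posted = {"editthispage": "mysite/index",
              "etpurl": "http://www.domain.com/index.html"}
    print(parse_editthispage(posted, {"www.domain.com"}))
```

The return-URL check is the part worth keeping even if the name rule is changed: the browser fills "etpurl" from location.href, but nothing stops a client from sending any value, so the server should confirm it points back at a page it actually serves before resuming there.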
The Edit This Page facility makes use of the normal wikiCalc program running with full ability to access its files. By giving people the Edit This Page HTML code, you are also giving them the URL for running wikiCalc. Make sure you are aware of the security implications of this.
Normally you can "hide" the use of wikiCalc by not using a common URL for the program (e.g., put the system in a directory under cgi-bin that is not easily guessed and rename wikicalc.pl to something else) or by using other access control (such as .htaccess), and by not allowing "Edit This Page" links on the HTML pages. When you have Edit This Page links, these techniques may not work.
You may need to depend upon the wikiCalc access control system to provide the security you desire. It is very simple and may not be up to the task depending upon your needs. Make sure you don't give Admin access (or perhaps any access) to untrusted users.
Also, be careful about giving access to the WKCcallableUtilities.pl program. If you are not using it, do not put it on the server or do not give it execute permission. It is a powerful program that can make HTTP access to other websites.
For some people, doing all editing locally provides the most security because there is no need to maintain code running on the remote server. (For others, this may be considered less secure because it uses FTP and because the FTP password resides on personal computers.) It is possible to have a URL For Editing of "http://127.0.0.1:6556" (the local URL for editing) so that even when run locally you can have "Edit This Page" links on pages served from a remote website.
Periodically check the bug list and do web searches to see if any wikiCalc vulnerabilities have been reported here or elsewhere.