[pmwiki-devel] Help with understanding an authentication problem

Peter Bowers pbowers at pobox.com
Sun May 24 02:40:22 CDT 2009


On Sun, May 24, 2009 at 1:53 AM, John Rankin <john.rankin at affinity.co.nz> wrote:

> It seems to me that we ought to be able to define a custom
> $AuthFunction that checks the IP address of the requestor,
> rather than asking for a username and password. Then the
> custom auth function can authenticate the request based on
> the fact that it comes from an IP address pmwiki trusts.
> It may have to grant "admin" rights, especially where the
> request is retrieving multiple pmwiki pages.
>

Something along these lines might work (UNTESTED - basically just making a
wrapper for PmWikiAuth())...

$AuthFunction = 'MyAuthFunction';
$PrivilegedIP = array('/^100\.100\.100\.[0-9]*$/', '/^89\.90\.91\.92$/');

function MyAuthFunction($pagename, $level, $authprompt, $since)
{
   # $action is PmWiki's global holding the current ?action= value
   global $PrivilegedIP, $action;
   # a trusted address may do anything except edit or set attributes
   if (!in_array($action, array('edit', 'attr'))) {
      foreach ($PrivilegedIP as $IPPat) {
         if (preg_match($IPPat, $_SERVER['REMOTE_ADDR'])) {
            # an $AuthFunction must return the page array (as PmWikiAuth
            # does), not a bare boolean, or callers get an empty page
            return ReadPage($pagename, $since);
         }
      }
   }
   # everyone else goes through PmWiki's normal password handling
   return PmWikiAuth($pagename, $level, $authprompt, $since);
}

You'll note I've made a quick attempt to disallow editing and
attribute-setting using this "Privileged IP" authentication.  If that's not
desirable then just delete the line with "if (!in_array...".  If there are
other actions I'm thinking of that should not be available then just edit
the array (or, better yet, change it into a configurable var).

I *think* I've read that $_SERVER['REMOTE_ADDR'] can be spoofed, so be aware
that this opens a potential security hole.  That's why I've made a
rudimentary effort to allow only browsing using this form of authentication.

-Peter
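The following is an added example for readers of this thread; it is not code from Peter's post or from PmWiki itself. It takes the same idea (an $AuthFunction wrapper that trusts certain source addresses) and tightens it in three ways a practitioner would want: trusted networks are given in CIDR notation and matched numerically rather than by regex (a pattern like /^100\.100\.100\.[0-9]*$/ also accepts "100.100.100.999"); access is granted from an allow-list of read-only actions and only for the "read" level, so any action or level not listed falls through to the normal password prompt; and only REMOTE_ADDR is consulted, never client-supplied headers such as X-Forwarded-For, which any requester can set. PmWikiAuth() and ReadPage() are PmWiki's own functions; the names $TrustedNets, $TrustedNetActions, IpInCidrList and TrustedNetAuth, and the list of read-only actions, are invented for this example and should be reviewed against the actions your site actually enables.

```php
<?php
// Added example for local/config.php, not part of the original post or of
// PmWiki. Assumes PmWiki's PmWikiAuth() and ReadPage() are available (they
// are defined in pmwiki.php). All other names here are this example's own.

// Trusted networks in CIDR form. Unlike a regex, a /24 cannot match an
// address with an out-of-range octet.
$TrustedNets = array('100.100.100.0/24', '89.90.91.92/32');

// Actions that only read page content. Anything not listed (edit, attr,
// upload, ...) gets PmWiki's normal password handling. Assumed list; adjust.
$TrustedNetActions = array('browse', 'print', 'source', 'diff');

// True when dotted IPv4 $ip lies inside one of the $cidrs.
// Malformed addresses or prefixes count as "not trusted".
function IpInCidrList($ip, $cidrs) {
  $addr = ip2long($ip);
  if ($addr === false) return false;
  foreach ($cidrs as $cidr) {
    if (strpos($cidr, '/') === false) $cidr .= '/32';
    list($net, $bits) = explode('/', $cidr, 2);
    $netaddr = ip2long($net);
    $bits = (int)$bits;
    if ($netaddr === false || $bits < 0 || $bits > 32) continue;
    // -1 << n keeps the top (32 - n) bits set without needing 0xffffffff,
    // which overflows to a float on 32-bit PHP builds.
    $mask = ($bits == 0) ? 0 : (-1 << (32 - $bits));
    if (($addr & $mask) == ($netaddr & $mask)) return true;
  }
  return false;
}

$AuthFunction = 'TrustedNetAuth';

function TrustedNetAuth($pagename, $level, $authprompt, $since) {
  global $TrustedNets, $TrustedNetActions, $action;
  // REMOTE_ADDR only: it is the TCP peer as seen by the web server.
  // X-Forwarded-For and similar headers are set by the client and must not
  // be trusted unless a reverse proxy you control rewrites them.
  $ip  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
  $act = isset($action) ? $action : 'browse';
  if ($level == 'read'
      && in_array($act, $TrustedNetActions, true)
      && IpInCidrList($ip, $TrustedNets)) {
    // An auth function must return the page array, not a boolean;
    // ReadPage() returns it with no password check.
    return ReadPage($pagename, $since);
  }
  // Everything else: PmWiki's standard password handling.
  return PmWikiAuth($pagename, $level, $authprompt, $since);
}
```

The allow-list on both $level and $action is the point of the design: a deny-list of "edit" and "attr" silently grants every other action and level (upload, admin, any recipe-added action), whereas an allow-list of read-only actions restricted to the "read" level fails closed when something new appears. If the wiki sits behind a reverse proxy, have the proxy set REMOTE_ADDR correctly (or terminate the trust check at the proxy) rather than teaching this function to parse forwarded headers.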