[Pmwiki-users] Easily Hackable?
Patrick R. Michaud
pmichaud
Sat Apr 3 15:09:23 CST 2004
On Sat, Apr 03, 2004 at 02:34:26PM -0700, H. Fox wrote:
>
> >Sure, it'd be no problem to do this. But it's still an issue of "how
> >to specify authorization" -- i.e., how should we specify which
> >names/groups are able to perform which operations on which pages?
>
> I'm not experienced enough to have a definitive answer. I was thinking
> along this line: You could treat a HtGroup as a pseudo-user and do it
> however it's done now... if that makes any sense.

Re: "...do it however it's done now..."

I think the point I'm trying to make (perhaps ineffectively) is that
it's *not* being done now -- PmWiki doesn't have a way to authorize
access to pages based on a user's identity. PmWiki authorizes access to
pages based on what a user knows -- i.e., a shared secret of some sort.

Most of the postings I've seen related to the topic of user-based
control seem to focus on the issue of solving user authentication (easy),
but then hand-wave the issue of mapping user identity to allowable
actions as being a trivially or already solved problem, which it's not.

Of course, if one is willing to accept that access should be of
the all-or-nothing type (an authenticated user is either allowed to
edit/access any page or none at all), then it becomes an easy-to-solve
problem. But I suspect that people will really want to be able to
limit access to groups, pages, or operations based on user identity,
and I'm having trouble seeing what the admin-interface for such a
system should look like.

(K. Zadorozhny proposes one possibility in http://www.pmichaud.com/pipermail/pmwiki-users_pmichaud.com/2004-April/004138.html but I'm not sure how I feel about the interface yet.)

Pm
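
The gap between authenticating a user and deciding what that user may do, sketched as an added example that is not part of the original message and is not PmWiki code: a rule table mapping a user or htgroup to an action on a `Group.Page` pattern, with default deny. The rule format, the `@group` notation, the precedence order, and all names and data are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample data: htgroup-style membership (group -> members).
HTGROUPS = {"editors": {"alice", "bob"}, "admins": {"carol"}}

# Constructed rules: (principal, "Group.Page" pattern, action, allow).
# A principal is a user name, "@name" for an htgroup, or "*" for anyone.
RULES = [
    ("*",        "*.*",           "read", True),
    ("@editors", "Main.*",        "edit", True),
    ("bob",      "Main.HomePage", "edit", False),
    ("@admins",  "*.*",           "*",    True),
]

def principals(user):
    """Every principal a request may act as; user=None is anonymous."""
    names = {"*"}
    if user is not None:
        # A login name must not be able to pose as a group or wildcard.
        if user == "*" or user.startswith("@"):
            raise ValueError("reserved principal name: %r" % user)
        names.add(user)
        names.update("@" + g for g, m in HTGROUPS.items() if user in m)
    return names

def specificity(rule):
    """Order matches: narrower page, then user > group > anyone,
    then a named action over "*"; on a full tie, deny wins."""
    principal, pattern, action, allow = rule
    who = 0 if principal == "*" else 1 if principal.startswith("@") else 2
    return (len(pattern.replace("*", "")), who, action != "*", not allow)

def is_allowed(user, page, action):
    """Default deny; otherwise the most specific matching rule decides."""
    who = principals(user)
    matches = [r for r in RULES
               if r[0] in who and fnmatchcase(page, r[1])
               and r[2] in (action, "*")]
    return max(matches, key=specificity)[3] if matches else False
```

Even this small table needs a conflict policy (bob is in `editors` but is denied on one page), which is the part that authentication alone does not settle.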