[Pmwiki-users] Easily Hackable?

Patrick R. Michaud pmichaud
Sat Apr 3 15:09:23 CST 2004


On Sat, Apr 03, 2004 at 02:34:26PM -0700, H. Fox wrote:
> 
> >Sure, it'd be no problem to do this.  But it's still an issue of "how
> >to specify authorization"  -- i.e., how should we specify which
> >names/groups are able to perform which operations on which pages?
> 
> I'm not experienced enough to have a definitive answer.  I was thinking 
> along this line:  You could treat a HtGroup as a pseudo-user and do it 
however it's done now... if that makes any sense.

Re: "...do it however it's done now..."

I think the point I'm trying to make (perhaps ineffectively) is that 
it's *not* being done now-- PmWiki doesn't have a way to authorize 
access to pages based on a user's identity.  PmWiki authorizes access to 
pages based on what a user knows--i.e., a shared secret of some sort.  
Most of the postings I've seen related to the topic of user-based
control seem to focus on the issue of solving user authentication (easy), 
but then hand-wave the issue of mapping user identity to allowable
actions as being a trivially or already solved problem, which it's not.

Of course, if one is willing to accept that access should be of
the all-or-nothing type (an authenticated user is either allowed to
edit/access any page or none at all), then it becomes an easy-to-solve
problem.  But I suspect that people will really want to be able to 
limit access to groups, pages, or operations based on user identity, 
and I'm having trouble seeing what the admin-interface for such a 
system should look like.

(K. Zadorozhny proposes one possibility in http://www.pmichaud.com/pipermail/pmwiki-users_pmichaud.com/2004-April/004138.html, but I'm not sure how I feel about the interface yet.)

Pm
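The two authorization models Pm contrasts above, written out as an added example. This is not code from the original thread or from PmWiki (which is PHP); it is a Python sketch. Model 1 is authorization by what the user knows: a per-page edit secret, stored hashed and compared in constant time, with no notion of identity. Model 2 is authorization by who the user is: an htgroup-style membership table plus a rule list mapping principals (a user, an "@group", or "*" for any authenticated user) to operations on page-name patterns, default deny. The group file, policy rules, page names and secrets are all constructed sample data, and the rule syntax is an assumption, not anything PmWiki defines.

```python
import fnmatch
import hashlib
import hmac
import os
from typing import List, Optional, Set, Tuple

# ---- Model 1: authorization by a shared secret (what the user knows) ----

def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Store a page secret as hex(salt)$hex(pbkdf2), never in the clear (constructed helper)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def secret_matches(stored: str, presented: str) -> bool:
    """Constant-time comparison of a presented secret against the stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Edit secrets keyed by "Group.Page"; constructed sample data, one protected page.
PAGE_EDIT_SECRETS = {
    "Main.HomePage": hash_secret("opensesame"),
}

def knowledge_authorized(page: str, presented: str) -> bool:
    """Anyone who knows the page's secret may edit it; identity plays no part."""
    stored = PAGE_EDIT_SECRETS.get(page)
    if stored is None:
        return True  # no secret set: the page is open for editing
    return secret_matches(stored, presented)

# ---- Model 2: authorization by identity (who the user is) ----

# Group membership in the style of an htgroup file: group -> members (constructed).
HTGROUP = {
    "editors": {"alice", "bob"},
    "admins": {"carol"},
}

# A rule is (principal, operation, page pattern). Principal is a user name, an
# "@group", or "*" for any authenticated user; operation is a verb or "*";
# the pattern is fnmatch-style over "Group.Page" names. Constructed sample policy.
Rule = Tuple[str, str, str]
POLICY: List[Rule] = [
    ("@admins",  "*",    "*"),              # admins may do anything anywhere
    ("@editors", "edit", "Main.*"),         # editors may edit pages in the Main group
    ("@editors", "read", "*"),              # editors may read everything
    ("bob",      "attr", "Main.HomePage"),  # one user may change one page's attributes
    ("*",        "read", "Public.*"),       # any authenticated user may read Public.*
]

# The all-or-nothing scheme the post mentions is the degenerate one-rule policy.
ALL_OR_NOTHING: List[Rule] = [("*", "*", "*")]

def groups_of(user: str) -> Set[str]:
    return {g for g, members in HTGROUP.items() if user in members}

def principals_for(user: Optional[str]) -> Set[str]:
    """A user acts as themselves, as each of their groups, and as '*' (authenticated)."""
    if user is None:
        return set()  # anonymous: matches no principal, so default deny applies
    return {user, "*"} | {"@" + g for g in groups_of(user)}

def identity_authorized(user: Optional[str], operation: str, page: str,
                        policy: List[Rule] = POLICY) -> bool:
    """Allow iff some rule names one of the user's principals, the operation
    (or '*'), and a pattern matching the page name. Anything unmatched is denied."""
    mine = principals_for(user)
    for principal, op, pattern in policy:
        if principal in mine and op in (operation, "*") and fnmatch.fnmatchcase(page, pattern):
            return True
    return False

if __name__ == "__main__":
    print(knowledge_authorized("Main.HomePage", "opensesame"))   # True: knows the secret
    print(identity_authorized("alice", "edit", "Site.Config"))   # False: editors only edit Main.*
    print(identity_authorized("carol", "attr", "Site.Config"))   # True: admins may do anything
```

The point of laying the two side by side is the one Pm makes: model 1 needs nothing beyond a secret per page, while model 2 needs an authentication step (here just a user name handed in) plus an explicit rule table, and it is that table, its syntax and who is allowed to edit it, that a PmWiki admin interface would have to expose.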
