[Pmwiki-users] inching slowly towards user-based authorization
Patrick R. Michaud
Wed Jun 16 11:04:03 CDT 2004
Currently PmWiki uses a password-based scheme to protect access to
pages; i.e., if someone knows an appropriate password, he/she gets access
to the page. Many have asked for the ability to have a user-based
scheme instead, where an author goes through a "login" authorization
sequence and then future accesses are based on the author's identity
instead of knowing a specific password.
Here's a possible baby-step in that direction. First, let's assume
we can already authenticate an author; i.e., we have some sort of system
where we're reasonably certain of an author's identity, such as using
.htaccess files, passwords on author profile pages, queries to centralized
identity servers via LDAP, etc., and the authentication components could
be cookbook modules.
Once we've established an author's identity, the question is how to decide
what actions that author can perform. I propose extending the existing
password field to allow strings of the form "author:alice,bob,...", which
would allow alice, bob, and others to perform whatever operations the
field controls. This can be combined with the existing password system,
such that if a page (or group or site) has an edit password of
"twinkie author:alice,bob", then alice, bob, and anyone who knows the
password "twinkie" would be able to edit the page. Some more examples:
  author:alice             only alice
  author:alice,bob         only alice and bob
  author:everyone          everyone that has been authenticated
  <blank>                  everyone, authenticated or not
  kiwi grape               passwords "kiwi" and "grape"
  author:alice kiwi        alice and everyone with "kiwi" password
  author:everyone,-bob     everyone authenticated except bob
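The rules above, modelled as an added Python example (this is not PmWiki code and not part of the original message): it parses a password field of the proposed form and decides whether a request is authorized. It assumes plaintext passwords purely for illustration, and that a matching password grants access even to a name excluded with "-", since the proposal says "anyone who knows the password".

```python
import hmac

AUTHOR_PREFIX = "author:"


def parse_rule(field):
    """Split a proposed password field such as 'twinkie author:alice,-bob'
    into (passwords, allowed_authors, denied_authors, everyone_flag).
    Tokens are space separated; an author: token carries a comma list,
    a leading '-' marks an exclusion, and 'everyone' means any
    authenticated author."""
    passwords, allowed, denied, everyone = [], set(), set(), False
    for token in field.split():
        if not token.startswith(AUTHOR_PREFIX):
            passwords.append(token)  # plain password token
            continue
        for name in token[len(AUTHOR_PREFIX):].split(","):
            if not name:
                continue
            if name.startswith("-"):
                denied.add(name[1:])
            elif name == "everyone":
                everyone = True
            else:
                allowed.add(name)
    return passwords, allowed, denied, everyone


def is_authorized(field, author=None, password=None):
    """author is the authenticated identity (None if not logged in);
    password is what the request supplied (None if nothing supplied)."""
    if not field.strip():
        return True  # blank field: everyone, authenticated or not
    passwords, allowed, denied, everyone = parse_rule(field)
    # Password path: constant-time compare against each configured
    # password (assumption: plaintext here; a real system stores hashes).
    if password is not None and any(
            hmac.compare_digest(password.encode(), p.encode())
            for p in passwords):
        return True
    # Identity path: an explicit '-name' exclusion wins over 'everyone'
    # and over being listed by name.
    if author is None or author in denied:
        return False
    return everyone or author in allowed
```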
As a follow-up step we could see about adding groups of users; e.g.,
"author:@editors" (or perhaps just "author:editors") would allow
access to anyone in the "editors" group, where this group is defined
somewhere else--probably in Profiles/Editors.
This approach allows PmWiki's simple-to-use-and-understand password-based
authorization system to continue to work, while providing a workable
and relatively simple system for user-based authorization.