[Pmwiki-users] inching slowly towards user-based authorization

Patrick R. Michaud pmichaud
Wed Jun 16 11:04:03 CDT 2004


Currently PmWiki uses a password-based scheme to protect access to
pages; i.e., if someone knows an appropriate password, he/she gets access
to the page.  Many have asked for the ability to have a user-based
scheme instead, where an author goes through a "login" authorization
sequence and then future accesses are based on the author's identity
instead of knowing a specific password.

Here's a possible baby-step in that direction.  First, let's assume
we can already authenticate an author; i.e., we have some sort of system
where we're reasonably certain of an author's identity, such as using
.htaccess files, passwords on author profile pages, queries to centralized
identity servers via LDAP, etc., and the authentication components could
be cookbook modules.

Once we've established an author's identity, the question is how to decide
what actions that author can perform.  I propose extending the existing
password field to allow strings of the form "author:alice,bob,...", which
would allow alice, bob, and others to perform whatever operations the
field controls.  This can be combined with the existing password system,
such that if a page (or group or site) has an edit password of
"twinkie author:alice,bob", then alice, bob, and anyone who knows the
password "twinkie" would be able to edit the page.  Some more examples:

    author:alice                    only alice
    author:alice,bob                only alice and bob
    author:everyone                 everyone that has been authenticated
    <blank>                         everyone, authenticated or not
    kiwi grape                      passwords "kiwi" and "grape"
    author:alice kiwi               alice and everyone with "kiwi" password
    author:everyone kiwi
    author:everyone,-bob            everyone authenticated except bob

As a follow-up step we could see about adding groups of users; e.g.,
"author:@editors" (or perhaps just "author:editors") would allow
access to anyone in the "editors" group, where this group is defined
somewhere else--probably in Profiles/Editors.
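To make the proposed field syntax concrete, here is an added illustrative parser and access check covering both the "author:" clauses and the follow-up "@group" idea. It is example code written for this message, not PmWiki's implementation; the names `parse_auth_field`, `is_authorized`, and the `groups` mapping are assumptions, and the passwords are compared as plain strings only because the proposal lists them that way in the field.

```python
"""Evaluator for the proposed PmWiki-style password field.

Constructed example, not PmWiki code. It models fields such as
"twinkie author:alice,bob", "author:everyone,-bob" and "author:@editors".
Group membership for "@group" entries is assumed to be supplied by the
caller as a mapping of group name -> set of author names.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class AuthRule:
    passwords: set = field(default_factory=set)  # shared passwords granting access
    allowed: set = field(default_factory=set)    # author names, or "everyone"
    denied: set = field(default_factory=set)     # names listed as "-name"
    groups: set = field(default_factory=set)     # group names listed as "@name"
    has_author_clause: bool = False              # an "author:" token was present


def parse_auth_field(text: str) -> AuthRule:
    """Split a whitespace-separated field into passwords and author clauses.

    A token starting with "author:" carries a comma-separated name list;
    "-name" excludes an author and "@name" refers to a group (assumed
    syntax for the follow-up step). Every other token is a password.
    """
    rule = AuthRule()
    for token in text.split():
        if token.startswith("author:"):
            rule.has_author_clause = True
            for name in token[len("author:"):].split(","):
                if not name:
                    continue
                if name.startswith("-"):
                    rule.denied.add(name[1:])
                elif name.startswith("@"):
                    rule.groups.add(name[1:])
                else:
                    rule.allowed.add(name)
        else:
            rule.passwords.add(token)
    return rule


def _password_matches(rule: AuthRule, password) -> bool:
    """Constant-time comparison of the supplied password against each listed one."""
    if password is None:
        return False
    supplied = password.encode("utf-8")
    return any(hmac.compare_digest(supplied, p.encode("utf-8"))
               for p in rule.passwords)


def is_authorized(text: str, author=None, password=None, groups=None) -> bool:
    """Decide whether a request satisfies the field.

    author   - authenticated identity, or None when not logged in
    password - password sent with the request, or None
    groups   - assumed mapping group name -> set of members (for "@group")
    """
    rule = parse_auth_field(text)
    groups = groups or {}

    # A blank field means everyone, authenticated or not.
    if not rule.passwords and not rule.has_author_clause:
        return True

    # Knowing a listed password is sufficient, exactly as in the existing scheme.
    if _password_matches(rule, password):
        return True

    # Identity path: must be authenticated and not explicitly excluded.
    if author is None or author in rule.denied:
        return False
    if "everyone" in rule.allowed or author in rule.allowed:
        return True
    return any(author in groups.get(g, ()) for g in rule.groups)


if __name__ == "__main__":
    print(is_authorized("author:everyone,-bob", author="bob"))      # False
    print(is_authorized("twinkie author:alice", password="twinkie"))  # True
```

One property worth noticing in this model: an exclusion such as "-bob" only binds the identity path. If the same field also lists a shared password, bob can still get in by knowing it, because the proposal says anyone who knows the password is allowed; whether that is desired is a policy decision for the site.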

This approach allows PmWiki's simple-to-use-and-understand password-based
authorization system to continue to work, while providing a workable 
and relatively simple system for user-based authorization.

Comments?

Pm


