[Pmwiki-users] inching slowly towards user-based authorization

Bob Dively dive
Wed Jun 16 13:32:00 CDT 2004


Patrick R. Michaud <pmichaud at pobox.com> wrote:

> Here's a possible baby-step in that direction.  First, let's assume
> we can already authenticate an author; i.e., we have some sort of system
> where we're reasonably certain of an author's identity, such as using
> .htaccess files, passwords on author profile pages, queries to
> centralized identity servers via LDAP, etc., and the authentication
> components could be cookbook modules.

Another thing to consider is making some info from the authentication
process available for processing later. I'm thinking specifically of a
user's name (as opposed to a user's id) for use in the Author box on the
action=edit page. Is that something that could be done via
InlineReplacements or whatever its 2.0 equivalent is? I'm guessing that
this is going to be Cookbook material, but I thought I'd mention it anyway.

> Once we've established an author's identity, the question is how to
> decide what actions that author can perform.  I propose extending the
> existing password field to allow strings of the form
> "author:alice,bob,...", which would allow alice, bob, and others to
> perform whatever operations the field controls.  This can be combined
> with the existing password system, such that if a page (or group or
> site) has an edit password of "twinkie author:alice,bob", then alice,
> bob, and anyone who knows the password "twinkie" would be able to edit
> the page.  Some more examples:
>
>     author:alice                    only alice
>     author:alice,bob                only alice and bob
>     author:everyone                 everyone that has been authenticated
>     <blank>                         everyone, authenticated or not
>     kiwi grape                      passwords "kiwi" and "grape"
>     author:alice kiwi               alice and everyone with "kiwi"
>     password author:everyone kiwi
>     author:everyone,-bob            everyone authenticated except bob

I think that this is excellent. As someone else pointed out, I do think
that "*" would be better than "everyone" (but then maybe that's not a good
idea because * implies knowledge about wildcard expansion that maybe not
everyone has).

Questions: why "author:"? Isn't the string "twinkie author:alice,bob"
already attached to the edit password, and if so, why not just "users:"?
Also, if some sort of parent/child relationship between pages is developed,
will the child inherit the parent's security attributes?

> As a follow-up step we could see about adding groups of users; e.g.,
> "author:@editors" (or perhaps just "author:editors") would allow
> access to anyone in the "editors" group, where this group is defined
> somewhere else--probably in Profiles/Editors.

I know that this is not fully fleshed out just yet, but I did want to note
that having some way to easily implement user groups will be absolutely
key.
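
The authorization syntax proposed in the quoted message (and the group follow-up) can be modelled in a few dozen lines. The code below is an added illustration, not PmWiki's own code or anything from this thread: it assumes the password field is a whitespace-separated token list, that tokens beginning with "author:" carry a comma-separated list of names, "everyone" (or the suggested "*" alias), "-name" exclusions and "@group" references, that every other token is a password (kept in plaintext here for brevity; a deployment would store hashes), and that group membership is handed in by the caller as a plain dict, since the proposal only says groups would be defined "somewhere else".

```python
"""Model of the proposed PmWiki "author:" authorization field.

Added example, not PmWiki code. Assumptions (not from the thread):
- group membership is a caller-supplied dict {group_name: set_of_authors}
- passwords are compared in plaintext; a real store would hold hashes
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field


@dataclass
class Rule:
    allow: set[str] = field(default_factory=set)   # names listed after author:
    groups: set[str] = field(default_factory=set)  # "@group" references, sans '@'
    deny: set[str] = field(default_factory=set)    # "-name" exclusions, sans '-'
    everyone: bool = False                         # "everyone" or "*" present
    passwords: list[str] = field(default_factory=list)
    open: bool = False                             # blank field: no restriction


def parse_rule(text: str) -> Rule:
    """Parse one password field ("twinkie author:alice,-bob kiwi") into a Rule."""
    rule = Rule()
    tokens = text.split()
    if not tokens:                      # <blank>: everyone, authenticated or not
        rule.open = True
        return rule
    for tok in tokens:
        if not tok.startswith("author:"):
            rule.passwords.append(tok)  # any other token is a shared password
            continue
        for name in tok[len("author:"):].split(","):
            name = name.strip()
            if not name:
                continue
            if name in ("everyone", "*"):
                rule.everyone = True
            elif name.startswith("-"):
                rule.deny.add(name[1:])
            elif name.startswith("@"):
                rule.groups.add(name[1:])
            else:
                rule.allow.add(name)
    return rule


def is_authorized(field_text: str, author: str | None,
                  supplied_password: str | None = None,
                  group_members: dict[str, set[str]] | None = None) -> bool:
    """Decide whether `author` (None/"" = unauthenticated) may perform the
    action the field controls, given an optional password attempt."""
    rule = parse_rule(field_text)
    if rule.open:
        return True
    # Password grant is independent of identity, exactly as proposed:
    # "anyone who knows the password 'twinkie' would be able to edit".
    if supplied_password is not None:
        for pw in rule.passwords:
            if hmac.compare_digest(pw.encode(), supplied_password.encode()):
                return True
    if not author:                      # unauthenticated: only passwords can help
        return False
    if author in rule.deny:             # "-bob" overrides everyone/group/allow
        return False
    if rule.everyone or author in rule.allow:
        return True
    members = group_members or {}       # hypothetical group table, see lead-in
    return any(author in members.get(g, ()) for g in rule.groups)
```

One consequence worth noticing: because the password grant is evaluated independently of the author list, "author:everyone,-bob kiwi" still lets bob in if he knows "kiwi". That follows directly from the proposed semantics (exclusion only constrains the identity-based grant), so a site that wants a hard exclusion must not combine "-name" with a shared password on the same field.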
