[Pmwiki-users] inching slowly towards user-based authorization
Bob Dively
Wed Jun 16 13:32:00 CDT 2004
Patrick R. Michaud <pmichaud at pobox.com> wrote:
> Here's a possible baby-step in that direction. First, let's assume
> we can already authenticate an author; i.e., we have some sort of system
> where we're reasonably certain of an author's identity, such as using
> .htaccess files, passwords on author profile pages, queries to
> centralized identity servers via LDAP, etc., and the authentication
> components could be cookbook modules.
Another thing to consider is making some info from the authentication
process available for processing later. I'm thinking specifically of a
user's name (as opposed to a user's id) for use in the Author box on the
action=edit page. Is that something that could be done via
InlineReplacements or whatever its 2.0 equivalent is? I'm guessing that
this is going to be Cookbook material, but I thought I'd mention it anyway.
> Once we've established an author's identity, the question is how to
> decide what actions that author can perform. I propose extending the
> existing password field to allow strings of the form
> "author:alice,bob,...", which would allow alice, bob, and others to
> perform whatever operations the field controls. This can be combined
> with the existing password system, such that if a page (or group or
> site) has an edit password of "twinkie author:alice,bob", then alice,
> bob, and anyone who knows the password "twinkie" would be able to edit
> the page. Some more examples:
>
> author:alice               only alice
> author:alice,bob           only alice and bob
> author:everyone            everyone that has been authenticated
> <blank>                    everyone, authenticated or not
> kiwi grape                 passwords "kiwi" and "grape"
> author:alice kiwi          alice and everyone with "kiwi" password
> author:everyone kiwi
> author:everyone,-bob       everyone authenticated except bob
I think that this is excellent. As someone else pointed out, I do think
that "*" would be better than "everyone" (but then maybe that's not a good
idea because * implies knowledge about wildcard expansion that maybe not
everyone has).
Questions: why "author:"? Isn't the string "twinkie author:alice,bob"
already attached to the edit password and if so why not just "users:"?
Also, if some sort of parent/child relationship between pages is developed,
will the child inherit the parent's security attributes?
> As a follow-up step we could see about adding groups of users; e.g.,
> "author:@editors" (or perhaps just "author:editors") would allow
> access to anyone in the "editors" group, where this group is defined
> somewhere else--probably in Profiles/Editors.
I know that this is not fully fleshed out just yet, but I did want to note
that having some way to easily implement user groups will be absolutely
key.
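As an added illustration (not PmWiki code, and not from either message above) of how the proposed field syntax could be evaluated, here is the rule set from the examples written out in Python rather than PmWiki's PHP; it also covers the "author:@editors" group form from the follow-up step. The names parse_auth_field, is_authorized and GROUPS are assumptions, and the GROUPS table is a constructed stand-in for whatever Profiles/Editors would hold.

```python
# Evaluate a PmWiki-style password field such as "twinkie author:alice,-bob".
# Space-separated tokens are passwords, except "author:..." tokens, whose
# comma-separated entries name authors ("alice"), "everyone", groups ("@editors")
# or exclusions ("-bob").

def parse_auth_field(field):
    """Split a field into (passwords, allowed entries, denied authors)."""
    passwords, allow, deny = set(), set(), set()
    for token in field.split():
        if token.startswith("author:"):
            for name in token[len("author:"):].split(","):
                if not name:
                    continue
                if name.startswith("-"):
                    deny.add(name[1:])
                else:
                    allow.add(name)
        else:
            passwords.add(token)
    return passwords, allow, deny

# Constructed group table standing in for a Profiles/Editors page.
GROUPS = {"editors": {"alice", "carol"}}

def is_authorized(field, author=None, password=None, groups=GROUPS):
    """True if a request may perform the action the field protects.
    author is the authenticated id (None when unauthenticated); password is
    the one supplied with the request. Passwords are compared as plain strings
    only for illustration; stored passwords would normally be hashed."""
    passwords, allow, deny = parse_auth_field(field)
    if not passwords and not allow:
        return True                      # <blank>: everyone, authenticated or not
    if password is not None and password in passwords:
        return True                      # knowing a listed password is sufficient
    if author is None:
        return False                     # every remaining rule needs authentication
    if author in deny:
        return False                     # "-bob" wins over everyone/@group (assumed)
    if author in allow or "everyone" in allow:
        return True
    for entry in allow:
        if entry.startswith("@") and author in groups.get(entry[1:], set()):
            return True
    return False
```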