[pmwiki-users] Re: pmwiki-2.0.beta29 out, needs testers and feedback
Patrick R. Michaud
pmichaud at pobox.com
Tue Apr 12 08:01:08 CDT 2005
On Tue, Apr 12, 2005 at 09:00:33AM +0200, chr at home.se wrote:
> On Mon, 11 Apr 2005, Patrick R. Michaud wrote:
> Just some minor coments/suggestions:
> > Multiple passwords (separated by spaces) can now be set on pages and groups,
> > thus entering "one two" for an edit password will means that either "one" or
> > "two" will be accepted. Because of this, passwords cannot contain
> > spaces (I hope this won't be a major loss -- let me know if it will).
> What are the actual restrictions on the passwords? Any character but
> space? If commas aren't allowed, maybe "one,two" could be useful for
> separating passwords?
Any character but space and colon (well, colons *can* be embedded in
certain situations). "one,two" for separating passwords isn't helpful
because it makes it much harder to parse "id:alice,bob".
> > At present the only supported form of authentication is to make use of
> > whatever is provided by the webserver in the REMOTE_USER variable
> > (usually achieved with .htaccess/.htpasswd files -- more on this below),
> I use .htaccess/.htpasswd/.htgroup to control access through the group
> that the user belongs to. Is there some variable like REMOTE_GROUP? Here's
> an example of a .htaccess file that I use:
> AuthName "Development server"
> AuthType Basic
> AuthUserFile /srv/www/htdocs/.htpasswd
> AuthGroupFile /srv/www/htdocs/.htgroup
> Require group Internal
Nope, CGI scripts don't know anything about authenticating groups;
they only know about authenticating individuals. Webservers such as
Apache can allow access (i.e., authorization) based on an individual's
membership in a particular group.
> > But, assuming there's already some mechanism in place for identifying
> > and authenticating someone, pages can specify a password field of
> > "id:xyz", which means to allow only user "xyz" the specified access.
> Perhaps this could be extended to allow a field with "group:Internal"?
I'm saving this for future expansion, yes. However, since the webserver
doesn't pass group information down to its CGI scripts, it's up to
PmWiki to implement mechanisms for maintaining/determining group
memberships, and because of the way things are currently put together it
may be an expensive operation to implement. (Most systems say
"group XYZ has members alice, bob, charles" where PmWiki currently needs
"alice is a member of groups ABC and XYZ".)
More information about the pmwiki-users