[pmwiki-users] authuser forcing Author name stopped working?

Neil Herber nospam at eton.ca
Fri Jul 8 09:03:24 CDT 2005


At 2005-07-08  01:06 AM -0500, Patrick R. Michaud is rumored to have said:
>What Neil is looking for is a way to prevent anyone from using
>usernames in the authentication records if they aren't
>authenticated as that particular user.  That's a fair amount
>trickier, because it's really a form of negative authentication
>("if you know the shared password, you can claim to be
>anyone except Neil or Bob").  But it's probably something
>worth solving, since being able to password-protect the use of
>specific author names is likely to be desired...

This is what I am trying to do, but it is not important enough to me (or 
the rest of the world, I suspect) to have people spend any more time on it.

The way authuser.php now works is correct - it does not indicate that an 
author is authenticated unless both the user name and password match. It 
does not prevent anyone from spoofing a particular author name, but neither 
does PmWiki without authuser.php. Authors can sign any name they like.

I had 3 goals in mind:
1) Lightly protect the wiki with a shared password
2) Allow users with existing HTTP-Auth passwords to continue using them (no 
need to use the shared password)
3) Capture the username from the login form and use it to set the author name

This all works now courtesy of these extra config.php lines:

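# Load PmWiki's user-based authentication script.
include_once("$FarmD/scripts/authuser.php");
# If the login form posted a user name, use it as the author name
# and keep it in a session cookie (expiry 0) for later edits.
if (@$_POST['authid']) {
  $Author = $_POST['authid'];
  setcookie('author', $Author, 0, '/');
}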

On fields where I really want to authenticate users, I use HTTP-Auth and 
force the author name to the authenticated name.


Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668 
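
The reserved-name check described in the quoted text above ("you can claim to be anyone except Neil or Bob"), as an added example that is not part of the original message and is not PmWiki or authuser.php code. The function names, parameters and sample data are hypothetical; the caller is assumed to know which user name, if any, passed a per-user password check.

```php
<?php
// Added example; clean_author() and resolve_author() are hypothetical names.

// Strip control characters and collapse whitespace so that " Neil ",
// "Ne\til" and "Neil" are all treated as the same claimed name.
function clean_author(string $name): string {
    $name = preg_replace('/[\x00-\x1F\x7F]+/', '', $name);
    return preg_replace('/\s+/', ' ', trim($name));
}

// Decide which author name to record for an edit.
//   $claimed  - name typed into the login/author field (untrusted)
//   $authId   - user name that passed a per-user password check, or
//               null when the visitor only knew the shared password
//   $reserved - names that have their own authentication record
// Returns the name to record, or null if the claim must be refused.
function resolve_author(string $claimed, ?string $authId, array $reserved): ?string {
    // A per-user login always wins over whatever was typed.
    if ($authId !== null && $authId !== '') {
        return $authId;
    }
    $clean = clean_author($claimed);
    if ($clean === '') {
        return null;
    }
    foreach ($reserved as $name) {
        // ASCII case folding only; Unicode look-alikes are out of scope here.
        if (strcasecmp(clean_author($name), $clean) === 0) {
            return null;   // reserved name claimed without its own password
        }
    }
    return $clean;
}

// Constructed sample data: two reserved names and four login attempts.
$reserved = ['Neil', 'Bob'];
$cases = [
    ['Alice', null],    // shared password, unreserved name
    ['neil ', null],    // shared password, reserved name with case/space changes
    ['Neil', 'Neil'],   // authenticated as Neil
    ['Bob', 'Neil'],    // authenticated as Neil, typed Bob
];
foreach ($cases as [$claimed, $authId]) {
    $result = resolve_author($claimed, $authId, $reserved);
    printf("%-8s auth=%-5s -> %s\n", json_encode($claimed),
           $authId ?? 'none', $result ?? 'REFUSED');
}
```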



