[pmwiki-users] authentication problems (built-in and authuser)

Patrick R. Michaud pmichaud at pobox.com
Thu Nov 24 19:52:38 CST 2005

On Thu, Nov 24, 2005 at 11:05:42AM -0500, Bronwyn Boltwood wrote:
> Here's what happened when I played with our test installation some more.

Okay, I'll walk through the same test on 

> 1. edited Site.Login to have text of:
>    (:if auth edit:)
>    %green%Welcome, '''{$Author}'''
>    (:ifend:)
>    (:if auth admin:)
>    %blue%You have admin rights.
>    (:ifend:)
> 2. set attributes on Site.Login to have read password of id:* and was
>    logged out by system.
> 3. logged in as bronwyn successfully; logged out.

Okay so far, but see below.

>    4. tried to log in as gerry.  no welcome message or logout stuff in
>    sidebar.  reload page -- same.  went to homepage, and now I can see that
>    I'm logged in as gerry. 

This is actually correct behavior, although as things are set up it's not
instantly obvious why.  The "gerry" account doesn't have edit permission 
to the Site.* pages, because of the edit password set in Site.GroupAttributes.  
So, (:if auth edit:) isn't true for "gerry" on any of the pages in the
Site group.  Using (:if authid:) is a much better test to determine
if someone is authenticated.

>    5. went back to login page.  no welcome message as there should be, but
>    not asked for password.  logout block in sidebar is gone again.

Correct, since gerry has read permission to Site.Login there's no password
prompt.  Since gerry doesn't have edit or admin permission, there were
no messages displayed. 

>    6. hit edit.  was asked for name and password.  gave gerry's credentials,
>    submitted, page reloads still wanting credentials.  tried bronwyn account
>    just in case.  same thing.  tried webmaster and pat accounts; same.

Aha!  This is the same problem as PITS #00551, which I also couldn't
resolve until now.  The problem turns out to be that after any
unsuccessful login, the system always continued to use the first username
that was entered even if a new one was entered.  This bug will be fixed
for 2.1.beta4, and should resolve a lot of the oddities you've been

>    Contrary to points 4, 5, and 7, I should be getting the welcome message
>    and other sections wrapped in (:if auth edit:) even as a lowly user, but
>    I'm not.  

Yes, but not for pages in the Site group, which are still blocked against
editing except to admins.

>    I wonder how hard it is to have error messages for "bad password and
>    username combination" and "insufficient rights".  They'd be helpful.

I'm working on this for the updated authuser script.  Unsuccessful
authentications will probably display "incorrect username/password
combination", while unsuccessful authorizations will display 
something like "(read|edit|attr|admin) privileges required by 
(site|group|page)".  Although I haven't figured out a good way to
i18n that yet.  :-|

> > PmWiki 2.1 will have ?action=login available, which will display
> > Site.AuthForm under the current url.  I think I'll do this for
> > 2.1.beta4.
> Cool.  Not too far away then.  Hopefully before I need to give my "how to
> edit" tutorial?  :)

Well, 2.1.beta4 (just released) contains the bugfix for the previous
item, so hopefully 2.1.beta5.  Depends on how much work I get done
this evening... :-)

>      Is there some url redirection taking place in the Apache
>      configuration somewhere...?  
>    I'm not certain, but I have a guess.  I have a regular account with add-on
>    domains (rather than a proper reseller's account), and grinningfrog is an
>    add-on domain.  

I ran a few tests on your site and figure it out -- apparently your
site automatically gzips (compresses) the output to reduce bandwidth
back to the browser, and when this happens the REDIRECT_* variables
get set.  So, this may be an unrelated issue now.

Anyway, see if 2.1.beta4 improves things on your site.  It seems to
have fixed things on the authtest install at pmichaud.com.


More information about the pmwiki-users mailing list