[pmwiki-users] authuser

OBUTEX / Hladůvka admin at obutex.com
Tue Mar 21 11:13:37 CST 2006


Hi all,
I have had a similar problem: when I logged in as a user with admin rights 
and afterwards as a common user
without closing the browser (MSIE), then I usually could access 
functions that are forbidden to a common user.

My site allows read access only to logged-in users; all other actions are 
allowed only to users with membership @admin.
This is set in Site.SiteAttributes.
Any exceptions are set by Somegroup.GroupAttributes or page attributes.
Each user is defined in Site.AuthUser (including his membership).

My local/config.php contains these sections concerning authorization:
#-------------------
## DefaultPasswords
$DefaultPasswords['admin'] = '@admins';
$DefaultPasswords['read'] = 'id:*';
# ------------------------------------------
## Define usernames and passwords.
$AuthUser['Admin'] = crypt('somepwd');

## Enable authentication based on username.
include_once('scripts/authuser.php');

## Let Author = AuthId
if (@$AuthId) $Author = $AuthId;

# ------------------------------------------
## membership
$Conditions['member'] = '@$GLOBALS["AuthList"][$condparm] > 0';
#Then you can do:
#   (:if member @staffwarehouse:)info for warehouse
#   (:if member @staffbookkeepers:)info for bookkeepers
#   (:if:)
#The above "member" condition also works to identify specific
#usernames, thus
#   (:if member id:alice :)Hello, Alice
#   (:if member id:bob   :)Hello, Bob
#   (:if member @editors :)You're allowed to edit pages
# ------------------------------------------

There is no .htpasswd file, so I can maintain everything via the Site.AuthUser 
page. 8-)

I found that with such a configuration, access to the site has to be 
done
using the URL 
http://some_domain/path_to_instalation_folder/index.php/some_group/some_page
(the page then asks for login).
If I used http://some_domain/path_to_instalation_folder
then only Admin could log in, and after that a normal user could be logged 
in (without closing the browser).

I hope this info is useful for you.
Best regards,
Jiri

 

Patrick R. Michaud wrote:
> On Tue, Mar 21, 2006 at 10:46:18AM -0500, Rene Paquin wrote:
>   
>>    Yes, that does fix it.  Thank you.  However, I notice that with the
>>    following configuration, when I log in as rene/testing I can access the
>>    admin area.  I shouldn't be able to do that, am I correct?
>>     
>>    ## Enable authentication based on username.
>>     ## Define usernames and passwords.
>>     $AuthUser['rene'] = crypt('testing');
>>    $DefaultPasswords['edit'] = 'id:*';
>>    $DefaultPasswords['read'] = 'id:*';
>>    $DefaultPasswords['admin'] = crypt('admin');
>>    include_once('scripts/authuser.php');
>>     
>
> Depends on what you mean by "access the admin area"?  Normally
> the Site.* pages are publicly readable.  Also, once you enter the 
> admin password ('admin'), you have admin privileges until you 
> log out or change a page's password somewhere -- even if you 
> log in as another account.
>
> Pm
>

-- 
OBUTEX s.r.o
Ing.Jiří Hladůvka
Zlatovská 22
911 01 Trenčín

tel.: +421 (0)32 6587000
mailto:admin at obutex.com

http://www.obutex.com
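The behaviour described in this thread (an admin authorization that survives a later login as a less privileged user in the same browser session) can be modelled outside PmWiki. The following is an added, self-contained Python model written for this page; it is not PmWiki's own code. It assumes a constructed user table, an action table in the spirit of $DefaultPasswords, and a per-session authorization list in the spirit of the AuthList that the `member` condition above reads from. The `reset` flag shows the difference between accumulating authorizations across logins and clearing them on each new login.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Dict, Tuple

# Constructed user table: username -> (password, group memberships).
# Hypothetical data for this example only; PmWiki keeps this in Site.AuthUser.
USERS: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("alice-pw", {"@admins", "@editors"}),
    "bob": ("bob-pw", {"@editors"}),
}

# Which authorization entries unlock which action, in the spirit of
# $DefaultPasswords: 'id:*' means "any logged-in user", '@admins' a group.
DEFAULT_PASSWORDS: Dict[str, Set[str]] = {
    "read": {"id:*"},
    "edit": {"id:*"},
    "admin": {"@admins"},
}


@dataclass
class Session:
    """Server-side state tied to one browser session (cookie)."""
    authid: Optional[str] = None
    authlist: Set[str] = field(default_factory=set)


def login(session: Session, user: str, password: str, reset: bool) -> bool:
    """Authenticate and record authorizations in the session.

    With reset=False the new user's entries are merged into whatever the
    session already held, so an earlier admin login keeps granting admin.
    With reset=True the list is rebuilt from scratch for the new identity.
    """
    stored = USERS.get(user)
    if stored is None or stored[0] != password:
        return False
    pw, groups = stored
    if reset:
        session.authlist = set()
    session.authid = user
    session.authlist |= {"id:*", f"id:{user}"} | groups
    return True


def logout(session: Session) -> None:
    """Drop identity and every authorization held by the session."""
    session.authid = None
    session.authlist = set()


def is_member(session: Session, name: str) -> bool:
    """Equivalent of the (:if member ...:) condition in the post:
    true when 'id:alice' or '@editors' is in the session's auth list."""
    return name in session.authlist


def authorized(session: Session, action: str) -> bool:
    """An action is allowed if any of its entries is in the auth list."""
    return bool(DEFAULT_PASSWORDS[action] & session.authlist)


def admin_then_user(reset: bool) -> bool:
    """Reproduce the thread's scenario: log in as an admin, then as a
    normal user in the same session. Returns whether admin is still granted."""
    s = Session()
    assert login(s, "alice", "alice-pw", reset)
    assert login(s, "bob", "bob-pw", reset)
    return authorized(s, "admin")


if __name__ == "__main__":
    print("admin retained without reset:", admin_then_user(reset=False))
    print("admin retained with reset:   ", admin_then_user(reset=True))
```

Without `reset`, the second login leaves `@admins` in the list and Bob's session still passes the admin check, which is what both Jiri and Rene observed; with `reset` (or an explicit `logout` between the two logins) the admin grant is gone. The `member` check is deliberately a plain lookup in the same list, so a stale entry affects page conditions as well as action authorization.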