[pmwiki-users] password prompt problems perplex people - redux
Neil Herber
nospam at eton.ca
Sun Mar 26 12:54:17 CST 2006
I am posting this again because I did not make it clear on my
original post that I was looking for a possible solution to this problem.
On site X, visitors are required to enter a read password to access
the site. If they later click on an edit link, they get a nice
prompt for an edit password. But if they try to edit a page in the
Site group, my prompt logic falls on its face.
At the top of Site.AuthForm I have:
(:if !auth read:)'''$[A password is required to read this page]'''
(:if [ auth read and !auth edit ] :)'''$[An edit password is required]'''
(:if [ auth read and auth edit ] :)'''$[This request requires an admin password]'''
(:if:)
The thinking behind this logic is:
(:if !auth read:) - this must be the first attempt to look at the
wiki, so they need to enter the read password, so prompt for a read password
(:if [ auth read and !auth edit ] :) - they have a read password but
they don't have an edit password, and the only way they would get to
this point is if they were trying to edit, so ask for an edit password.
(:if [ auth read and auth edit ] :) - they are being asked for a
password, but they already have both a read and an edit password, so
they must need an admin password - ask for that.
There are 2 problems with this logic:
1) If the action they are performing requires an admin password and
they only have a read password, they get a prompt for an edit password.
2) The third line "admin" password test does not work as expected on
the Site group, though it does seem to work on other groups. On the
Site group it continuously displays "An edit password is required"
when it actually requires an admin password.
I think both problems are a result of the way PmWiki does the tests
for authorization levels. It is not directly testing to see if the
user has already entered a read or edit password; it is testing the
contents of the user's password array against the passwords
authorized to allow the requested action on the page in question. Is
my interpretation close to correct?
If it is correct, then I cannot think of any way to test for the
"admin" case in a structure like the one I have shown above.
I think the best I can do is check for the group, and if it is Site,
ask for an admin password.
Comments, alternate solutions, and corrections gratefully received!
Neil
Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668
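
A small model of the interpretation described in the message above, added here as an illustration; it is not code from the post or from PmWiki. It assumes that "auth <level>" is true when a password the visitor has entered is accepted for that level on the requested page; the page entries, the passwords and the "attr" level are constructed sample data.

```python
# Simplified model: "auth <level>" is true when a password the visitor has
# entered is accepted for <level> on the requested page. All names and
# passwords below are constructed; this is not PmWiki source code.
ADMIN = "a-pw"

# Accepted passwords per page and level (constructed sample data).
PAGES = {
    "Main.HomePage": {"read": {"r-pw"}, "edit": {"e-pw"}, "attr": set()},
    # As the post describes, editing in the Site group needs the admin password.
    "Site.SideBar":  {"read": {"r-pw"}, "edit": set(), "attr": set()},
}

def auth(held, page, level):
    """True if any held password is accepted for `level` on `page`."""
    return bool(held & (PAGES[page][level] | {ADMIN}))

def authform_prompt(held, page):
    """The three-branch Site.AuthForm logic quoted in the post."""
    if not auth(held, page, "read"):
        return "read"
    if not auth(held, page, "edit"):
        return "edit"
    return "admin"

def actually_missing(held, page, level):
    """Which password would really satisfy the request, or None."""
    if auth(held, page, level):
        return None
    return level if PAGES[page][level] else "admin"

def prompt_with_group_check(held, page):
    """The fallback proposed in the post: in the Site group, ask for admin."""
    if auth(held, page, "read") and page.split(".")[0] == "Site":
        return "admin"
    return authform_prompt(held, page)

def demo():
    reader, editor = {"r-pw"}, {"r-pw", "e-pw"}
    cases = [(reader, "Main.HomePage", "attr"),   # problem 1 in the post
             (editor, "Site.SideBar", "edit"),    # problem 2 in the post
             (reader, "Main.HomePage", "edit")]   # the case that works
    return [(page, level, authform_prompt(held, page),
             actually_missing(held, page, level),
             prompt_with_group_check(held, page)) for held, page, level in cases]

if __name__ == "__main__":
    for row in demo():
        print("%-14s %-5s form=%-6s needed=%-6s with_group_check=%s" % row)
```

Under this model the form never sees which level the request needs, so the group check corrects the Site case but the first case still prompts for an edit password.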