[pmwiki-users] action=login gives bogus error msg

Tegan Dowling tmdowling at gmail.com
Wed Nov 15 23:11:11 CST 2006


On 11/15/06, Russ Fink <russfink at hotmail.com> wrote:
> User "admin" not accepted by ?action=login for any page, under PmWiki
> version 2.1.26, using AuthUser.
>
> Steps:
>
>    1. Configure system for AuthUser. Create a couple of users, and a group
> "@admins" that includes the users. For instance, create "russ" and put him
> in the @admins group.
>    2. Set up site-wide default passwords to "@admins" group in the
> config.php script for edit and attr, leave "read" blank.
>    3. Preliminary - Go to Main.HomePage?action=logout to start.
>          1. I visit Site.AuthUser?action=attr - I am asked for a password,
> good. Do not do anything, just verify not already admin, witnessed by the
> fact that it wants a password. I have this page locked to all but admin.
>          2. I try Main.HomePage?action=edit and am asked for a password.
> Again, I didn't log in, just verified I need a password to continue.
>    4. Problem Steps - Go to Main.HomePage?action=logout, then
> Main.HomePage?action=login.
>          1. Log in as "admin" - What I get back is "Name/password not
> recognized"
>          2. Without logging out, I try Site.AuthUser?action=attr again -
> this time, I am not asked for a password. This tells me that the previous
> "name/pass not recognized" is in error, and that I am actually logged in as
> admin.
>          3. I go to Main.HomePage?action=logout, then
> Main.HomePage?action=login. I log in as "russ" then try to edit main:
> Main.HomePage?action=edit and this works.
>    5. It works correctly when the action target is not "login." For
> instance, I go to Main.HomePage?action=logout, then
> Main.HomePage?action=edit, it asks for a password, I log in as "admin" and
> it works.
>
> My config.php snippet:
>
> # RAF * use AuthUser; force logged in user to prepopulate in
> # change form
> include_once("$FarmD/scripts/authuser.php");
> $Author = $AuthId;
>
> # RAF * prevent groups w/o password; see
> # Cookbook:LimitWikiGroups, opt 2
> $rc = FmtPageName('$Group.RecentChanges', $pagename);
> if (!PageExists($rc))
>   $DefaultPasswords['edit'] = $DefaultPasswords['admin'];
>
> # RAF * establish site-wide default passwords per groups
> # $DefaultPasswords['read'] = '';
> $DefaultPasswords['edit'] =   '@admins';
> $DefaultPasswords['attr'] =   '@admins';
> $DefaultPasswords['upload'] = '@admins';
>
> What am I doing wrong?
>

Yeah, I asked about this on July 1 and July 11, following up on a
thread that Jon Haupt initiated on June 9 entitled "Author setting in
two different ways", in which he requested and received code from PM
that would "use the username field (from the authentication form) to
set the author cookie if one hasn't already been set" (it works
nicely).

Same deal:
If a user reaches the AuthForm via ?action=login, and enters a good
password that was globally set via local/config.php OR set on the
originating group/page via ?action=attr (and so isn't associated with
a username), then the AuthForm remains on-screen, with the 'not
recognized' message, even though the password is actually
acknowledged, in the sense that the user proves to be empowered
appropriately.



