[pmwiki-users] more on action=login not grok admin
tmdowling at gmail.com
Fri Nov 24 15:23:15 CST 2006
On 11/16/06, Tegan Dowling <tmdowling at gmail.com> wrote:
> On 11/16/06, Russ Fink <russfink at hotmail.com> wrote:
> > I'm writing some conditional markup, and realized that authid is true for
> > any legitimate user authenticated /except/ admin. To that end, I find I
> > need to put "[ auth admin || authid ]" in all (:if:) clauses where I think I
> > should just be able to get away with "(:if authid:)".
> > I still have the following problem. Per some suggestions, I moved the
> > authuser.php after I set all my passwords, and that didn't change anything.
> > I tried using "Admin" instead of "admin," no change. Finally, one user
> > suggested that this problem was asked in July, and the asker received some
> > code for it. Can someone e-mail me that fix, and better, can that just get
> > committed into the main distro?
> > Here is my message again.
> > User "admin" not accepted by ?action=login for any page, under PmWiki
> > version 2.1.26, using AuthUser.
> > Steps:
> > 1. Configure system for AuthUser. Create a couple of users, and a group
> > "@admins" that includes the users. For instance, create "russ" and put him
> > in the @admins group.
> > 2. Set up site-wide default passwords to "@admins" group in the
> > config.php script for edit and attr, leave "read" blank.
> > 3. Preliminary - Go to Main.HomePage?action=logout to start.
> >    1. I visit Site.AuthUser?action=attr - I am asked for a password,
> >       good. Do not do anything, just verify not already admin, witnessed by the
> >       fact that it wants a password. I have this page locked to all but admin.
> >    2. I try Main.HomePage?action=edit and am asked for a password.
> >       Again, I didn't log in, just verified I need a password to continue.
> > 4. Problem Steps - Go to Main.HomePage?action=logout, then
> >    Main.HomePage?action=login.
> >    1. Log in as "admin" - What I get back is "Name/password not
> >       recognized"
> >    2. Without logging out, I try Site.AuthUser?action=attr again -
> >       this time, I am not asked for a password. This tells me that the previous
> >       "name/pass not recognized" is in error, and that I am actually logged in as
> >       admin.
> >    3. I go to Main.HomePage?action=logout, then
> >       Main.HomePage?action=login. I log in as "russ" then try to edit main:
> >       Main.HomePage?action=edit and this works.
> > 5. It works correctly when the action target is not "login." For
> > instance, I go to Main.HomePage?action=logout, then
> > Main.HomePage?action=edit, it asks for a password, I log in as "admin" and
> > it works.
> Russ: Here's a portion of the thread from June 9, entitled "Author
> setting in two different ways"
> > On 6/9/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> > > On Fri, Jun 09, 2006 at 12:02:27PM -0500, Jon Haupt wrote:
> > > > Hi there,
> > > >
> > > > So I'm using AuthUser and enforcing author tracking on my wiki.
> > > > Everything works fine except that one group on my wiki has a simple
> > > > read/edit password (so it doesn't require authenticated ID). The
> > > > problem here is if they type in an author name, this isn't copied to
> > > > $Author like an $AuthId is. Is there a way to do this so that either
> > > > way, the author cookie is automatically set if they enter one (whether
> > > > it's an authenticated ID or just a name to go with the password)?
> > >
> > > It's not pretty, but try the following in local/config.php:
> > >
> > >     if (@$_POST['authid'] && !@$_COOKIE['author'])
> > >       $_POST['author'] = $_POST['authid'];
> > >
> > > This will use the username field (from the authentication form)
> > > to set the author cookie if one hasn't already been set.
> I followed up on July 1 and July 11, raising what I think is the same
> issue that you're having. When we're trying to use BOTH the native
> password-only authentication scheme AND the AuthUser user
> authentication scheme on the same wiki, the rules governing the
> Site/AuthForm page don't quite apply in the password-only situation,
> and we get a message that appears to be denial of login, even though
> administrative-level access is in fact provided.