[pmwiki-users] Rethinking passwords and authorization

Patrick R. Michaud pmichaud at pobox.com
Mon Oct 9 16:29:33 CDT 2006


In looking at how to provide a "list of all pages with
passwords" capability, as well as a few other features, it
occurs to me that *maybe* we should just revamp the entire
password system we're using to become a little more regular.

At the moment things get a bit complex because we have three
ways of authorizing access:

   - based on a password              ("secret_pw")
   - based on an authenticated id     ("id:alice")
   - based on membership in a group   ("@authors")

So, someone can use ?action=attr to set an edit password like:

    quick id:alice @authors id:bob

and this means that "alice", "bob", anyone in the "@authors" group,
or anyone who knows the password "quick" is allowed to edit
the page.

The above looks clean, but we start to run into difficulty
when people expect to be able to mix the syntax at will:

    id:alice,bob,@authors quick

This gets very difficult for PmWiki to parse.  It will get worse
when we try to allow userids with spaces in them:

    id:"Alice Adams",@authors,"Bob Barker" "multi word password"

or when we try to revoke access:

    @authors id:"Alice Adams",-carol,"Bob Barker"

Does anyone have any suggestions for how we might clean up 
the syntax a bit?  Or is this about the best we can do given 
the overall flexibility desired?

Just for background:  I think we need to be able to specify
authorization based on (1) knowledge of a password, (2) authenticated
identity (userid), and/or (3) membership in a group.  It would also be
nice to have a way to revoke access based on userid or group
membership (e.g., "everyone in this group except XYZ").

Thanks in advance for any suggestions,

Pm
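
The parsing problem Pm describes above, worked through as an added example.
This is not PmWiki's code (PmWiki is written in PHP; Python is used here only
because the point is the grammar, not PmWiki's API) and it assumes one
particular reading of the mixed syntax: items are separated by whitespace or
commas; a comma carries the current list kind forward, so everything after
`id:` is an id until a whitespace separator resets it; an `@group` inside an
id list does not change the list kind; double quotes make a multi-word item
literal; a leading `-` revokes an id or group and a revocation always wins.
The `AuthRule` class, `parse_auth`, `is_authorized` and `rejects` names are
invented for this illustration, and passwords are compared in plaintext as in
the post's examples rather than hashed as PmWiki actually stores them.

```python
"""Parse and evaluate PmWiki-style authorization expressions.

Added example, not PmWiki's own code. Assumed grammar:
  * items are separated by whitespace or commas;
  * a bare item is a password, "id:name" an authenticated id, "@name" a group;
  * a comma keeps the current list kind ("id:" opens an id list, "@" opens a
    group list if no list is open); whitespace closes any open list;
  * an "@group" item inside an id list does not change the list kind;
  * "..." quotes an item containing spaces and makes it literal;
  * a leading "-" on an id or group revokes it, and revocation wins.
"""
import hmac
import re
from dataclasses import dataclass, field

# One item: optional separator, optional "-", optional prefix, quoted or bare text.
ITEM_RE = re.compile(
    r'(?P<sep>\s*,\s*|\s+)?'       # separator before the item (None at start)
    r'(?P<neg>-)?'                 # revocation marker
    r'(?P<pfx>id:|@)?'             # item kind prefix
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s,"]+))'
)


@dataclass
class AuthRule:
    """Hypothetical parsed form of one page's edit/read/attr password."""
    passwords: set = field(default_factory=set)
    ids: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    denied_ids: set = field(default_factory=set)
    denied_groups: set = field(default_factory=set)


def parse_auth(spec: str) -> AuthRule:
    """Parse a spec such as '@authors id:"Alice Adams",-carol,"Bob Barker"'."""
    rule = AuthRule()
    spec = spec.strip()
    pos = 0
    mode = None                    # kind carried across commas: None, "id", "group"
    while pos < len(spec):
        m = ITEM_RE.match(spec, pos)
        if not m:
            raise ValueError(f"cannot parse spec at offset {pos}: {spec[pos:]!r}")
        pos = m.end()
        sep, neg, pfx = m.group("sep"), m.group("neg"), m.group("pfx")
        name = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        # Empty quotes, or a bare "id:"/"@" left over after regex backtracking.
        if not name or (pfx is None and name in ("id:", "@")):
            raise ValueError(f"empty item in spec near offset {m.start()}")
        if sep is None or "," not in sep:
            mode = None            # start of string or whitespace closes the list
        if pfx == "id:":
            kind = mode = "id"
        elif pfx == "@":
            kind = "group"
            mode = mode or "group"
        else:
            kind = mode or "password"
        if neg:
            if kind == "password":
                raise ValueError(f"cannot revoke a password: {m.group(0).strip()!r}")
            (rule.denied_ids if kind == "id" else rule.denied_groups).add(name)
        elif kind == "id":
            rule.ids.add(name)
        elif kind == "group":
            rule.groups.add(name)
        else:
            rule.passwords.add(name)
    return rule


def is_authorized(rule: AuthRule, *, password=None, user=None, groups=()) -> bool:
    """True if the request satisfies the rule; a revocation always wins."""
    if user in rule.denied_ids or rule.denied_groups.intersection(groups):
        return False
    if user is not None and user in rule.ids:
        return True
    if rule.groups.intersection(groups):
        return True
    if password is not None:
        # Check every stored password without short-circuiting, so timing does
        # not reveal which (if any) candidate matched.
        ok = False
        for candidate in rule.passwords:
            ok |= hmac.compare_digest(candidate.encode(), password.encode())
        return ok
    return False


def rejects(spec: str) -> bool:
    """True if the spec is malformed under the assumed grammar."""
    try:
        parse_auth(spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rule = parse_auth('@authors id:"Alice Adams",-carol,"Bob Barker"')
    print(rule)
    print("carol (in @authors):", is_authorized(rule, user="carol", groups=["authors"]))
    print("dave  (in @authors):", is_authorized(rule, user="dave", groups=["authors"]))
```

The important design choice is that the separator decides the list kind:
comma continues, whitespace resets. That is what lets `id:alice,bob,@authors
quick` and `id:"Alice Adams",@authors,"Bob Barker" "multi word password"` both
parse the way the post reads them, while a spec such as `-quick` (revoking a
password) or an unterminated quote is rejected rather than silently turned
into a password nobody intended.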




More information about the pmwiki-users mailing list