[pmwiki-users] Rethinking passwords and authorization

Ryan R. Varick rvarick at gmail.com
Mon Oct 9 17:02:42 CDT 2006


I've always kind of wondered why the syntax is the way it is
anyway.  I certainly think it would be more intuitive if there were a
set of common prefixes, like

  password:quick
  user:alice (or id:alice, if that's preferred)
  group:authors

I don't know if this would make parsing any easier, but I don't think
the current system is "the best we can do" with regard to legibility.

Ryan



On 10/9/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> In looking at how to provide a "list of all pages with
> passwords" capability, as well as a few other features, it
> occurs to me that *maybe* we should just revamp the entire
> password system we're using to become a little more regular.
>
> At the moment things get a bit complex because we have three
> ways of authorizing access:
>
>    - based on a password              ("secret_pw")
>    - based on an authenticated id     ("id:alice")
>    - based on membership in a group   ("@authors")
>
> So, someone can use ?action=attr to set an edit password like:
>
>     quick id:alice @authors id:bob
>
> and this means that "alice", "bob", anyone in the "@authors" group,
> or anyone who knows the password "quick" is allowed to edit
> the page.
>
> The above looks clean, but we start to run into difficulty
> when people expect to be able to mix the syntax at will:
>
>     id:alice,bob,@authors quick
>
> This gets very difficult for PmWiki to parse.  It will get worse
> when we try to allow userids with spaces in them:
>
>     id:"Alice Adams",@authors,"Bob Barker" "multi word password"
>
> or when we try to revoke access:
>
>     @authors id:"Alice Adams",-carol,"Bob Barker"
>
> Does anyone have any suggestions for how we might clean up
> the syntax a bit?  Or is this about the best we can do given
> the overall flexibility desired?
>
> Just for background:  I think we need to be able to specify
> authorization based on (1) knowledge of a password, (2) authenticated
> identity (userid), and/or (3) membership in a group.  It would also be
> nice to have a way to revoke access based on userid or group
> membership (e.g., "everyone in this group except XYZ").
>
> Thanks in advance for any suggestions,
>
> Pm
>
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>
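To make the parsing problem in the quoted message concrete, here is an added example (it is not PmWiki's own code, and neither Pm nor Ryan posted it) that tokenizes and evaluates the mixed syntax under one explicit set of assumed rules: tokens are split on whitespace or commas, double quotes keep spaces, id:NAME is an authenticated id, @NAME is a group, anything else is a password, a comma continues the kind of the previous token, and a leading "-" revokes. The function names, the hashing of stored passwords with password_hash(), and the demo spec are all assumptions for illustration.

```php
<?php
// Added example (not PmWiki's own code): a tokenizer, parser and evaluator for
// the mixed authorization syntax discussed in the thread.  Rules assumed here:
//   - tokens are separated by whitespace or commas; "double quotes" keep spaces
//   - id:NAME is an authenticated id, @NAME a group, anything else a password
//   - a comma continues the kind of the previous token, so id:alice,bob is two ids
//   - a leading "-" revokes instead of grants, and a revocation always wins
declare(strict_types=1);

function tokenizeAuth(string $spec): array {
    $tokens = [];                 // list of [separator before token, token text]
    $sep = ' ';
    $len = strlen($spec);
    $i = 0;
    while ($i < $len) {
        if (ctype_space($spec[$i])) { $sep = ' '; $i++; continue; }
        if ($spec[$i] === ',')      { $sep = ','; $i++; continue; }
        $buf = '';
        while ($i < $len && !ctype_space($spec[$i]) && $spec[$i] !== ',') {
            if ($spec[$i] === '"') {          // quoted run: copy up to closing quote
                $close = strpos($spec, '"', $i + 1);
                if ($close === false) {
                    throw new InvalidArgumentException("unterminated quote in: $spec");
                }
                $buf .= substr($spec, $i + 1, $close - $i - 1);
                $i = $close + 1;
            } else {
                $buf .= $spec[$i++];
            }
        }
        $tokens[] = [$sep, $buf];
    }
    return $tokens;
}

function parseAuth(string $spec): array {
    $rules = ['allow' => ['password' => [], 'id' => [], 'group' => []],
              'deny'  => ['id' => [], 'group' => []]];
    $kind = 'password';
    foreach (tokenizeAuth($spec) as [$sep, $tok]) {
        $deny = ($tok !== '' && $tok[0] === '-');
        if ($deny) { $tok = substr($tok, 1); }
        if (strncmp($tok, 'id:', 3) === 0) {
            $kind = 'id';    $tok = substr($tok, 3);
        } elseif ($tok !== '' && $tok[0] === '@') {
            $kind = 'group'; $tok = substr($tok, 1);
        } elseif ($sep === ' ') {
            $kind = 'password';        // whitespace resets to the default kind
        }                              // a comma keeps the previous kind
        if ($tok === '') { continue; }
        if ($deny && $kind === 'password') {
            throw new InvalidArgumentException("a password cannot be revoked: -$tok");
        }
        $rules[$deny ? 'deny' : 'allow'][$kind][] = $tok;
    }
    return $rules;
}

// What gets written to the page attributes: passwords as hashes, never plaintext
// (assumed here; stands in for whatever the wiki actually stores).
function hashPasswords(array $rules): array {
    $rules['allow']['password'] = array_map(
        fn(string $pw): string => password_hash($pw, PASSWORD_DEFAULT),
        $rules['allow']['password']);
    return $rules;
}

// Revocations are tested before any grant, so "-carol" beats "@authors" even
// when carol is a member.  Unauthenticated visitors have $userId === null.
function isAuthorized(array $rules, ?string $userId, array $groups, ?string $password): bool {
    if ($userId !== null && in_array($userId, $rules['deny']['id'], true)) { return false; }
    if (array_intersect($groups, $rules['deny']['group']) !== []) { return false; }
    if ($userId !== null && in_array($userId, $rules['allow']['id'], true)) { return true; }
    if (array_intersect($groups, $rules['allow']['group']) !== []) { return true; }
    if ($password !== null) {
        foreach ($rules['allow']['password'] as $hash) {
            if (password_verify($password, $hash)) { return true; }
        }
    }
    return false;                  // default deny
}

// Constructed demo spec, combining the thread's examples.
$rules = hashPasswords(parseAuth('@authors id:"Alice Adams",-carol,"Bob Barker" quick'));
foreach ([
    ['Alice Adams', [],          null],
    ['carol',       ['authors'], null],     // revoked despite group membership
    ['carol',       ['authors'], 'quick'],  // the password is not tied to an identity
    [null,          [],          'wrong'],
] as [$id, $groups, $pw]) {
    printf("%-12s %-10s %-6s => %s\n", $id ?? '(anon)', implode(',', $groups),
           $pw ?? '-', isAuthorized($rules, $id, $groups, $pw) ? 'allow' : 'deny');
}
```

Two things the example makes visible. First, the "comma continues the previous kind" rule is exactly where the ambiguity Pm describes bites: fed the quoted message's `id:"Alice Adams",@authors,"Bob Barker"`, this parser files "Bob Barker" as a group, because the @authors token switched the kind, which is almost certainly not what the page owner meant; a prefix-per-token grammar like the one proposed above removes that guesswork. Second, revocation by id or group cannot stop a revoked user who also knows a page password, since password knowledge is not tied to any identity; if "-carol" has to be absolute, the password route should not be offered on that page.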