[pmwiki-users] Rethinking passwords and authorization

Patrick R. Michaud pmichaud at pobox.com
Tue Oct 10 13:06:49 CDT 2006


On Mon, Oct 09, 2006 at 04:03:23PM -0700, Syv Ritch wrote:
> On Mon, 9 Oct 2006 16:29:33 -0500
> "Patrick R. Michaud" <pmichaud at pobox.com> wrote:
> > Just for background:  I think we need to be able to specify
> > authorization based on (1) knowledge of a password, (2)
> > authenticated identity (userid), and/or (3) membership in a
> > group.  It would also be nice to have a way to revoke access
> > based on userid or group membership (e.g., "everyone in this
> > group except XYZ").
> 
> I think something like:
> 
> 1. All passwords stored in a md5sum file, protected by ... either
> htaccess or something else in Pm
> 2. An access file that has all the read/write accesses like:
> pagename   who        what
> *          Everybody  Read           -- Everybody can read everything
> xyz        groupabc   Read + Edit    -- Only people belonging to group abc can RW
> namespace  group123   Read + Upload  -- group 123 can read/upload page in namespace...
> page123    person123  Read + Edit    -- only person 123 can read/edit page 123
> 
> This will give 1 place and it's very flexible. And as usual in ACL go through all, and 
> apply the most restrictive ACL.

I have several issues with this approach:

1.  Moving a page file from one wiki to another (or renaming the page)
    doesn't take the access control permissions with it.

2.  Having centralized ACLs doesn't work for WikiFarms that have
    shared pages.

3.  The scheme above doesn't seem to allow protecting pages by 
    shared passwords -- only by authorized identities.


For a variety of reasons I think it's important that access control information
remain associated with the pagefile and not factored out into a separate location.
This isn't to say that we cannot have a "centralized access control" option,
but it needs to be possible to have the access control in the page file itself.

Pm
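
Added example, not part of the original message and not PmWiki code: a sketch of issue 1 above, where a page protected by a row in a central table falls back to the wildcard row once it is renamed, while permissions stored in the page file travel with it. The table rows, the rule that an exact pagename row overrides the `*` row, and all function names are assumptions made for illustration.

```python
# Constructed rows modelled on the access table quoted in the thread.
CENTRAL_ACL = {
    "*":       [("Everybody", {"read"})],
    "page123": [("person123", {"read", "edit"})],
}


def _grants(rows, principals):
    """Union the permissions of every row whose 'who' matches the caller."""
    granted = set()
    for who, what in rows:
        if who == "Everybody" or who in principals:
            granted |= what
    return granted


def central_perms(acl, pagename, principals):
    """Assumed resolution: an exact pagename row overrides the '*' row."""
    return _grants(acl.get(pagename, acl.get("*", [])), principals)


def embedded_perms(pagefile, principals):
    """Access control read from attributes stored in the page file itself."""
    return _grants(pagefile["acl"], principals)


def rename(store, old, new):
    """Move a page file; its text and attributes move, the central table does not."""
    store[new] = store.pop(old)


def demo():
    store = {"page123": {"text": "private notes",
                         "acl": [("person123", {"read", "edit"})]}}
    anon, owner = set(), {"person123"}
    before = (central_perms(CENTRAL_ACL, "page123", anon),
              embedded_perms(store["page123"], anon))
    rename(store, "page123", "page456")
    after = {
        "central_anon":   central_perms(CENTRAL_ACL, "page456", anon),
        "central_owner":  central_perms(CENTRAL_ACL, "page456", owner),
        "embedded_anon":  embedded_perms(store["page456"], anon),
        "embedded_owner": embedded_perms(store["page456"], owner),
    }
    return before, after


if __name__ == "__main__":
    print(demo())
```

After the rename the central table both exposes the page to anonymous readers and drops the owner's edit right, so a central scheme needs the table updated in the same step as every move or rename.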



