[pmwiki-users] Rethinking passwords and authorization
Patrick R. Michaud
pmichaud at pobox.com
Tue Oct 10 13:06:49 CDT 2006
On Mon, Oct 09, 2006 at 04:03:23PM -0700, Syv Ritch wrote:
> On Mon, 9 Oct 2006 16:29:33 -0500
> "Patrick R. Michaud" <pmichaud at pobox.com> wrote:
> > Just for background: I think we need to be able to specify
> > authorization based on (1) knowledge of a password, (2)
> > authenticated identity (userid), and/or (3) membership in a
> > group. It would also be nice to have a way to revoke access
> > based on userid or group membership (e.g., "everyone in this
> > group except XYZ").
> I think something like:
> 1. All passwords stored in a md5sum file, protected by ... either
> htaccess or something else in Pm
> 2. An access file that has all the read/writes accesses like:
> pagename who what
> * Everybody Read -- Everybody can read everything
> xyz groupabc Read + Edit -- Only people belonging to group abc can RW
> namespace group123 Read + Upload -- group 123 can read/upload page in namespace...
> page123 person123 Read + Edit -- only person 123 can read/edit page 123
> This will give 1 place and it's very flexible. And as usual in ACL go through all, and
> apply the most restrictive ACL.
I have several issues with this approach:
1. Moving a page file from one wiki to another (or renaming the page)
doesn't take the access control permissions with it.
2. Having centralized ACLs doesn't work for WikiFarms that have
3. The scheme above doesn't seem to allow protecting pages by
shared passwords -- only by authorized identities.
For a variety of reasons I think it's important that access control information
remain associated with the pagefile and not factored out into a separate location.
This isn't to say that we cannot have a "centralized access control" option,
but it needs to be possible to have the access control in the page file itself.
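The following sketch is an added example, not part of the original message and not PmWiki code. It shows access control stored with the page record itself, covering a shared password, an authenticated identity, group membership, and revocation ("everyone in this group except XYZ"). The entry syntax, `GROUPS`, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical entry syntax (an assumption, not PmWiki's real format):
#   "pw:<salt-hex>:<hash-hex>"  shared password
#   "id:<user>" / "@<group>"    allow an identity / a group
#   "-id:<user>" / "-@<group>"  revoke; checked before any allow
GROUPS = {"abc": {"alice", "bob", "xyz"}}  # constructed sample membership

def pw_entry(password, salt=b"demo-salt"):
    """Build a shared-password entry holding a salted PBKDF2 hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"pw:{salt.hex()}:{digest.hex()}"

def _matches(entry, user, password):
    """True if the caller satisfies one entry (leading '-' already stripped)."""
    if entry.startswith("@"):
        return user in GROUPS.get(entry[1:], set())
    kind, _, rest = entry.partition(":")
    if kind == "id":
        return user is not None and user == rest
    if kind == "pw" and password is not None:
        salt_hex, _, want = rest.partition(":")
        got = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), 100_000)
        return hmac.compare_digest(got.hex(), want)
    return False

def authorized(page, action, user=None, password=None):
    """Evaluate the ACL carried inside the page record itself."""
    entries = page.get("acl", {}).get(action)
    if not entries:
        return False  # fail closed when the page names no one for this action
    if any(e.startswith("-") and _matches(e[1:], user, password) for e in entries):
        return False  # a revocation overrides every allow, password included
    return any(not e.startswith("-") and _matches(e, user, password)
               for e in entries)

def rename(store, old, new):
    """Rename a page; the ACL moves because it is part of the record."""
    store[new] = store.pop(old)
    store[new]["name"] = new

# Constructed sample page: group abc may edit, except xyz; a shared password also works.
PAGE = {"name": "Main.Page123", "text": "sample",
        "acl": {"edit": ["@abc", "-id:xyz", pw_entry("s3cret")]}}
```

A central table keyed by page name would need a separate update on every rename or copy between wikis, which is the first issue raised in the reply above.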