[pmwiki-users] Rethinking passwords and authorization

Sandy sandy at onebit.ca
Wed Oct 11 10:09:30 CDT 2006


Patrick R. Michaud wrote:
> On Mon, Oct 09, 2006 at 04:03:23PM -0700, Syv Ritch wrote:
>> On Mon, 9 Oct 2006 16:29:33 -0500
>> "Patrick R. Michaud" <pmichaud at pobox.com> wrote:
>>> Just for background:  I think we need to be able to specify
>>> authorization based on (1) knowledge of a password, (2)
>>> authenticated identity (userid), and/or (3) membership in a
>>> group.  It would also be nice to have a way to revoke access
>>> based on userid or group membership (e.g., "everyone in this
>>> group except XYZ").
>> I think something like:
>>
>> 1. All passwords stored in an md5sum file, protected by ... either
>> htaccess or something else in Pm
>> 2. An access file that has all the read/writes accesses like:
>> pagename   who        what
>> *          Everybody  Read           -- Everybody can read everything
>> xyz        groupabc   Read + Edit    -- Only people belonging to group abc can RW
>> namespace  group123   Read + Upload  -- group 123 can read/upload page in namespace...
>> page123    person123  Read + Edit    -- only person 123 can read/edit page 123
>>
>> This will give 1 place and it's very flexible. And as usual in ACL go through all, and
>> apply the most restrictive ACL.
> 
> I have several issues with this approach:
> 
> 1.  Moving a page file from one wiki to another (or renaming the page)
>     doesn't take the access control permissions with it.
> 
> 2.  Having centralized ACLs doesn't work for WikiFarms that have
>     shared pages.
> 
> 3.  The scheme above doesn't seem to allow protecting pages by 
>     shared passwords -- only by authorized identities.
> 
> 
> For a variety of reasons I think it's important that access control information
> remain associated with the pagefile and not factored out into a separate location.
> This isn't to say that we cannot have a "centralized access control" option,
> but it needs to be possible to have the access control in the page file itself.
> 
> Pm

Does this mean that in the current system, if I change access for a 
group, each page is updated? Can't, because I might change it through 
config.php rather than action=attr.

Sandy




