[pmwiki-users] Rethinking passwords and authorization

Patrick R. Michaud pmichaud at pobox.com
Wed Oct 18 11:07:26 CDT 2006


On Wed, Oct 18, 2006 at 09:30:10AM -0400, Ryan R. Varick wrote:
> I had to think about this before I saw the problem, but I agree that
> it could introduce problems.  My suggestion would be to craft the UI
> such that it makes expectations explicit.  I think Neil's idea has
> potential.  Personally, I find the whole thing confusing and would
> prefer to do away with prefixes altogether.  Boxes for each "level"
> have several advantages:
> 
> 1) Easily programmable - one box for non-AuthUser installations, three
> for AuthUser-enabled sites.
> 
> 2) Clear(er) UI - Authors no longer have to learn a syntax (simple
> though it may appear) along with the PmWiki authentication system. [...]
> 
> 3) Parsing - Input is already neatly sorted into separate form fields.
> Frontend prefixes aren't needed, nor are quotes.  Commas are
> sufficient to separate individual entries.
> 
> Overall, it seems like a good approach to me.  What are the downsides?

1.  How would someone in a non-AuthUser installation enter things like 
    '@nopass', '@lock', and '@_site_edit' (which are currently treated
    as pseudo-groups)?

2.  This adds a lot of complexity to the UI and to the internal
    authorization code, since it would have to validate and evaluate
    three separate attributes per authorization level instead of one
    per authorization level as it does now.  A significant amount of
    code refactoring would probably need to be done.

3.  Even if we have separate boxes on ?action=attr, we still need
    a syntax or mechanism to be able to specify group memberships
    in the Site.AuthUser page, where we don't really have the luxury
    of a special UI.  

Pm

> 
> On 10/10/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> >On Mon, Oct 09, 2006 at 10:31:46PM -0400, Neil Herber wrote:
> >> At 2006-10-09  06:02 PM -0400, Ryan R. Varick is rumored to have said:
> >> >I've always kind of wondered why the syntax is as the way it is
> >> >anyway.  I certainly think it would be more intuitive if there were a
> >> >set of common prefixes, like
> >> >
> >> >  password:quick
> >> >  user:alice (or id:alice, if that's preferred)
> >> >  group:authors
> >>
> >> This makes much more sense to me than the current "id:"  "@" and
> >> nothing prefixes.
> >>
> >> pw:
> >> id:
> >> gp:
> >>
> >> are short and directly identifiable.
> >>
> >> Something like:
> >>
> >> gp: Alpha -id:Fred +pw:zebra
> >>
> >> would mean the Alpha group, except for Fred, plus anyone who knows
> >> the password zebra.
> >
> >The main difficulty with requiring a prefix for passwords
> >is that it doesn't quite work from an author perspective with a
> >non-AuthUser-based PmWiki.
> >
> >In other words, on the ?action=attr form, how do we explain to
> >authors/admins that in order to set a password they have to
> >prefix it with "pw:"?  I think that many authors will be confused
> >about why the prefix is needed, since PmWiki already "knows"
> >that it's a password field.
> >
> >Pm
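Added example, not PmWiki's code and not anything Pm, Neil or Ryan posted: a small Python model in which the three syntaxes argued over above (the current "id:" / "@" / bare-password form, Neil's "gp:/id:/pw:" form with "+" and "-" modifiers, and Ryan's three comma-separated boxes) are parsed into one entry list and judged by one evaluator. The semantics are assumptions made for the example, not PmWiki's: "@nopass" grants everyone, "@lock" grants nobody, a "-" entry denies and beats any grant, and an empty list grants nobody.

```python
"""
Added example (not PmWiki's own code): the authorization-list syntaxes from
the thread, normalised to one entry list and checked by one evaluator.
Assumed semantics: an entry is (sign, kind, value), sign '+' grants and '-'
denies, kind is 'pw', 'id' or 'gp'; a matching deny wins over any grant;
pseudo-groups @nopass (everyone) and @lock (nobody) are named in the thread,
their meaning here is an assumption.
"""
from __future__ import annotations
from dataclasses import dataclass
import hashlib
import hmac
import re

Entry = tuple[str, str, str]  # (sign, kind, value)


@dataclass(frozen=True)
class Visitor:
    user: str | None = None            # authenticated user name, if any
    groups: frozenset[str] = frozenset()
    password: str | None = None        # password the visitor typed, if any


def parse_current(attr: str) -> list[Entry]:
    """Current-style list: whitespace separated; 'id:NAME' is a user,
    '@NAME' is a (pseudo-)group, anything else is a password.
    Double quotes allow a password that contains spaces."""
    entries: list[Entry] = []
    for m in re.finditer(r'"([^"]*)"|(\S+)', attr):
        if m.group(1) is not None:          # quoted token: always a password
            entries.append(('+', 'pw', m.group(1)))
            continue
        tok = m.group(2)
        if tok.startswith('id:'):
            entries.append(('+', 'id', tok[3:]))
        elif tok.startswith('@'):
            entries.append(('+', 'gp', tok[1:]))
        else:
            entries.append(('+', 'pw', tok))
    return entries


def parse_prefixed(attr: str) -> list[Entry]:
    """Neil's proposal, e.g. 'gp: Alpha -id:Fred +pw:zebra'.  A leading '-'
    denies, '+' or no sign grants; whitespace after the colon is tolerated."""
    return [('-' if sign == '-' else '+', kind, value)
            for sign, kind, value in re.findall(r'([+-]?)(gp|id|pw):\s*(\S+)', attr)]


def parse_boxes(pw_box: str, id_box: str, gp_box: str) -> list[Entry]:
    """Ryan's three-box form: one comma-separated box per kind, no prefixes.
    Consequence of the comma separator: a password containing a comma
    cannot be expressed in this form."""
    entries: list[Entry] = []
    for kind, box in (('pw', pw_box), ('id', id_box), ('gp', gp_box)):
        entries += [('+', kind, v.strip()) for v in box.split(',') if v.strip()]
    return entries


def _pw_ok(expected: str, given: str | None) -> bool:
    # Compare fixed-length digests in constant time so the check does not
    # leak the expected password through timing differences.
    if given is None:
        return False
    return hmac.compare_digest(hashlib.sha256(expected.encode()).digest(),
                               hashlib.sha256(given.encode()).digest())


def _matches(entry: Entry, v: Visitor) -> bool:
    _, kind, value = entry
    if kind == 'pw':
        return _pw_ok(value, v.password)
    if kind == 'id':
        return v.user is not None and v.user == value
    return kind == 'gp' and value in v.groups


def authorized(entries: list[Entry], v: Visitor) -> bool:
    """@lock always denies, @nopass always grants, a matching '-' entry
    denies, otherwise any matching '+' entry grants.  An empty list grants
    nobody (assumption; a site-wide fallback password is out of scope)."""
    named = {(kind, value) for _, kind, value in entries}
    if ('gp', 'lock') in named:
        return False
    if ('gp', 'nopass') in named:
        return True
    if any(_matches(e, v) for e in entries if e[0] == '-'):
        return False
    return any(_matches(e, v) for e in entries if e[0] == '+')


if __name__ == '__main__':
    neil = parse_prefixed("gp: Alpha -id:Fred +pw:zebra")
    print(authorized(neil, Visitor(user='alice', groups=frozenset({'Alpha'}))))  # True
    print(authorized(neil, Visitor(user='Fred', groups=frozenset({'Alpha'}))))   # False
```

The point the model makes is that the surface syntax and the authorization decision can be kept apart: all three forms reduce to the same entry list, so the evaluator does not change whichever UI wins. The thing that does not survive the translation cleanly is exactly what Pm raises in point 1: the pseudo-groups have a natural home in the current "@" syntax but no obvious box in the three-box form.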
