[pmwiki-users] Self registration

Patrick R. Michaud pmichaud at pobox.com
Thu Jan 22 14:59:52 CST 2009

On Thu, Jan 22, 2009 at 08:50:54PM +0100, kirpi at kirpi.it wrote:
> > having all of the information on the SiteAdmin.AuthUser page can
> > make it very cluttered for an admin to view/modify; putting
> > info in profile page (with pagelist commands for displaying
> > summary) keeps SiteAdmin.AuthUser itself clean
> Yes, but:
> a) just like one can write a pagelist to extract data from different
> Profile pages, couldn't one with about the same ease put together a
> few lines of code to tidy extract (and, why not, handle) data
> extracted from SiteAdmin.AuthUser?

This misses the point I was aiming at.  At some point an administrator
may need to manipulate SiteAdmin.AuthUser directly (e.g., to remove
someone's account), and if there are hundreds of user records in
the SiteAdmin.AuthUser page it's more difficult to do this.
If it's in Profile.XYZ then it's easy to locate and manipulate

Also, SiteAdmin.AuthUser stores more information than just usernames
and passwords, it also stores group memberships.  Keeping group
memberships in individual profile pages would also be much simpler.

> b) Let's imagine we have 10000 users: would a (:pagelist:) work in
> gathering data from Profiles? Or would it be easier to store 10000
> lines in one file? I have no experience, but maybe the second is
> safer?

With 10,000 users, I would think that storing information separately
would be far more important.  Granted, (:pagelist:) might be slow
or impossible in that case, but getting a complete list of user 
accounts is also rare.  And at least the (:pagelist:) version would
give you the option of selecting records based on some criteria,
while we'd need some very custom code to extract individual entries
from AuthUser.

Put another way:  Apache offers the ability to keep usernames and
passwords in .htpasswd files, but those quickly degrade in performance
as there get to be a larger number of entries.  In such cases Apache
recommends moving to something that allows better random-access
rather than sequentially scanning a large .htpasswd file (on every
authentication request).

As far as safety, I personally would feel much safer with such a
large password database spread out over many files than in a single
(essentially text) file.  

> > a small mistake in SiteAdmin.AuthUser can suddenly wipe out lots
> > of accounts
> Same as it is right now, isn't it?
> There is no way to setup some redundancy of any kind?

My message was in response to the question of "why would storing
user information in profile pages be better"; while a small mistake
in SiteAdmin.AuthUser could wipe out the entire database -- a small
mistake in a user's profile page would affect only that one user.


More information about the pmwiki-users mailing list