[pmwiki-users] [SEMI-SOLVED] Read page text variable before including authuser script...
Petko Yotov
5ko at 5ko.fr
Wed Mar 8 01:54:41 PST 2023
On 08/03/2023 10:28, pmwiki.johnny1000 at spamgourmet.com wrote:
>>> I would like to populate the $AuthUser array with usernames and
>>> passwords from other PmWiki pages than SiteAdmin.AuthUser.
>>
>> You can have usernames and passwords in pages other than
>> SiteAdmin.AuthUser.
>>
>> Something like this in config.php, before including authuser.php:
>>
>> $AuthUserPageFmt = array('SiteAdmin.AuthUser',
>> 'SiteAdmin.OtherUsers');
>>
>> This will have AuthUser check in all listed pages, with the same
>> expected format as documented. If there are repetitions, later values
>> will replace previous ones.
>
> Thank you, Petko, as usual, for a fast and helpful answer :o)
>
> $AuthUserPageFmt was exactly what I needed for this functionality.
>
> For others looking for something like the same functionality, this
> code in config.php will authenticate through individual
> <group>.<username> pages, instead of through the default single
> SiteAdmin.AuthUser page:
>
> if ($_POST['authid']) {
>   $AuthUserPageFmt = array("SomeGroup.{$_POST['authid']}");
> }

I'd advise to sanitize the user input and reduce the chance of opening
vulnerabilities now or in the future. Something like this:

  # Strip unexpected characters except dash, letters, digits:
  $uname = preg_replace('/[^-a-zA-Z0-9]+/', '', $_POST['authid']);

  # only add the page if there is something left (prevents from
  # parsing SomeGroup.SomeGroup or SomeGroup.HomePage):
  if($uname)
    # Also check centrally managed users in SiteAdmin.AuthUser:
    $AuthUserPageFmt = array("SomeGroup.$uname", 'SiteAdmin.AuthUser');

Petko
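
An added example, not part of the original message and not PmWiki's own code: the same allowlist wrapped in a helper that also handles non-string input and over-long names, then run over constructed inputs to show which pages AuthUser would read. The function name authuser_pages_for, the 64-character limit and the sample values are assumptions; the `??` operator needs PHP 7 or later.

```php
<?php
// Hypothetical helper for config.php: returns the pages AuthUser should
// read for a submitted login name. Not a PmWiki function.
function authuser_pages_for($raw, $group = 'SomeGroup', $maxlen = 64) {
  // Centrally managed users are always checked.
  $pages = array('SiteAdmin.AuthUser');

  // A request with authid[]=x delivers an array; accept only a string.
  if (!is_string($raw)) return $pages;

  // Same allowlist as in the message above: dash, letters, digits.
  // Dots and slashes are stripped, so the name cannot leave $group.
  $uname = preg_replace('/[^-a-zA-Z0-9]+/', '', $raw);

  // Compare with '' rather than testing truthiness, so a user named
  // "0" still gets a page; the length cap is an assumption.
  if (!is_string($uname) || $uname === '' || strlen($uname) > $maxlen) {
    return $pages;
  }

  // Per-user page first, SiteAdmin.AuthUser last: later values replace
  // earlier ones, so the central page takes precedence on repetitions.
  array_unshift($pages, "$group.$uname");
  return $pages;
}

// Constructed sample inputs, for illustration only.
$samples = array('johnny', 'Other.Page', '../../local/config',
                 array('x'), '', '0', null, str_repeat('a', 200));

foreach ($samples as $s) {
  $shown = is_string($s) && strlen($s) > 24 ? substr($s, 0, 21) . '...' : $s;
  printf("%-26s => %s\n",
         json_encode($shown, JSON_UNESCAPED_SLASHES),
         implode(', ', authuser_pages_for($s)));
}

// In config.php, before including authuser.php:
//   $AuthUserPageFmt = authuser_pages_for($_POST['authid'] ?? null);
```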