<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; "><DIV><DIV>On Sep 20, 2006, at 12:28 PM, Ben Wilson wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">The advantage of the wiki page approach is the ease of integrating a</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">client's web site theme with the data. My biggest complaint with most</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">CMS-type products is the impossible to manage theme. This is usually</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">because the design either calls for too many templates or CSS markup.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">For example, I've tinkered with Vanilla Forum, but just changing the</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">colors can be a royal pain. Contrast those with PmWiki's Incredibly</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Friendly Skin Format (IFSF).</DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV>It's not that it can't be done. It's that people don't do it right.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>If you work correctly with Smarty templating, for example, code is distinctly separated from template. I'm trying to remember which projects used Smarty templating. I'm using it in my own OSS software now.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Blogger also got it right -- skinning Blogger is an absolute dream.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>So while PmWiki certainly raised the bar for me on how templating SHOULD be done, it doesn't mean that no one else has it right.<BR><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><BLOCKQUOTE type="cite"> <BLOCKQUOTE type="cite"><BLOCKQUOTE type="cite"></BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I'm almost done with my mysql authentication extension for PmWiki.</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">As opposed to my mySQL authentication extension? Hmm, that was one of</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">the Mini Summer of Code projects that didn't get finished. That is,</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">there is something out there, but not entirely user friendly.</DIV></BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; ">Before I started I asked the list if anyone had something that does what I needed. I took the AuthUserDBase recipe and made a version that is stand-alone. AuthUserDBase is great for single-sign-on with an established system, but has no user-sign-up features, no validation email authentication, etc. I added all that in. People can forget passwords, re-sign up, change their password and email address, etc. </DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR class="khtml-block-placeholder"></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; ">It's done. I can't show off the wiki it's on yet but I'll be uploading it to the cookbook very soon. Once the wiki is done, I can show it off but in the meantime I may have to put up a wiki for demoing it. Maybe I'll dust off my "crissbio" wiki, since user authentication FINALLY handles what I needed to have the tiered authentication I wanted wAAAAAAy back when...</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR class="khtml-block-placeholder"></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; ">One question on that though: Can AuthUser handle groups as members of other groups? It would make life SO much easier. I'll look it up.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR class="khtml-block-placeholder"></DIV><BLOCKQUOTE type="cite"> <BLOCKQUOTE type="cite"></BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-style-span"><FONT class="Apple-style-span" color="#006312">I</FONT> put my wiki.d outside the web directory. So, while the directory</SPAN></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">permissions are wide open, they are harder to access. Additionally, I</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">have a cron that keeps files 666. In an ecommerce context, I would</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">think security demands moving wiki.d out of the web directory.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Anything less in this day-and-age is tantamount to reckless behavior</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">(i.e. knew the risk but ignored it).</DIV></BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; ">666 will not stop someone who has legitimate business on your server from illegitimately trasversing your user directories. I wasn't talking about the risk of accessibility of files to the web, but of files to your fellow-server-users in this day and age where some people are running on shared hosting servers.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR class="khtml-block-placeholder"></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; ">Many hosting services expel people who do such things. Some people aren't afraid of expulsion.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR class="khtml-block-placeholder"></DIV><BLOCKQUOTE type="cite"> <BLOCKQUOTE type="cite"></BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">The</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">pain ends in December.</DIV></BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; ">The best of luck!!</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR class="khtml-block-placeholder"></DIV><BLOCKQUOTE type="cite"> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">If the variable is stored IN the page text see note above about 777</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">permissions.</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Agreed, which is why I recommend moving wiki.d out and croning page</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">permissions to 666. For what it's worth, I had a PmWiki running with a</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">named PHP calendar program on a web server that had a non-hardened</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">kernel. That site was hacked---because of the calendar program. Pm is</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">pretty hard-core about fixing security issues as he becomes aware of</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">them.</DIV></BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; ">As long as the files are in a directory that people can get in -- required for the webserver to find the files -- people can find your directory and look at your text. Just not directly via the web. They can do it indirectly via the same web server you use, or by FTP change directories until they're in your directory. (Chrooted users being an exception, but I've seen webhosts NOT set up CHROOTed.)</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR class="khtml-block-placeholder"></DIV><BLOCKQUOTE type="cite"> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">While not everyone has MySQL or other databases, there is a good</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">reason for them, especially in these contexts.<SPAN class="Apple-converted-space"> </SPAN>On a shared hosting</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">server you can't have files in the directory that are readable/</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">writable ONLY by the webserver or you can't clean your own webfiles.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">You can't add yourself to the webserver group (which I do on my own</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">servers so I can 770 or 660...)</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I'm not saying _don't_ go mySQL, but as PmWiki is file-based, it would</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">be nice to have an ecommerce recipe that fit in with file-base. <BR></DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I never said to put the products in mysql. Just the user info.</DIV><BR><BLOCKQUOTE type="cite"><BLOCKQUOTE type="cite"></BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">When talking plaintext/cyphertext, we're talking a function of the web</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">server, right? Again, I assume any ecommerce project would imploy SSL.</DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV><DIV>It's actually not really needed. In the case of a service like PayPal, the user doesn't even need to log in to your site or give you shipping info -- PayPal can email that info to you when the order is completed. -- just match the order number to the invoice and shipping info.</DIV><BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">When talking user pages, isn't that also a matter of security? I mean,</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">anybody could code an ecommerce mySQL project that allows customer</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">87623 to view customer 8675309 by changing the query string.<BR></DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV><DIV>In theory, unless they check authentication for each transaction.</DIV><BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "> It's when</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">you add a checksum that says that only customer 8675309 (or an</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">administrator) can view that customer's information that security is</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">added.[1] We reach the same degree of security via PmWiki by setting</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">the read, edit and admin variables of a page, and moving wiki.d out of</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">the web directory. (Also, mySQL AuthUser to better manage hundreds of</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">users.)</DIV></BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; ">I didn't care as much about orders as customer info -- or customer info tagged to the order...for all those adult novelty stores that are certain to crop up out of PmWiki's shopping cart system ;) (j/k)</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR class="khtml-block-placeholder"></DIV><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I once queried how to set it up so that group permissions are based on</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">the user's name. Thus, user BenWilson could have a group BenWilson</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">were page default permissions are restricted to him. Then, I could</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">open up the wiki to my school's student body. It should be no small</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">feat to do the same for a user.</DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV><DIV>That there FastData thing might work for something like this. Maybe. That would be nice.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Actually maybe you can do it via config.php with something like (clean up as needed):</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>if (($Group != Site Main PmWiki (etc) ) && ($Author == $Group)) {</DIV><DIV>$DefaultPasswords['edit'] = "id=$Author";</DIV><DIV>} else {</DIV><DIV>$DefaultPasswords['edit'] = "@admins";</DIV><DIV>}</DIV><DIV>or does that open up a security problem. Maybe preceeded by a if stating !Site !Main !PmWiki etc.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">[1]: Why is the ID 8675309? Think of the song . . . "Jenny, Jenny, who</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">should I turn to? 8-6-7-5-3-0-nai-e-ain." Okay, maybe you only get it</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">if you were in your teens or tweens in the early 80s.</DIV></BLOCKQUOTE></DIV><BR><DIV>I'm young enough to remember that. Then again, my kids may even know it :P</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Crisses</DIV><DIV><BR class="khtml-block-placeholder"></DIV><BR></BODY></HTML>