[pmwiki-devel] Login and function PmWikiAuth

marc gmane at auxbuss.com
Sat Jan 6 11:40:28 CST 2007 

marc said...
> marc said...
> > Patrick R. Michaud said...
> > > On Wed, Dec 20, 2006 at 06:47:53PM -0000, marc wrote:
> > > > marc said...
> > > > > Hi,
> > > > > 
> > > > > I prefer to use a login form in the sidebar - just username and password 
> > > > > - along with authuser and authuserdb. This works fine except  when an 
> > > > > invalid login occurs. In this case $AuthPromptFmt is opened in the main 
> > > > > page.
> > > > > 
> > > > > This look a bit odd, because there are then two login prompts on the 
> > > > > page: one in the sidebar and one on the main page.
> > > > > 
> > > > > What I am trying to achieve is to retain the main page unchanged, and 
> > > > > simply report login/page access errors in the sidebar form.
> > > > > 
> > > > > I can see that this is handled by the last lines of PmWikiAuth(), but 
> > > > > can't think of a way to change this in situ to do what I want.
> > > > > 
> > > > > Is the best way to copy PmWikiAuth() with appropriate changes, and point 
> > > > > to it via $AuthFunction? Or, more likely, am I way off base? 
> > > > 
> > > > <bump>
> > > > 
> > > > Please let me know if I've not explained the issue well enough. 
> > > 
> > > It's explained well enough -- I don't have a quick answer (but
> > > I'm thinking about it).
> > > 
> > > It seems as though putting 
> > > 
> > >     (:redirect {*$FullName}:)
> > > 
> > > into Site.AuthForm might get pretty close -- i.e., whenever
> > > someone requests a protected action, it returns them to the
> > > 'view' of the page.  But I'm not sure how to get a login/page access
> > > error message into the sidebar in that case.
> > 
> > By replacing Site.AuthForm with 
> > 
> >     (:redirect {*$FullName}:)
> > 
> > oddly, the text of the markup is displayed, e.g.
> > 
> >     (:redirect Testing.AdminOnlyPage:) 
> > 
> > rather than it being actioned. Same effect when I change the redirect 
> > to, say:
> > 
> >     (:redirect Main.HomePage:)
> > 
> > Although, in this case, when I go to Site.AuthForm, I am redirected.
> 
> Any further ideas how to fix this?
> 
> When combined with another issue I reported on the other list[1], I'm 
> wondering whether I should rewrite the login handler[2].
> 
> [1]
>   In many places on pages with non-user-editable text, I want:
>     (:if ! auth admin:)(:noaction:)(:ifend:)
>   This works fine in local/Site.php and other places. However, when
>   authorisation is required and the login form appears, I can't find a 
>   way to stop PageActions from being displayed. Is this possible?
> 
> [2]
>   $HandleActions = 'login' => 'HandleLoginB');
> 
>   function HandleLoginA($pagename, $auth = 'login') {
>     global $AuthId, $DefaultPasswords;
>     unset($DefaultPasswords['admin']);
>     $prompt = @(!$_POST['authpw'] || ($AuthId != $_POST['authid']));
>     $page = RetrieveAuthPage($pagename, $auth, $prompt, 
>             READPAGE_CURRENT);
>     Redirect($pagename);
>   }
> 
> Are there any obvious gotchas that I need to avoid while doing this that 
> anyone can point out? Thanks.

Hmmm! I'm a bit stuck here. The failed logins hit the exit() at the end 
of PmWikiAuth, while a successful login returns from the above 
RetrieveAuthPage and thus completes the Redirect(). So, there doesn't 
seem to be anything obvious I can do here. And I would prefer not to 
have to hack PmWikiAuth(); it being fairly central to things.

One idea is to replace exit() in PmWikiAuth with:

  if ($level == 'login')
    return false;
  else
    PrintFmt($pagename,$AuthPromptFmt);
  exit;

Perhaps then the login handler could be something like:

  $HandleActions['login'] = 'HandleLoginAux';
  function HandleLoginAux($pagename, $auth = 'login') {
    global $AuthId, $DefaultPasswords; $HandleActions;
    $fn = $HandleActions['browse'];
    unset($DefaultPasswords['admin']);
    $prompt = @(!$_POST['authpw'] || ($AuthId != $_POST['authid']));
    if (! $page = RetrieveAuthPage($pagename, $auth, $prompt, 
          READPAGE_CURRENT))
      $GLOBALS['InvalidLogin'] = 1; # to display messages
    return $fn($pagename);
  }

This is nothing more than a nasty hack, though; although, it mostly 
works. One big problem is that permissions are not updated until a move 
is made to another page. More hacking could fix that, I guess, but I'm 
sure there must be a better way.

It also means that $AuthPromptFmt is displayed when someone tries to 
access a page for which they need additional permissions. But I can live 
with that behaviour in that context.

In addition, it solves the
  (:if ! auth admin:)(:noaction:)(:if:)
problem - albeit by avoiding the problem page. (I would still like fix 
this, though, since it still appears when someone tries to access a page 
for which they need additional permissions, and I don't want it there.)

Hope all that makes sense :-|

-- 
Cheers,
Marc

More information about the pmwiki-devel mailing list