[pmwiki-devel] Login and function PmWikiAuth
marc
gmane at auxbuss.com
Thu Jan 11 14:26:31 CST 2007
marc said...
> marc said...
> > marc said...
> > > Patrick R. Michaud said...
> > > > On Wed, Dec 20, 2006 at 06:47:53PM -0000, marc wrote:
> > > > > marc said...
> > > > > > Hi,
> > > > > >
> > > > > > I prefer to use a login form in the sidebar - just username and password
> > > > > > - along with authuser and authuserdb. This works fine except when an
> > > > > > invalid login occurs. In this case $AuthPromptFmt is opened in the main
> > > > > > page.
> > > > > >
> > > > > > This looks a bit odd, because there are then two login prompts on the
> > > > > > page: one in the sidebar and one on the main page.
> > > > > >
> > > > > > What I am trying to achieve is to retain the main page unchanged, and
> > > > > > simply report login/page access errors in the sidebar form.
> > > > > >
> > > > > > I can see that this is handled by the last lines of PmWikiAuth(), but
> > > > > > can't think of a way to change this in situ to do what I want.
> > > > > >
> > > > > > Is the best way to copy PmWikiAuth() with appropriate changes, and point
> > > > > > to it via $AuthFunction? Or, more likely, am I way off base?
> > > > >
> > > > > <bump>
> > > > >
> > > > > Please let me know if I've not explained the issue well enough.
> > > >
> > > > It's explained well enough -- I don't have a quick answer (but
> > > > I'm thinking about it).
> > > >
> > > > It seems as though putting
> > > >
> > > > (:redirect {*$FullName}:)
> > > >
> > > > into Site.AuthForm might get pretty close -- i.e., whenever
> > > > someone requests a protected action, it returns them to the
> > > > 'view' of the page. But I'm not sure how to get a login/page access
> > > > error message into the sidebar in that case.
> > >
> > > By replacing Site.AuthForm with
> > >
> > > (:redirect {*$FullName}:)
> > >
> > > oddly, the text of the markup is displayed, e.g.
> > >
> > > (:redirect Testing.AdminOnlyPage:)
> > >
> > > rather than it being actioned. Same effect when I change the redirect
> > > to, say:
> > >
> > > (:redirect Main.HomePage:)
> > >
> > > Although, in this case, when I go to Site.AuthForm, I am redirected.
> >
> > Any further ideas how to fix this?
> >
> > When combined with another issue I reported on the other list[1], I'm
> > wondering whether I should rewrite the login handler[2].
> >
> > [1]
> > In many places on pages with non-user-editable text, I want:
> > (:if ! auth admin:)(:noaction:)(:ifend:)
> > This works fine in local/Site.php and other places. However, when
> > authorisation is required and the login form appears, I can't find a
> > way to stop PageActions from being displayed. Is this possible?
> >
> > [2]
> > $HandleActions['login'] = 'HandleLoginA';
> >
> > function HandleLoginA($pagename, $auth = 'login') {
> >   global $AuthId, $DefaultPasswords;
> >   unset($DefaultPasswords['admin']);
> >   # prompt if no password was posted or the posted id differs from $AuthId
> >   $prompt = @(!$_POST['authpw'] || ($AuthId != $_POST['authid']));
> >   $page = RetrieveAuthPage($pagename, $auth, $prompt,
> >     READPAGE_CURRENT);
> >   Redirect($pagename);
> > }
> >
> > Are there any obvious gotchas that I need to avoid while doing this that
> > anyone can point out? Thanks.
>
> Hmmm! I'm a bit stuck here. The failed logins hit the exit() at the end
> of PmWikiAuth, while a successful login returns from the above
> RetrieveAuthPage and thus completes the Redirect(). So, there doesn't
> seem to be anything obvious I can do here. And I would prefer not to
> have to hack PmWikiAuth(); it being fairly central to things.
>
> One idea is to replace exit() in PmWikiAuth with:
>
>   if ($level == 'login')
>     return false;
>   else
>     PrintFmt($pagename,$AuthPromptFmt);
>   exit;
>
> Perhaps then the login handler could be something like:
>
> $HandleActions['login'] = 'HandleLoginAux';
> function HandleLoginAux($pagename, $auth = 'login') {
>   global $AuthId, $DefaultPasswords, $HandleActions;
>   $fn = $HandleActions['browse'];
>   unset($DefaultPasswords['admin']);
>   $prompt = @(!$_POST['authpw'] || ($AuthId != $_POST['authid']));
>   if (! $page = RetrieveAuthPage($pagename, $auth, $prompt,
>       READPAGE_CURRENT))
>     $GLOBALS['InvalidLogin'] = 1; # to display messages
>   return $fn($pagename);
> }
>
> This is nothing more than a nasty hack, though; although, it mostly
> works. One big problem is that permissions are not updated until a move
> is made to another page. More hacking could fix that, I guess, but I'm
> sure there must be a better way.
>
> It also means that $AuthPromptFmt is displayed when someone tries to
> access a page for which they need additional permissions. But I can live
> with that behaviour in that context.
>
> In addition, it solves the
> (:if ! auth admin:)(:noaction:)(:if:)
> problem - albeit by avoiding the problem page. (I would still like to fix
> this, though, since it still appears when someone tries to access a page
> for which they need additional permissions, and I don't want it there.)
<bump>
--
Cheers,
Marc