[pmwiki-devel] Help with understanding an authentication problem
John Rankin
john.rankin at affinity.co.nz
Mon May 25 16:46:00 CDT 2009
On Sunday, 24 May 2009 7:40 PM, Peter Bowers <pbowers at pobox.com> wrote:
>On Sun, May 24, 2009 at 1:53 AM, John Rankin <john.rankin at affinity.co.nz> wrote:
> It seems to me that we ought to be able to define a custom
> $AuthFunction that checks the IP address of the requestor,
> rather than asking for a username and password. Then the
> custom auth function can authenticate the request based on
> the fact that it comes from an IP address pmwiki trusts.
> It may have to grant "admin" rights, especially where the
> request is retrieving multiple pmwiki pages.
>
>
>Something along these lines might work (UNTESTED - basically
>just making a wrapper for PmWikiAuth())...

The logic looks good -- I made a couple of suggestions below,
the main one being only to authenticate for the actions we
expect from the wikibook pdf server. We also need $action
as a global variable.

Gustav, could you test this and if it works, we'll add it as
a Wikipublisher recipe.

>
>$AuthFunction = 'MyAuthFunction';
>$PrivilegedIP = array('/^100\.100\.100\.[0-9]*$/',
>                      '/^89\.90\.91\.92$/');
>
>function MyAuthFunction($pagename, $level, $authprompt, $since)
>{
>    global $PrivilegedIP;
>    if (!in_array($action, array('edit', 'attr')))
>        foreach ($PrivilegedIP as $IPPat)
>            if (preg_match($IPPat, $_SERVER['REMOTE_ADDR']))
>                return true;
>    return PmWikiAuth($pagename, $level, $authprompt, $since);
>}
>

$AuthFunction = 'MyAuthFunction';
## test the IP address of the wikipublisher.org proxy server
$PrivilegedIP = array('202\.160\.116\.36');

function MyAuthFunction($pagename, $level, $authprompt, $since)
{
    global $PrivilegedIP, $action;
    if (in_array($action, array('print', 'publish', 'browse')))
        foreach ($PrivilegedIP as $IPPat)
            if (preg_match("/^$IPPat$/", $_SERVER['REMOTE_ADDR']))
                return true;
    return PmWikiAuth($pagename, $level, $authprompt, $since);
}

This way, if something fakes the IP address, it only gets
read access. It's possible that the action check could be
replaced by:
if ($level=='read') ...
JR
--
John Rankin
Affinity Limited
T 64 4 495 3737
F 64 4 473 7991
021 RANKIN
john.rankin at affinity.co.nz
www.affinity.co.nz
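
The `$level=='read'` variant mentioned at the end of the message, written out as an added example that is not part of the original post or of any Wikipublisher recipe. `TrustedIPAuth` and `IsPrivilegedIP` are hypothetical names; the example assumes PmWiki's `ReadPage()` and that callers use the auth function's return value as the page array, and it compares addresses exactly instead of by regex.

```php
<?php
// Added example for local/config.php; not code from the thread.
$AuthFunction = 'TrustedIPAuth';            // hypothetical function name
$PrivilegedIP = array('202.160.116.36');    // address given in the message

// Hypothetical helper: true only when $addr is a valid IP literal equal to
// an allowlist entry. Comparing inet_pton() output avoids regex quoting and
// anchoring mistakes and rejects empty or malformed input.
function IsPrivilegedIP($addr, $allowed) {
  $packed = @inet_pton((string)$addr);
  if ($packed === false) return false;
  foreach ($allowed as $ip)
    if (@inet_pton($ip) === $packed) return true;
  return false;
}

function TrustedIPAuth($pagename, $level, $authprompt = true, $since = 0) {
  global $PrivilegedIP;
  // Gate on the requested privilege, not on $action: anything above 'read'
  // (edit, attr, upload, admin) always goes through the normal password checks.
  $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
  if ($level == 'read' && IsPrivilegedIP($addr, $PrivilegedIP)) {
    // Assumption: callers use the return value as the page array, as they do
    // with PmWikiAuth(), so return the page itself rather than true.
    $page = ReadPage($pagename, $since);
    if ($page) return $page;
  }
  return PmWikiAuth($pagename, $level, $authprompt, $since);
}
```

`$_SERVER['REMOTE_ADDR']` is the address of the TCP peer, so if the wiki itself sits behind a reverse proxy this check sees that proxy's address for every request.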