[pmwiki-devel] Help with understanding an authentication problem
John Rankin
john.rankin at affinity.co.nz
Fri May 29 00:09:30 CDT 2009
On Thursday, 28 May 2009 7:42 PM, Oliver Betz <list_ob at gmx.net> wrote:
>john.rankin at affinity.co.nz wrote:
>
>[...]
>>
>>With my current problem, it is a server doing the requesting,
>>and in this particular case it is not being allowed to access the
>>wiki. Although it has a static address, you are correct about the
>
>...and it will also have a reverse DNS entry. This makes things much
>simpler.
>
>>dynamic IP address case. Peter's suggested approach can satisfy
>>this, if the dynamic address can be expressed as a regular
>>expression; at least, I think that's the case.
>
>I don't think so. You need gethostbyname() to get the address from the
>host name. And you need to call gethostbyname() for each entry in your
>list so this might get expensive.
In my case I don't need to look up the host name, as I know
the IP address of the hosting service's proxy server, which
is issuing the http request to the wiki server. So if the
wiki server sees a request from that IP address, we need to
have pmwiki grant the request read access to the wiki.
>
>[...]
>
>>Eemeli Aro suggested a related approach some time ago,
>>for when the IP address is known, although it doesn't seem
>>to work in my current case:
>>
>>/*
>>  To use, put the following in your SiteAdmin.AuthUser file:
>>    ip: username ip-address
>>*/
>>$AuthUserFunctions['ip'] = 'AuthUserIP';
>>function AuthUserIP($pagename, $id, $pw, $pwlist) {
>>  $i = '';
>>  foreach ( (array)$pwlist as $d ) {
>>    if ($d==$id) { $i = $d; continue; }
>>    if ( $i && ( $_SERVER['REMOTE_ADDR'] == $d ) ) return true;
>>  }
>>  return false;
>>}
>
>I can't assign certain auth levels / ids with this approach,
>can I?
You can, but not directly. In local/config.php, add a line
of the form
    $DefaultPasswords['edit'] = "id:username";
where username is the user name associated with the IP
address listed on SiteAdmin.AuthUser. See PmWiki/AuthUser.
However, on closer inspection of scripts/authuser.php, I
now see that this approach is not going to work as written,
since the $AuthUserFunctions are only called when both
$_POST['authuser'] and $_POST['authpw'] are set. What we
want to do is authorise the request without a username and
password, based on the IP address of the requestor.
>
>>Perhaps the DNSallow recipe can use a similar approach?
>
>DNSallow was only a sample page name. The recipe page is
>Cookbook/DNSauth.
My mistake; I meant DNSauth.
>
>I don't understand what you want to express by "Perhaps the DNSallow
>recipe can use a similar approach".
I'll use a modified form of Peter's code as an illustration of
how I think it might work (untested):
    $AuthFunction = 'IPAuthFunction';
    # allow read access from one known IP address
    $PrivilegedIP = array('90\.91\.92\.93');
    $IPPrivileges = array('read');
    function IPAuthFunction($pagename, $level, $authprompt, $since)
    {
      global $PrivilegedIP, $IPPrivileges;
      # only the levels listed in $IPPrivileges can be granted by address
      if (in_array($level, $IPPrivileges))
        foreach ($PrivilegedIP as $ip)
          if (preg_match("/^$ip$/", $_SERVER['REMOTE_ADDR']))
            return ReadPage($pagename, $since);
      # everything else goes through the standard PmWiki check
      return PmWikiAuth($pagename, $level, $authprompt, $since);
    }
The pmwiki.php script calls $AuthFunction from RetrieveAuthPage
and returns the contents of the page, if authorised to do so.
Could a similar approach work in the case of authenticating
against a dynamic DNS entry?
JR
--
John Rankin
Affinity Limited
T 64 4 495 3737
F 64 4 473 7991
021 RANKIN
john.rankin at affinity.co.nz
www.affinity.co.nz
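
Added example, not part of the original message and not PmWiki code: the address check discussed in this thread, done by comparing parsed addresses instead of regular expressions, with host-name entries (the dynamic DNS case) resolved by a forward lookup. The function names, the injected `$resolve` callable and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example; ip_allowed(), prefix_equal() and $resolve are hypothetical names.

/** True if $remote matches an entry: a literal IP, a CIDR block, or a host name. */
function ip_allowed(string $remote, array $entries, callable $resolve): bool {
    $addr = @inet_pton($remote);
    if ($addr === false) return false;                  // not a valid IP: deny
    foreach ($entries as $entry) {
        if (strpos($entry, '/') !== false) {            // CIDR block
            [$net, $bits] = explode('/', $entry, 2);
            $netbin = @inet_pton($net);
            if ($netbin === false || !ctype_digit($bits)) continue;
            // skip entries of the other address family or with an oversized prefix
            if (strlen($netbin) !== strlen($addr)) continue;
            if ((int)$bits > 8 * strlen($addr)) continue;
            if (prefix_equal($addr, $netbin, (int)$bits)) return true;
        } elseif (($bin = @inet_pton($entry)) !== false) {
            if ($bin === $addr) return true;            // literal address, exact match
        } else {                                        // host name: forward lookup
            $ips = $resolve($entry) ?: [];              // lookup failure means no match
            foreach ($ips as $ip) {
                if (@inet_pton($ip) === $addr) return true;
            }
        }
    }
    return false;
}

/** Compare the first $bits bits of two packed addresses of equal length. */
function prefix_equal(string $a, string $b, int $bits): bool {
    $bytes = intdiv($bits, 8);
    if (substr($a, 0, $bytes) !== substr($b, 0, $bytes)) return false;
    $rem = $bits % 8;
    if ($rem === 0) return true;
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($a[$bytes]) & $mask) === (ord($b[$bytes]) & $mask);
}

// Constructed sample data: documentation addresses and a stubbed resolver.
$dns     = ['proxy.example.net' => ['198.51.100.7']];
$resolve = fn(string $host): array => $dns[$host] ?? [];
$allow   = ['192.0.2.10', '203.0.113.0/24', 'proxy.example.net'];
$seen    = ['192.0.2.10', '192.0.2.100', '203.0.113.77', '198.51.100.7', '198.51.100.8'];
foreach ($seen as $ip) {
    printf("%-14s %s\n", $ip, ip_allowed($ip, $allow, $resolve) ? 'allow' : 'deny');
}
```

With a live resolver such as PHP's `gethostbynamel`, every host-name entry costs a lookup per request, so results are worth caching. A host-name entry also extends trust to whoever controls that DNS record.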