[Pmwiki-users] Easily Hackable?
H. Fox
haganfox
Sat Apr 3 12:53:47 CST 2004
Patrick R. Michaud wrote:
> On Wed, Mar 31, 2004 at 07:47:14PM -0800, Greg Morgan wrote:
>
> Finally, note that PmWiki doesn't *require* the use of shared passwords--
> a wiki admin can easily set up an array of passwords--say, one per author--
> which makes it possible to revoke passwords without having to tell the
> rest of the group about a new password.
This almost sounds like group support, which brings a question to mind:
If htaccess capability were added to pmwiki, could htgroup support be
added also, perhaps not right away, but eventually? From the Apache manual:

    The format of the group file is exceedingly simple.
    A group name appears first on a line, followed by a
    colon, and then a list of the members of the group,
    separated by spaces. For example:

    authors: rich daniel allan

Some sites are already using this, so if PmWiki can read the .htgroup
file and make use of it, group memberships would be kept in a single
place (or at least one less place).
A page or WikiGroup might then be able to have permissions by UserGroup
(such as "authors" above) as well as by individual author.
>> 3. There's no relation between the password used and the Author of a
>> given page. (i.e. It would be pretty easy to make a change to a
>> page and for the Author put in your name or Pm's. Unless you were
>> familiar with what IP address Pm posts from, you wouldn't be able
>> to tell)
Not necessarily.
With the .htaccess method I posted a few days ago, authorship can be forced.
<Adds a single line to config.php. Grins because it was so easy.>
Here, try it for yourself:
http://www.cis-dept.com/support/yta46tbs/index.php/Main/WikiSandbox
username: wikiuser
password: wiki
> This is also not normally a problem in the context of web site maintenance.
> Generally there are going to be a small number of authors, and for an
> official/commercial site those people are (almost by definition) trusted.
And I might add that the small number of authors are probably not
altering the public site directly.
Site development is ideally done on a development server, which will be
password-protected and/or on a protected subnet (i.e. behind a
firewall). When content is ready and tested (and, in some cases,
"approved"), it's published onto the production server.
Of course, with PmWiki this would be very easy to do.
Hagan
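
The group-file idea discussed in this message, sketched as an added example (not part of the original post and not PmWiki code): a PHP parser for the Apache group-file format quoted from the manual, with a membership check that denies by default. The function names `parse_htgroup()` and `user_in_group()` are hypothetical, and the sample file and user names are constructed.

```php
<?php
// Added example. parse_htgroup() and user_in_group() are hypothetical names,
// not PmWiki functions.

/** Parse group-file text into ['group' => ['member' => true, ...], ...]. */
function parse_htgroup(string $text): array
{
    $groups = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue; // blank line or comment
        }
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2 || trim($parts[0]) === '') {
            continue; // malformed line grants nothing
        }
        $name = trim($parts[0]);
        $members = preg_split('/\s+/', trim($parts[1]), -1, PREG_SPLIT_NO_EMPTY);
        foreach ($members as $member) {
            $groups[$name][$member] = true; // repeated group lines accumulate
        }
    }
    return $groups;
}

/** Fail closed: empty user, unknown group or non-member is denied. */
function user_in_group(array $groups, ?string $user, string $group): bool
{
    if ($user === null || $user === '') {
        return false;
    }
    return isset($groups[$group][$user]); // exact, case-sensitive match
}

// Constructed sample; the first group line is the one quoted from the Apache manual.
$sample = <<<TXT
# constructed sample group file
authors: rich daniel allan
editors: rich
authors: erin
TXT;

$groups = parse_htgroup($sample);
// In deployment the name would come from $_SERVER['REMOTE_USER'] after Apache
// has authenticated the request; these users are constructed.
foreach (['daniel', 'erin', 'Daniel', ''] as $user) {
    printf("%-8s authors: %s\n", "'$user'", user_in_group($groups, $user, 'authors') ? 'yes' : 'no');
}
```

With the constructed sample, `daniel` and `erin` are members of `authors`, while `Daniel` (wrong case) and the empty user name are denied.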