[Pmwiki-users] Easily Hackable?

H. Fox haganfox
Sat Apr 3 12:53:47 CST 2004


Patrick R. Michaud wrote:
> On Wed, Mar 31, 2004 at 07:47:14PM -0800, Greg Morgan wrote:
> 
> Finally, note that PmWiki doesn't *require* the use of shared passwords--
> a wiki admin can easily set up an array of passwords--say, one per author--
> which makes it possible to revoke passwords without having to tell the
> rest of the group about a new password.

This almost sounds like group support, which brings a question to mind: 
If htaccess capability were added to pmwiki, could htgroup support be 
added also, perhaps not right away, but eventually?  From the Apache manual:

      The format of the group file is exceedingly simple.
      A group name appears first on a line, followed by a
      colon, and then a list of the members of the group,
      separated by spaces. For example:

       authors: rich daniel allan

Some sites are already using this, so if PmWiki can read the .htgroup 
file and make use of it, group memberships would be kept in a single 
place (or at least one less place).

A page or WikiGroup might then be able to have permissions by UserGroup 
(such as "authors" above) as well as by individual author.

>>    3. There's no relation between the password used and the Author of a
>>       given page.  (i.e. It would be pretty easy to make a change to a
>>       page and for the Author put in your name or Pm's.  Unless you were
>>       familiar with what IP address Pm posts from, you wouldn't be able
>>       to tell)

Not necessarily.

With the .htaccess method I posted a few days ago, authorship can be forced.

<Adds a single line to config.php.  Grins because it was so easy.>

Here, try it for yourself:

http://www.cis-dept.com/support/yta46tbs/index.php/Main/WikiSandbox
username: wikiuser
password: wiki

> This is also not normally a problem in the context of web site maintenance.
> Generally there are going to be a small number of authors, and for an
> official/commercial site those people are (almost by definition) trusted.

And I might add that the small number of authors are probably not 
altering the public site directly.

Site development is ideally done on a development server, which will be 
password-protected and/or on a protected subnet (i.e. behind a 
firewall).  When content is ready and tested (and, in some cases, 
"approved"), it's published onto the production server.

Of course, with PmWiki this would be very easy to do.

Hagan
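To make the .htgroup idea above concrete, here is an added illustration (not PmWiki code, and not part of the original thread) of reading the Apache group-file format quoted from the manual, checking a page's permission list against it, and taking the recorded author from the web server's authenticated REMOTE_USER rather than from a field the client fills in. The "@group" convention for naming an htgroup in a permission list is an assumption made for the example.

```python
"""Read an Apache .htgroup file and use it for per-page edit permissions."""

# Constructed sample in the format quoted from the Apache manual:
# a group name, a colon, then the members separated by spaces.
SAMPLE_HTGROUP = """\
# group: members (one group per line)
authors: rich daniel allan
editors: daniel
"""


def parse_htgroup(text):
    """Return {group_name: set(members)} from .htgroup text.

    Blank lines and '#' comments are skipped.  A line with no colon is
    rejected instead of silently ignored, so a typo in the file cannot
    quietly drop a group and its permissions.  A group listed twice has
    its member lists merged.
    """
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'group: member member ...'")
        name, members = line.split(":", 1)
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def is_member(groups, user, group):
    """True if user is listed in group (unknown group => no members)."""
    return user in groups.get(group, set())


def may_edit(groups, user, allowed):
    """Decide edit access for an authenticated user.

    allowed: principals for the page or WikiGroup; a plain name is one
    author, '@name' (assumed convention) is an htgroup.  No REMOTE_USER
    means the request was not authenticated and is always denied.
    """
    if user is None:
        return False
    for principal in allowed:
        if principal.startswith("@") and is_member(groups, user, principal[1:]):
            return True
        if principal == user:
            return True
    return False


def forced_author(environ):
    """Author recorded for an edit: the server-authenticated REMOTE_USER,
    never a name the client typed into an Author field."""
    return environ.get("REMOTE_USER")
```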
