[Pmwiki-users] PmWiki password puzzles
Alexandre Courbot
Alexandre.Courbot
Mon Aug 30 08:26:26 CDT 2004
>>*** Q1: Any one have comments in favor of or against switching to
>>session-based authentication as the default?
>
>
> Seems like a good optimization for the common case.
I think so too. I've just set up the devel version of PmWiki to start a new
site, and unfortunately I'm in the case where I can't use HTTP-based
authentication. And I don't have a sessionauth script with this version.
Anyway, using session-based authentication by default is not really
likely to bother people (and if it does, they should be able to include
an httpauth script).
>> 1. Leave things as they are--someone wanting to avoid the
>> alternating edit+read password problem in pages would then set
>> the edit password in both the edit and read password fields.
>> 2. Have the system assume that a person who knows the edit or
>> attribute password is automatically given read permission to a
>> page without having to explicitly enter or know the read
>> password.
>> 3. Have the system cache all of the passwords that have been entered
>> during a browser session, and test each page request against the
>> set of passwords (so that a user would only have to enter each
>> unique password once per browsing session).
>>
>>*** Q2: But my question is, what should be PmWiki's "default" setup in
>>the distributed version?
>
>
> #2 and #3.
#2 is good IMO, since the levels are inclusive. #3 might allow a user to
have access to a page he shouldn't, if by chance they have the same
password (even though the user doesn't know it).
Alex.
--
Alexandre Courbot
PhD Student - LIFL/RD2P
http://www.lifl.fr/~courbot/
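
The concern about option 3 in the message above, as an added example that is not part of the original post and is not PmWiki code: a model of inclusive levels (option 2) and a session password cache (option 3), with a per-page grant cache for contrast that the thread does not propose. The page names, passwords, class names and the rule that a level with no password is open are all assumptions made for the illustration.

```python
import hashlib
import hmac

LEVELS = ["read", "edit", "attr"]  # assumed ordering: later levels include earlier ones

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def make_page(name, **passwords):
    # Constructed page record: level -> salted hash (page name as salt, for brevity).
    return {"name": name, "pw": {lvl: _hash(p, name) for lvl, p in passwords.items()}}

def password_grants(page, password, level):
    # Option 2: the password for `level` or any higher level grants `level`.
    candidate = _hash(password, page["name"])
    return any(lvl in page["pw"] and hmac.compare_digest(page["pw"][lvl], candidate)
               for lvl in LEVELS[LEVELS.index(level):])

class PasswordCacheSession:
    # Option 3: every password entered is retried against every later request.
    def __init__(self):
        self.entered = set()

    def enter(self, page, password):
        self.entered.add(password)  # `page` is ignored: the cache is global

    def allowed(self, page, level):
        if level not in page["pw"]:
            return True  # assumption: a level with no password is open
        return any(password_grants(page, pw, level) for pw in self.entered)

class PageGrantSession:
    # Contrast (not proposed in the thread): remember which page a password
    # unlocked, not the password itself.
    def __init__(self):
        self.grants = set()

    def enter(self, page, password):
        for level in LEVELS:
            if level in page["pw"] and password_grants(page, password, level):
                self.grants.add((page["name"], level))

    def allowed(self, page, level):
        return level not in page["pw"] or (page["name"], level) in self.grants

# Constructed pages: B's read password happens to equal A's edit password.
PAGE_A = make_page("Main.A", read="alpha", edit="bravo")
PAGE_B = make_page("Main.B", read="bravo")
```

Entering "bravo" to edit `PAGE_A` also opens `PAGE_B` for reading under `PasswordCacheSession`, while `PageGrantSession` still prompts for `PAGE_B`.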