[Pmwiki-users] Authentication

J. Perkins jason
Wed Jun 16 17:55:31 CDT 2004


Giving some thought to authentication for nested pages, but had some 
comments about the topic in general...

I believe that the process should be split up into three parts:

(1) Identification - getting the user ID and/or password
(2) Authentication - making sure ID is valid
(3) Authorization  - determining if user has sufficient rights

For instance I might have (1) a logon form with username and password 
fields, (2) code to check the fields against a database table, and (3) a 
list of users who are allowed to edit the current page. If I want to 
read my user list from a file instead of a database, I only have to swap 
out (2), reusing (1) and (3). If I want to automatically grab the user 
name using NTLM or some other scheme, I only have to replace (1).

I think the core wiki (pmwiki.php) should not contain any built-in 
scheme, instead delegating to addons. Security support in the core file 
can be reduced to:

   if (isset($AuthFunction))
     $AuthFunction($pagename, $action);

...called right before '$HandleAction[$action]' and returning if 
successful or calling 'exit;' if authorization fails.

This makes the system considerably more flexible and separates the 
question of "how do I manage users" from "how do I manage access", as 
well as increasing the possibilities for reuse.

I have some ideas on how each of these parts might be implemented, but 
what it comes down to is that there is no one solution that will work 
for everyone. In fact, I am increasingly of the opinion that there 
should not be a default authentication scheme.

Jason
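
The three-part split described in the message above, as an added example that is not part of the original post or of PmWiki's code: each stage is a separate callable, so swapping the user store or the credential source touches one stage only, and any request that is not explicitly authorized ends in `exit`. Every name other than `$AuthFunction`, `$pagename` and `$action` is hypothetical, and the user store, page list and action names are constructed sample data.

```php
<?php
// Added example, not from the original post. Every name except
// $AuthFunction, $pagename and $action is hypothetical.

// (1) Identification: collect the claimed ID and password (HTTP Basic here).
$Identify = function () {
    if (!isset($_SERVER['PHP_AUTH_USER'])) return null;
    $pw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
    return array($_SERVER['PHP_AUTH_USER'], $pw);
};

// (2) Authentication: check the claim against a user store (constructed sample).
$UserStore = array('alice' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT));
$DummyHash = password_hash('unused', PASSWORD_DEFAULT);
$Authenticate = function ($id, $pw) use ($UserStore, $DummyHash) {
    $known = isset($UserStore[$id]);
    // Unknown users are verified against a dummy hash so timing stays similar.
    return password_verify($pw, $known ? $UserStore[$id] : $DummyHash) && $known;
};

// (3) Authorization: per-page, per-action user lists (constructed sample).
$PageAcl = array('Main.HomePage' => array('edit' => array('alice')));
$Authorize = function ($id, $pagename, $action) use ($PageAcl) {
    if ($action === 'browse') return true;           // reading is public here
    return $id !== null
        && isset($PageAcl[$pagename][$action])
        && in_array($id, $PageAcl[$pagename][$action], true);
};

// The hook the core would call: returns if allowed, exits otherwise.
$AuthFunction = function ($pagename, $action) use ($Identify, $Authenticate, $Authorize) {
    $claim = $Identify();
    $id = ($claim !== null && $Authenticate($claim[0], $claim[1])) ? $claim[0] : null;
    if ($Authorize($id, $pagename, $action)) return;
    if ($id === null) {                              // not identified or bad password
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Basic realm="wiki"');
    } else {                                         // known user, insufficient rights
        header('HTTP/1.1 403 Forbidden');
    }
    exit;
};

// Core-side call as written in the post, with constructed sample values.
$pagename = 'Main.HomePage';
$action = 'browse';
if (isset($AuthFunction))
    $AuthFunction($pagename, $action);
echo "allowed: $action on $pagename\n";
```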




