[pmwiki-users] suggestion for improved password admin

Neil Herber nospam at mail.eton.ca
Sun Jan 23 19:11:02 CST 2005


I ran into a problem earlier today when trying to upload some pictures to 
my own PmWiki.

It has (I thought!) password protection on all pages for uploads and the 
upload link goes to a page called Guest.Uploads. This forces users to go to 
the Uploads page and read about how it works. On the Uploads page I have a 
password too, but it is revealed in a verbal captcha to keep spammers at bay.

Much to my surprise, I discovered that there was no "attr" password on that 
page, which means anyone could have gone in and altered the upload 
password. After some considerable difficulty, I think I have things 
protected the way I want.

The $64 question is, could the ATTR form be made a little more helpful? 
Right now, if I go to a group attributes page to check the attributes I see 
nothing but a blank form. I can't tell what is set and what is not. I had 
to use a text editor on the raw files to see what was going on.

Things would be a lot simpler if the form looked like this:

=========
Set new read password:  (box)  not set
Set new edit password:  (box)  not set
Set new attribute password:     (box)  *
Set new upload password:        (box)  set
===========

This indicates to me that on this page:
* the read and edit passwords are not set (nor are they set in config.php)
* the attribute password is picked up from config.php
* the upload password is set to some value here

This does not reveal any significant amount of information to a hacker, but 
it tells me a lot!

For instance, entering "clear" in the attribute password box will have no 
effect, because the attribute password comes from the config file. I have 
to enter "nopass" instead if I really want to have no password.

Could this change become part of PmWiki?

At the very least, the language at the top of the form should be changed. 
Currently it says:

>Enter new attributes for this page below. Leaving a field blank will leave 
>the attribute unchanged. To clear an attribute, enter 'clear'.

It should say:

Enter new passwords for this page in the form below. Leaving a field blank 
leaves the password unchanged. To clear a password, enter 'clear'. If the 
password is set by config.php, entering 'clear' does not work - use 
'nopass' instead to remove the password or enter a new password to override 
the one in config.php.



Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668 
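The precedence rules Neil describes (a blank box leaves a password unchanged, 'clear' drops the page-level value so a config.php default takes over again, 'nopass' overrides that default with no password) and the proposed "not set / * / set" status column, modelled as an added example that is not PmWiki's own code; the attribute names, the plain-text password values and the function names are assumptions for illustration, and real PmWiki stores hashed values rather than plain text.

```python
# Added example: model of PmWiki page-password attribute handling as
# described in the post. Not PmWiki's own code; names are assumptions.
CLEAR = "clear"    # form keyword: remove the page-level password
NOPASS = "nopass"  # stored value meaning "explicitly no password"
ATTRS = ("read", "edit", "attr", "upload")


def effective_password(page_attrs, config_defaults, attr):
    """Return (value, source) where source is 'page', 'config' or None.
    page_attrs mirrors what the page file stores; config_defaults mirrors
    what config.php sets (PmWiki's $DefaultPasswords array)."""
    if attr in page_attrs:
        return page_attrs[attr], "page"
    if attr in config_defaults:
        return config_defaults[attr], "config"
    return None, None


def password_required(page_attrs, config_defaults, attr):
    """True when a password must be supplied for this attribute."""
    value, _ = effective_password(page_attrs, config_defaults, attr)
    return value is not None and value != NOPASS


def status_label(page_attrs, config_defaults, attr):
    """Label for the status column of the proposed attribute form:
    'not set', '*' (picked up from config.php) or 'set' (set on this page).
    A page-level 'nopass' is shown as 'nopass' (an assumption; the post
    does not cover that case)."""
    value, source = effective_password(page_attrs, config_defaults, attr)
    if source == "page":
        return NOPASS if value == NOPASS else "set"
    if source == "config":
        return "*"
    return "not set"


def apply_form(page_attrs, form):
    """Apply the attribute form: {attr: entered text}. Returns new attrs.
    Blank entries leave the attribute unchanged; 'clear' removes the
    page-level value (so a config.php default is used again); anything
    else, including 'nopass', is stored on the page and overrides config."""
    updated = dict(page_attrs)
    for attr, entered in form.items():
        entered = entered.strip()
        if entered == "":
            continue
        if entered == CLEAR:
            updated.pop(attr, None)
        else:
            updated[attr] = entered
    return updated
```

With a constructed config default for 'attr' and a page-level 'upload' password, entering 'clear' in the attribute box leaves the config.php password in force, while 'nopass' removes the requirement, exactly the surprise the post describes.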