[pmwiki-users] Re: Read authority security bug with :include: in Site.SideBar (?)

Patrick R. Michaud pmichaud at pobox.com
Thu Nov 10 15:41:39 CST 2005


On Thu, Nov 10, 2005 at 10:28:23PM +1030, Duncan Grove wrote:
> Patrick R. Michaud wrote:
> >How about switching to authuser.php ...?  What features do you
> >need from userauth.php that authuser.php lacks?
>
> Just the sort of stuff listed at the bottom of 
> http://www.pmwiki.org/wiki/Cookbook/AuthUser ;-)
> 
> In particular userauth:
> 
> 1) has a nice (:loginform:)
> 2) has a ?action=pwchange form allowing users to change their passwords 
> themselves
> 3) has a web-based user-add/delete/change-password ?action=admin
> 4) seems (?) a little more configurable
> 5) allows me to specify a user's permissions all in one place rather 
> than in each page's/group's ?action=attr
> 
> #5 is the main one though. It's really nice to be able to just go to the 
> .htconf and just see/modify what permissions a particular user has (see 
> eg above) rather than having to trawl through a whole bunch of attr 
> pages to do that.

Okay, having had some time to brainstorm on this, here's my plan
for authuser.php.  See if you think this works for you...

First, everything that authuser.php does now it will continue to do
as it did before.

However, we'll also supply a wiki-based interface via a Site.AuthUser
page.  This page will be viewable only by the admin, and it will
provide an alternate mechanism for configuring the settings that
are currently being set via the $AuthUser array in local/config.php.

In addition, we'll introduce authentication groups, which will be
distinguished from usernames by a leading @.  Thus, an administrator
can define groups such as "@editors", "@admins", "@friends", and
use those in password specifications on pages.

In the Site.AuthUser page, the wikiadmin can indicate group membership
in two ways... by username or by group name.  Thus the line

    alice: @editors, @admins

says that username "alice" is a member of the @editors and @admins
groups, while the line

    @editors: alice, bob, carol

says that "alice", "bob", and "carol" are members of the @editors
group.  These specification formats can be used in any combination, 
and can be repeated, so that 

   @editors: alice, bob, carol
   @editors: dave, trent
   justin: @editors, @visitors

identifies six people in the @editors group.  This means that an admin
can organize things on a per-username or per-group basis (or both), 
whichever is most convenient for the particular application.  Also,
all of the group memberships are thus easily viewed and manipulated 
from a single page.

Within $DefaultPasswords, a GroupAttributes file, or a page's attributes,
one can specify either "group:@groupname" or "@groupname" to authorize
access to members of the corresponding group.  So, setting an edit
password of  "@editors id:pmichaud whitehorse"  on Misc.GroupAttributes
will allow editing by anyone in the @editors group, pmichaud, and those
who know the password "whitehorse".

Next, Site.AuthUser will also allow the admin to specify a wikipage
for storing passwords, similar to .htaccess.  By default this will likely
be Site.AuthUserPasswd, and it will also be viewable only by the admin.  
This page will probably also contain a form for adding new users and
changing/resetting passwords.  Of course, removing users is a simple
matter of editing the page and removing the unwanted entry.  
Eventually there will be a ?action=changepw that will allow non-admins
to set their own password (or recover from a lost password).

The "login form" is also completely customizable in 2.1.0, see 
http://www.pmwiki.org/wiki/Site/AuthForm for an example of
what I'm working on.  As a bonus we'll automatically get "?action=login"
for those who wish to have a login button of some sort.

So, does that about cover it?  :-)

Pm
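As an added example (not PmWiki's own code), here is a small Python resolver for the group-membership format and the password-spec syntax proposed in the message above. The Site.AuthUser sample content and the function names are constructed; shared passwords are compared as plain text here, whereas a real install would store and compare a hash.

```python
import hmac
from collections import defaultdict

# Constructed Site.AuthUser content in the format proposed above; not a real page.
SAMPLE_AUTHUSER = """
@editors: alice, bob, carol
@editors: dave, trent
justin: @editors, @visitors
alice: @admins
"""

def parse_groups(text):
    """Return {'@group': set(usernames)} from 'key: value, value' lines.

    A key starting with '@' lists members of that group; any other key is a
    username followed by the groups it belongs to. Both forms may be mixed
    and repeated, and memberships accumulate across lines.
    """
    members = defaultdict(set)
    for raw in text.splitlines():
        key, sep, rest = raw.strip().partition(':')
        if not sep:
            continue  # blank or malformed line
        key = key.strip()
        values = [v.strip() for v in rest.split(',') if v.strip()]
        if key.startswith('@'):
            members[key].update(v for v in values if not v.startswith('@'))
        else:
            for group in values:
                if group.startswith('@'):
                    members[group].add(key)
    return dict(members)

def authorized(spec, user, groups, password=None):
    """Evaluate a space-separated spec such as '@editors id:pmichaud whitehorse'.

    Any single token granting access is enough: '@group' or 'group:@group'
    by membership, 'id:name' by username, and any other token is a shared
    password (compared in constant time; hypothetical plain-text handling).
    """
    for token in spec.split():
        if token.startswith('group:'):
            token = token[len('group:'):]
        if token.startswith('@'):
            if user in groups.get(token, ()):
                return True
        elif token.startswith('id:'):
            if user == token[len('id:'):]:
                return True
        elif password is not None and hmac.compare_digest(token, password):
            return True
    return False
```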