[pmwiki-users] Newbie Alert!!! - basic site security?

Tegan Dowling tmdowling at gmail.com
Sat Oct 20 09:33:37 CDT 2007


On 10/19/07, Johnny Ernst Nielsen <j_e_n_pub at yahoo.dk> wrote:
>
> On Friday 19 October 2007 at 17:38, Jeff Schallenberg wrote:
> > I have just installed a pmwiki site on my Ubuntu server.
> >
> > It works and looks great - I have configured a logo and a skin, I
> > can create and edit pages - but that is the problem. This site is
> > to be used for a private non-profit group - less than a dozen
> > users. I would like to allow viewing, editing and uploading only by
> > this group.
> >
> > I have edited the config.php file to include the following lines:
> >
> > $DefaultPasswords['admin'] = crypt('secret');
> > $EnableUpload = 1;
> > $DefaultPasswords['upload'] = crypt('secret');
> >
> > But, even after restarting the server, I can still edit pages
> > without entering any password. If I check the recent changes, I
> > see:
> >
> >    - HomePage<http://jeffnet.zapto.org:85/pmwiki/pmwiki.php?n=Main.HomePage>. . . October 19, 2007, at 08:54 AM by ?:
> >    - NewPage<http://jeffnet.zapto.org:85/pmwiki/pmwiki.php?n=Main.NewPage>. . . October 19, 2007, at 08:42 AM by ?:
> >    - WikiSandbox<http://jeffnet.zapto.org:85/pmwiki/pmwiki.php?n=Main.WikiSandbox>. . . October 18, 2007, at 08:49 PM by ?:
> >
> > So, pmwiki doesn't even know who is editing!
> >
> > How can I protect my pmwiki site so that I have admin privileges,
> > and group members have read, write and upload privileges.
> >
> > I have read the documentation on security and passwords, and I
> > understood that setting passwords in config.php was sufficient to
> > limit edit privileges to users who know those passwords.
> >
> > What am I missing?
> >
> > Thanks for your help! And thanks for the great software!
>
> We are all newbies in different fields. It's all right.
>
> There are two ways.
>
> One with passwords, but no usernames.
>
> One with both user names and passwords.
>
> For the first method you need to add the proper passwords to the
> proper actions.
>
> Add to your config.php:
> $DefaultPasswords['admin'] = crypt('adminpassword');
> $DefaultPasswords['read'] = crypt('readpassword');
> $DefaultPasswords['edit'] = crypt('editpassword');
> $DefaultPasswords['attr'] = crypt('attributespassword');
> And so forth.
> You get the idea.
> See the details here:
> <http://www.pmwiki.org/wiki/PmWiki/PasswordsAdmin>
>
> With this method you give the same password to all who should have the
> same permissions.



NOTE that this is the default way of securing a PmWiki site, and your users
will still be able to enter an "Author" name for each edit -- in fact, one
simple addition to this scheme is to require an Author name for each edit.
This scheme is almost always sufficient for the kind of use you are
envisioning.  For my small businesses and nonprofit clients, I almost always
use this, and very, very seldom have any reason to even discuss a user-based
authentication scheme with them.

This is simple to operate and maintain unless you want to have an elaborate
system of different permissions for many different areas of the wiki.  Even
then it's still usable.

Here's what I have in my standard config.php file:

        $PmWikiAdmin = crypt('adminpasswordhere');
        $PmWikiUser = crypt('userpasswordhere');

        $DefaultPasswords['admin'] = $PmWikiAdmin;
        $DefaultPasswords['attr'] = $PmWikiAdmin;

        $DefaultPasswords['edit'] = $PmWikiUser;
        # $DefaultPasswords['read'] = $PmWikiUser; //if you don't want your wiki to be publicly viewable

        $HandleAuth['source'] = 'edit';  //require edit password in order to view wiki source for a page
        $HandleAuth['diff'] = 'edit';  //require edit password in order to view page history

        ##example array of passwords
        #    $DefaultPasswords['whatever'] = array(crypt('alpha'), crypt('beta')); //how to do it if you need more than one

        //Require author name - http://www.pmwiki.org/wiki/Cookbook/RequireAuthor
        $EnablePostAuthorRequired = 1;

        //Author cookie
        include_once("$FarmD/scripts/author.php");
        if($AuthId && !@$_COOKIE[$AuthorCookie]) {
            $Author = $AuthId;
            setcookie($AuthorCookie, $Author, $AuthorCookieExpires, $AuthorCookieDir);
        }


Happy wiki-ing!

Tegan
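
An added example, not part of the original message and not PmWiki's own code: a simplified PHP model of per-action passwords, showing why a config that sets only the admin and upload passwords leaves edit open, and how an array of hashes is matched. The function names, the constructed salt, the sample passwords and the rule that an action without an entry is open are assumptions of this sketch; it ignores PmWiki's built-in defaults and page or group attributes.

```php
<?php
// Added illustration, not PmWiki's own code: a simplified model of the
// per-action site passwords discussed in this thread.

// Constructed helper. Current PHP requires crypt()'s salt argument, so a
// fixed, constructed bcrypt salt is used to build the sample hashes.
function demo_hash(string $pw): string {
    return crypt($pw, '$2y$04$ConstructedSaltForDemo');
}

// True if $entered opens $action. Assumption of this model: an action with
// no entry (or an empty one) is open to everyone.
function action_allowed(array $passwords, string $action, ?string $entered): bool {
    $required = $passwords[$action] ?? '';
    if ($required === '' || $required === []) return true;
    if ($entered === null) return false;
    foreach ((array)$required as $hash) {   // one hash or an array of them
        // Re-hash with the stored hash as salt, compare in constant time.
        if (hash_equals($hash, crypt($entered, $hash))) return true;
    }
    return false;
}

// Actions that nobody has to authenticate for.
function open_actions(array $passwords, array $actions): array {
    return array_values(array_filter($actions,
        fn($a) => action_allowed($passwords, $a, null)));
}

$actions = ['read', 'edit', 'attr', 'admin'];

// Shape of the original poster's config: only admin and upload are set.
$asPosted = ['admin' => demo_hash('secret'), 'upload' => demo_hash('secret')];

// Shape of the reply's config, with 'whatever' taking either of two passwords.
$admin = demo_hash('adminpasswordhere');
$user  = demo_hash('userpasswordhere');
$asReplied = ['admin' => $admin, 'attr' => $admin, 'edit' => $user,
              'whatever' => [demo_hash('alpha'), demo_hash('beta')]];

echo "open as posted:  ", implode(', ', open_actions($asPosted, $actions)), "\n";
echo "open as replied: ", implode(', ', open_actions($asReplied, $actions)), "\n";
var_dump(action_allowed($asReplied, 'edit', 'userpasswordhere'));
var_dump(action_allowed($asReplied, 'edit', 'wrong'));
var_dump(action_allowed($asReplied, 'whatever', 'beta'));
```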