[pmwiki-users] AuthUser and groups

Thu Jan 27 12:17:42 CST 2011

We are using AuthUser for PmWiki access control.  I have two questions. 
Is there away to allow access for everyone except members of a group?
Is there a variable like $AuthId that tracks the group of a user?  I am mostly interested in using this for testing, so ideally it would be the group membership that allowed access to a page.

More details of our configuration and requirements.

We are using htpasswd and htgroup files to define users and groups.  Currently we require a login for any access to the wiki and some page groups are further protected so that only members of a specific group can access those pages.  Here are the relevant lines from our config.php:

$DefaultPasswords['admin'] = '@admin';
$DefaultPasswords['attr'] = '@admin';
$DefaultPasswords['edit'] = 'id:*';
$DefaultPasswords['upload'] = 'id:*';
$DefaultPasswords['read'] = 'id:*';    

$AuthUser['htpasswd'] = '/etc/pmwiki.passwd';
$AuthUser['htgroup']  = '/etc/pmwiki.group';
include_once("$FarmD/scripts/authuser.php");

This give the basic access requirement of a login in our htpasswd file for the entire site.  For wiki groups that require more restrictive access we change the attributes on the GroupAttributes page to have a read password of '@groupname' where the membership of groupname is defined in the htgroup file.

http://example.com/pmwiki/pmwiki.php?n=GroupName.GroupAttributes?action=attr

and the htgroup file has entries like

admin: paul jdash tom sue

There is a new requirement to allow a new group of users access to ONLY pages in their wiki group.  I could put everyone in a group 'all' and then make the default read access be '@all', but that requires maintaining that group.  Every time we add a new person we add them to 'all', making sure not to add the users with more restrictive rights.  Not terrible but it seemed like there might be a better way.

The AuthUser documentation describes a method of excluding individuals from password groups. The example of keeping Fred out of a group is 

 $DefaultPasswords['attr'] = array('id:*,-Fred');

I reasoned that since my new group included members who were only allowed to access pages in their group, I should be able to exclude them just as Fred is excluded in the example.  So I tried modifying my config.php like this:

$DefaultPasswords['read'] = array('id:*,- at specialgroup');     # I tried both of these.   
$DefaultPasswords['read'] = array('id:*','- at specialgroup');

I was hoping that everyone but members of @specialgroup would have default read access.  Then I could change the GroupAttibutes to allow @specialgroup read access to their pages. That does't seem to work.  Am I using the wrong syntax or doing things in the wrong order? Or is excluding a group not possible?

Paul