[pmwiki-users] AuthUser and groups
Paul E. Bloch
paul at cs.uoregon.edu
Thu Jan 27 14:47:18 CST 2011
To answer my own question, I found that groups as members of groups is not a current feature and is being discussed in <http://www.pmwiki.org/wiki/PITS/01232>. Part of the question being asked is what if you have multiple levels of groups. I could live with one level for my current application, but I do believe that full multi-level recursive groups would make more sense to admins.
I'll solve my immediate problem by just fulling listing each group membership. Thanks.
Paul
On 27 Jan 2011, at 10:17 AM, Paul E. Bloch wrote:
> We are using AuthUser for PmWiki access control. I have two questions.
> Is there away to allow access for everyone except members of a group?
> Is there a variable like $AuthId that tracks the group of a user? I am mostly interested in using this for testing, so ideally it would be the group membership that allowed access to a page.
>
> More details of our configuration and requirements.
>
> We are using htpasswd and htgroup files to define users and groups. Currently we require a login for any access to the wiki and some page groups are further protected so that only members of a specific group can access those pages. Here are the relevant lines from our config.php:
>
> $DefaultPasswords['admin'] = '@admin';
> $DefaultPasswords['attr'] = '@admin';
> $DefaultPasswords['edit'] = 'id:*';
> $DefaultPasswords['upload'] = 'id:*';
> $DefaultPasswords['read'] = 'id:*';
>
> $AuthUser['htpasswd'] = '/etc/pmwiki.passwd';
> $AuthUser['htgroup'] = '/etc/pmwiki.group';
> include_once("$FarmD/scripts/authuser.php");
>
> This give the basic access requirement of a login in our htpasswd file for the entire site. For wiki groups that require more restrictive access we change the attributes on the GroupAttributes page to have a read password of '@groupname' where the membership of groupname is defined in the htgroup file.
>
> http://example.com/pmwiki/pmwiki.php?n=GroupName.GroupAttributes?action=attr
>
> and the htgroup file has entries like
>
> admin: paul jdash tom sue
>
> There is a new requirement to allow a new group of users access to ONLY pages in their wiki group. I could put everyone in a group 'all' and then make the default read access be '@all', but that requires maintaining that group. Every time we add a new person we add them to 'all', making sure not to add the users with more restrictive rights. Not terrible but it seemed like there might be a better way.
>
> The AuthUser documentation describes a method of excluding individuals from password groups. The example of keeping Fred out of a group is
>
> $DefaultPasswords['attr'] = array('id:*,-Fred');
>
> I reasoned that since my new group included members who were only allowed to access pages in their group, I should be able to exclude them just as Fred is excluded in the example. So I tried modifying my config.php like this:
>
> $DefaultPasswords['read'] = array('id:*,- at specialgroup'); # I tried both of these.
> $DefaultPasswords['read'] = array('id:*','- at specialgroup');
>
> I was hoping that everyone but members of @specialgroup would have default read access. Then I could change the GroupAttibutes to allow @specialgroup read access to their pages. That does't seem to work. Am I using the wrong syntax or doing things in the wrong order? Or is excluding a group not possible?
>
> Paul
>
>
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
More information about the pmwiki-users
mailing list