[pmwiki-users] How to store login information in a page and have their permissions determined by what group that page is in

Alex Eftimiades alexeftimiades at gmail.com
Sun Aug 12 17:27:31 CDT 2012


Thanks for your help, but I wound up finishing what I started on the  
custom authorization. It pretty much does everything I wanted it to  
do, and I intend to publish it as a recipe tonight and/or tomorrow.  
Here is the current functioning version of my recipe:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: authuserplus.php
Type: text/php
Size: 8287 bytes
Desc: not available
URL: <http://www.pmichaud.com/pipermail/pmwiki-users/attachments/20120812/d01b1139/attachment.bin>
-------------- next part --------------



You need to change scripts/author.php a bit to get the author links to  
go to the right pages, and I used the EditAttributes recipe to do a  
search for existing usernames, that a password has been set, and that  
the username does not contain unwanted characters (in my case, the @  
symbol, commas and whitespaces) before saving the new username. You  
also need to add two lines to your config.php before including the  
recipe if you are using wikipublisher (as I am):
unset($AuthCascade["wikipublisher"]);
$AuthCascade["read"]="wikipublisher";

Also since I salt my passwords, you should add the following line  
before including the recipe (at least while you are making your first  
users' profile pages):
$ROSPatterns['/\\(:encrypt\\s+([^\\s:=]+).*?:\\)/e'] =  
"crypt(PSS('$1'),'$1')";

I tried to emulate the functionality of @_site_admin and the like by  
associating a group $SitePrefix.'admin' or the like with an equivalent  
level of authorization to @_site_admin. For example, by default  
$SitePrefix='Site'. So anyone in the Siteadmin group gets similar  
authorization to that of @_site_admin. The same goes for the rest of  
the default passwords. As of now, I just have it so that anyone in  
Siteadmin is the admin of every page, anyone in Siteedit can edit any  
page, etc. I have to make it so that Siteedit cannot edit Siteadmin  
and Siteattr's passwords, and that Siteattr cannot reset the passwords  
of the other Site groups.

Also, the passwords are currently encrypted using the password itself  
as the salt. I do this to make sure that even if the person had source  
access to the page they could not read that person's passwords. I  
thought about storing the passwords in plaintext and only letting  
admins view pages with the 'password' page text variable, but this  
seemed safer. The only problem is that it makes it very difficult, if  
not impossible, to use EditAttributes to create a new text field in the  
edit form for entering a new password, let alone a confirmation  
password. I will probably have to code that part from scratch if I  
stay with the encrypted password approach.

Anyone have any comments?

Thanks,
Alex

On Aug 10, 2012, at 10:02 AM, Peter Bowers wrote:

> On Thu, Aug 9, 2012 at 4:15 PM, Alex Eftimiades
> <alexeftimiades at gmail.com> wrote:
>> That recipe looked promising if not for the fact that the part of the
>> recipe that stores information in profiles is not maintained and there
>> is a lot of red text that indicates it being nonfunctional. Did I
>> misunderstand, or is that part of the recipe nonfunctional?
>
> IIRC the profiles section was completely functional first. Then
> authuser functionality was added in which changed a few parameters to
> a few functions, thus rendering the profiles functionality unusable.
> But I don't believe it's too far from being workable.  And I believe
> the functionality from an authuser standpoint is in live use on
> several sites.  All that to say I think the red warnings make it look
> a little worse than it actually is.
>
> -Peter
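
Added example (not from the original message or from authuserplus.php): the PHP below contrasts the self-salted crypt() call quoted in the message with a per-hash random salt from password_hash(). The function names and the sample password are constructed for illustration.

```php
<?php
// Added illustration; not part of authuserplus.php. Sample passwords are constructed.

// Scheme quoted in the message: the password is also passed as the crypt() salt.
// A salt without a "$" prefix selects traditional DES crypt, which uses only the
// first two salt characters and copies them to the start of its output.
function self_salted_hash($password) {
    return crypt($password, $password);
}

// Hardened form: random per-hash salt and a slow algorithm (PHP 5.5 or later).
function random_salted_hash($password) {
    return password_hash($password, PASSWORD_DEFAULT);
}

function report($label, $condition) {
    printf("%-58s %s\n", $label, $condition ? 'yes' : 'no');
}

$password = 'kitten2012';               // constructed sample
$alice    = self_salted_hash($password);
$bob      = self_salted_hash($password);

report('stored hash starts with first 2 chars of the password?',
       substr($alice, 0, 2) === substr($password, 0, 2));
report('two users with the same password share a stored hash?',
       $alice === $bob);
report('password cut to 8 chars gives the same hash (DES limit)?',
       self_salted_hash(substr($password, 0, 8)) === $alice);

$h1 = random_salted_hash($password);
$h2 = random_salted_hash($password);

report('password_hash: same password, different stored values?', $h1 !== $h2);
report('password_hash: correct password verifies?',
       password_verify($password, $h1));
report('password_hash: 8-char prefix is rejected?',
       !password_verify(substr($password, 0, 8), $h1));
```

A password whose first two characters fall outside the DES salt alphabet (./0-9A-Za-z) makes the self-salted crypt() call fail instead of producing a hash, so that case needs handling wherever the self-salted form is kept.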


