[pmwiki-users] Custom Action and Authentication

Petko Yotov 5ko at 5ko.fr
Tue Feb 11 07:50:33 CST 2014


I don't have the potential to review and debug all this but you need to NOT  
have a username $_POST['authid'] at all, not empty, just not set, if you  
only use "shared password" protection.

Is it possible that you have some function calls to CondAuth(),  
RetrieveAuthPage(), PageVar(), FmtPageName() or other core function before  
you have set $_POST['authpw']? Some of these functions, if they retrieve  
content from the wiki.d files, will cache the authorization levels.

Typically, any function call in config.php, or in a recipe included from  
config.php, can cache the levels. The function you set with $HandleActions  
is called much later, at the end of the processing. So you may want to  
assign the $_POST['authpw'] value before any function call and before any  
included recipe.

Petko

P.S. There is no point in calling CondAuth() before RetrieveAuthPage().  
CondAuth() actually returns (boolean)RetrieveAuthPage() so you do the same  
CPU-intensive operation twice.


Crisses writes:
>
> On Feb 11, 2014, at 3:42 AM, Petko Yotov wrote:
>>
>> Petko Yotov writes:
>>
>>> Crisses writes:
>>>> Hi,
>>>>
>>>> I've spent a day trying to fix this, so I have to figure that the  
>>>> documentation or myself (or both) aren't up to the task...
>>
>>>>
>>>> I have an array of (xml scalar) variables being passed to PmWiki via  
>>>> ?action=xmlrpc, including the author & password.  All the xmlrpc functions  
>>>> are in their own classes, including extracting the password from the xml  
>>>> data.  It works just fine, can dump the vars and all is (apparently?) in  
>>>> order.
>>
>>>>
>>>> I'm using basic PmWiki passwording.  I've set up the password to be  
>>>> passed to $_POST['authpw'] and the username to go into $_POST['authid']  
>>>> and (global) $Author.
>>
>>>
>>
>>> If you use basic PmWiki passwording (shared password) you need to set  
>>> $_POST['authpw'] before calling RetrieveAuthPage().
>>
>> Or, you should be able to call SessionAuth($pagename, $pass); before  
>> calling RetrieveAuthPage(), no need to set $_POST['authpw'].
>>
>> After you have authenticated, just get and return the PHPSESSID cookie when  
>> you access the other pages, no need to repost user/pass every time.
>>
>> Petko
>
>
>
>
>
> Apparently I'm still not "getting it"....  Note: I'm just using basic  
> passwords (for now) and not trying to make it compatible with authuser.php  
> (yet).
>
>
> I don't think the XMLRPC clients (Ecto, MarsEdit, etc.) have session cookies.  
>  
>
>
> $password and $username are set just fine as far as I can tell from the  
> scalarval() (no whitespace chars added, etc...).  xes_error & xes_dump are  
> debug functions which write to the error_log.  xes_dump does a print_r($var,  
> true).  $page and $page['text'] comes out blank every time, unless I use  
> ReadPage().  CondAuth would work to skip the rest of the loop, but the auth  
> fails.  The remainder of the GetRecentPages function runs fine when I use  
> ReadPage including client-side XML output, and with authentication the blank  
> pages are sent to the XMLRPC client as if nothing else is wrong.
>
>
>
>
> (parent function(s) called via $HandleActions['xmlrpc'] = 'HandleXMLRPC'; )
>
>
> ...
>
>
>
>
>         // Retrieves a certain number of PmWiki pages ordered by date
>         public static function GetRecentPages($params) {
>                 xes_error("Calling GetRecentPages.");
>                 global $XMLRPC_AuthPage;
>                 $blogidp=$params->getParam(0); $groupname=$blogidp->scalarval();
>                 $usernamep=$params->getParam(1); $username=$usernamep->scalarval();
>                 $passwordp=$params->getParam(2); $password=$passwordp->scalarval();
>                 $passp=$params->getParam(3); $number=$passp->scalarval();
>                 ValidateUser($username,$password);
>
>
>                 // Gather pages in an array for sorting by time
>                 $grouppages = $fullpages = Array();
>                 $pattern = "/^$groupname\\./";
>                 $grouppages = ListPages($pattern);
>                 foreach($grouppages as $pagename) {
>                         xes_dump($pagename, "Next Name: ");
>                         // Skip pages we do not have access to
>                         if (! CondAuth($pagename, 'edit')) xes_error("No Text 4 u!");
>                         $page = RetrieveAuthPage($pagename, 'edit', false, 0);
>                         #$page = ReadPage($pagename);
>                         xes_dump($page, "Page: ");
>                         $fullpages[] = $page;
>                 }
>                 //Needs an empty error! No pages found....
>
>
>                 function ComparePageTime($a, $b) {
>                         if ($a['time'] > $b['time']) return -1;
>                         if ($a['time'] < $b['time']) return 1;
>                         return 0;
>                 }
>                 usort($fullpages, "ComparePageTime");
>
>
>                 $arrayval = Array();
>                 $pagenum = 0;
>                 // Only return as many pages as are requested
>                 foreach($fullpages as $page) {
>                         if($pagenum++ >= $number) break;
>
>
>                         $arrayval[]= BloggerXMLRPC::PageAsXMLStruct($page);
>                 }
>                 $myVal=new xmlrpcval($arrayval, "array");
>                 return new xmlrpcresp($myVal);
>         }
>
>
> ...
>
>
>
>
>
> separate "helper" function (I know it's not performing validation, I  
> inherited the namespace from the former recipe author and haven't corrected  
> it yet -- it used to support UserAuth and return false on failure):
>
>
>
> function ValidateUser ($username, $password) {
>         global $Author;
>         xes_error("Calling ValidateUser");
>         $Author = $_POST['authid'] = $username;
>         $_POST['authpw'] = $password;
>         return true;
> }
>
>
>
>
>
> Crisses
> --If PmWiki plug-ins are recipes, then I'm a chef! Or at least a line cook.  
>  :)
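
The ordering advice at the top of this message (set $_POST['authpw'] before any function call or included recipe, and leave $_POST['authid'] unset), sketched as an added example that is not code from the thread or from PmWiki. The helper name xmlrpc_early_password() is hypothetical, the parameter index follows the quoted GetRecentPages(), and the sample request is constructed.

```php
<?php
// Added example: helper name and sample request are constructed for illustration.
// Parameter order follows the quoted GetRecentPages(): index 2 is the password.

/** Return the password param of an XML-RPC <methodCall> body, or null. */
function xmlrpc_early_password(string $rawXml, int $index = 2): ?string {
    // Refuse any request that declares a DTD, so no entity is ever expanded.
    if ($rawXml === '' || stripos($rawXml, '<!DOCTYPE') !== false) return null;

    $prev = libxml_use_internal_errors(true);   // keep parser warnings out of the response
    $doc  = simplexml_load_string($rawXml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($doc === false || $doc->getName() !== 'methodCall') return null;
    if (!isset($doc->params->param[$index])) return null;

    $value = $doc->params->param[$index]->value;
    // XML-RPC accepts <value><string>x</string></value> and bare <value>x</value>.
    $pw = isset($value->string) ? (string)$value->string : trim((string)$value);
    return $pw === '' ? null : $pw;
}

// In local/config.php this block comes first: above every include_once() of a
// recipe and above any PmWiki function call, so nothing has cached the
// authorization levels before the password is in place.
if (($_GET['action'] ?? '') === 'xmlrpc') {
    $pw = xmlrpc_early_password((string)file_get_contents('php://input'));
    if ($pw !== null) $_POST['authpw'] = $pw;
    unset($_POST['authid']);   // shared-password protection: authid must not be set at all
}

// Stand-alone run (php thisfile.php) against a constructed sample request.
if (PHP_SAPI === 'cli') {
    $sample = '<methodCall>'
        . '<methodName>example.getRecentPages</methodName><params>'
        . '<param><value><string>Blog</string></value></param>'
        . '<param><value><string>alice</string></value></param>'
        . '<param><value><string>sample-password</string></value></param>'
        . '<param><value><int>5</int></value></param>'
        . '</params></methodCall>';
    var_dump(xmlrpc_early_password($sample));
    var_dump(xmlrpc_early_password('<!DOCTYPE x [<!ENTITY e "v">]><methodCall/>'));
}
```

The XML-RPC library can still read the request body afterwards, since php://input is reusable from PHP 5.6 on.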


