[Pmwiki-users] [pmwiki1 & 2], userauth and author spamming

pyg_listes pyg_listes
Tue Dec 14 01:17:44 CST 2004

Patrick R. Michaud wrote:

>On Sun, Dec 12, 2004 at 07:39:09PM +0100, pyg_listes wrote:
>>Solutions I have explored :
>>-> assigning a password the first time an author name is used, store it 
>>(hidden) in Profiles/AuthorsPasswords (so each user defines by himself 
>>his password). It would be (for me) the best solution, but I'm afraid 
>>it's quite complicated to code :-/
>I'm working on this one, except the passwords would be stored in
>the individual Profiles pages instead of having a separate page for them

Thanks Patrick for your response,
I also came to this conclusion and sent an email (below) in reply to 
Kevin, but it seems to be lost :-(


> Date: Mon, 13 Dec 2004 10:46:08 +0100
> To: "KevinTiller" <kevin at coolrunning.com.au>
> From: PyG <pyg_listes at exiup.com>
> Subject: Re: [Pmwiki-users] how can I change the page author attribution?
> At 03:05 13/12/2004, you wrote:
>> On my website we have a UBB messageboard that requires a login. This info
>> is stored in a cookie. I then massaged the pmwiki code so that it reads
>> the cookie and only then displayed the Edit page link. Then I made the
>> name field hidden so the user can't change it, and defaulted it to the
>> logon name. Works like a treat. It also gives a minimum level of security
>> as you can edit a page unless you have an account. However getting an
>> account is an automated fill-in-the-form and be emailed a password process
>> so anyone determined can get one. Once people have an account it's an easy
>> process (we have 4000 users).
> Hi Kevin,
> this sounds great, but (as far as I understand English :-/) that means 
> that UBB log/pass is stored in a database?
> One of the 1 billion advantages of pmWiki among other CMS is that it 
> could work without DB.
> That's why I have asked about a procedure to store log/pass in flat file.
> What I have thought of:
> (user pyg doesn't exist)
> 1- user edits a page
> 2- below edit box: user AND password are asked ("Please enter your 
> author name and (facultative) your Password, if the author name 
> doesn't exist, it will be created and associated with your password 
> (even blank)")
> 3- user enters "pyg" and "pygpassword" and validates changes
> 4- pmWiki verifies if page Profiles/Pyg exists
> => Page Profiles/Pyg doesn't exist:
> 5.1- pmWiki creates Profiles/Pyg and stores the password in a hidden way
> 5.2- pmWiki stores cookie with login only (user needs to retype his 
> password each time), or login and pass if short-life cookie (local 
> config option)
> 5.3- pmWiki records modifications of the modified page (as usual)
> => Page Profiles/Pyg already exists
> 6.1- PmWiki loads Profiles/Pyg page and loads hidden password
> 6.2- pmWiki compares inputted password and loaded password
> 6.3 => different password: error message ("Bad password or user 
> already exists") and back to step 3
> 6.4 => same password: pmWiki records modifications of the modified 
> page (as usual)
> User should also modify his password by going to 
> /Profiles/pyg?action=changepassword
> What do experienced pmWiki users think of this?
> This procedure doesn't answer:
> - how can I change the page author attribution?
> - how can I prevent user to use different users names ("Chuck" and 
> "Chuck E")?
> But it permits to make a "name reservation".
> Cheers
> pyg
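
Steps 4 to 6.4 of the procedure quoted above, sketched as an added PHP example (not code from this thread or from PmWiki). It assumes one flat file per author in a profiles directory and stores a salted hash rather than the password itself; the names profile_path and check_author and the file layout are hypothetical.

```php
<?php
// Added illustration, not PmWiki code. Function names and the
// one-file-per-author layout are assumptions made for this example.

// Map an author name to its profile file. Only plain alphanumeric names
// are accepted, so a name can never point outside $dir.
function profile_path(string $dir, string $author): ?string {
    if (!preg_match('/^[A-Za-z][A-Za-z0-9]{0,31}$/', $author)) {
        return null;
    }
    return $dir . '/Profiles.' . ucfirst($author) . '.pw';
}

// Decide an edit attempt: 'created' (name reserved on first use),
// 'ok' (password matches) or 'denied'.
function check_author(string $dir, string $author, string $password): string {
    $path = profile_path($dir, $author);
    if ($path === null) {
        return 'denied';
    }
    // Step 5.1: mode 'x' fails if the file already exists, so two
    // simultaneous first edits cannot both reserve the same name.
    $fh = @fopen($path, 'x');
    if ($fh !== false) {
        chmod($path, 0600);
        // A blank password is allowed, as in the proposal; it is hashed too.
        fwrite($fh, password_hash($password, PASSWORD_DEFAULT));
        fclose($fh);
        return 'created';
    }
    // Steps 6.1 to 6.4: load the stored hash and verify the typed password.
    $stored = @file_get_contents($path);
    if ($stored === false) {
        return 'denied';
    }
    return password_verify($password, trim($stored)) ? 'ok' : 'denied';
}

// Constructed demo in a throwaway directory.
$dir = sys_get_temp_dir() . '/profiles_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
echo check_author($dir, 'pyg', 'pygpassword'), "\n"; // first use of the name
echo check_author($dir, 'pyg', 'pygpassword'), "\n"; // same password again
echo check_author($dir, 'pyg', 'guess'), "\n";       // someone else tries the name
echo check_author($dir, '../x', 'pw'), "\n";         // name that is not a plain word
```

As in step 6.3, a wrong password and an already-taken name produce the same result, so the caller can show a single "Bad password or user already exists" message.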
