[Pmwiki-users] User based security?

Nathan Jones nathanj
Mon Feb 23 19:37:14 CST 2004


Pm wrote:
>$HTAccess['read'] = '';			# anyone can read
>$HTAccess['edit'] = 'valid-user';	# anyone with a valid password can edit
>$HTAccess['upload'] =                   # frankr, harryt, and abel can upload
>  array('frankr', 'harryt', 'abel');

I like this idea.

>although I'm not sure if it will be possible to allow anonymous read access
>when using .htaccess authentication.

I doubt it. My understanding of Apache's support for Basic Auth is that
it applies to a whole directory and its subdirectories. I'd imagine that
allowing anonymous access to pages, but requiring auth for editing is not
possible.

It is important (if no login is required for read access) that users are
not prompted for a password and expected to leave it blank - too
confusing.

Looks like the Cookbook module would have to work directly with HTTP
headers:

PmWiki, responding to request for blah?action=edit:
WWW-Authenticate: BASIC realm="PmWiki"

Web browser, after prompting the user for login:
Authorization: BASIC user:pass (in base64)

Of course, there's no reason that a normal .htpasswd file couldn't be
used to hold username and password pairs. This way the functionality
could be developed and tested without too much work. Building auth
details into user profiles could be tackled as a follow-on step, if there
is enough interest/demand.

>We could also see about combining the authentication mechanisms; i.e.,
>have a username+password scheme combined with the current page/group
>passwords.

As the module will be an optional extra (i.e., in the Cookbook), the
current password scheme for groups, pages and actions would have to
remain in the default install. Not sure how the two schemes should
interact. (Not that you'd really need the existing scheme if using the
Cookbook module.)

One last note: I think it would be necessary that the $HTAccess['action']
array can be set at different levels. That is, I might want:

- In config.php:
  $HTAccess['edit'] = 'valid-user';

- In Private.php:
  $HTAccess['read'] = 'nathanj';

-- 
Nathan Jones
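
Added example, not part of the original message and not PmWiki code: a PHP sketch of the per-action check discussed above, where the 401 challenge is sent only for actions whose $HTAccess rule requires a login, so anonymous readers are never prompted. The function names authorize() and check_htpasswd(), the sample credentials, and the default rule for unlisted actions are assumptions.

```php
<?php
// $HTAccess has the shape proposed in the thread; everything else here is hypothetical.
$HTAccess = [
    'read'   => '',                            // anyone can read
    'edit'   => 'valid-user',                  // any authenticated user
    'upload' => ['frankr', 'harryt', 'abel'],  // named users only
];

// Constructed .htpasswd content. {SHA} is base64(sha1(password)), unsalted; it is
// used here only to keep the sample short, prefer bcrypt entries in a real file.
$htpasswd = "frankr:{SHA}" . base64_encode(sha1('s3cret', true)) . "\n";

function check_htpasswd(string $file, string $user, string $pass): bool {
    foreach (explode("\n", $file) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) !== 2 || $parts[0] !== $user) continue;
        // Only the {SHA} scheme is handled; other hash formats are rejected.
        if (strncmp($parts[1], '{SHA}', 5) !== 0) return false;
        return hash_equals(base64_decode(substr($parts[1], 5)), sha1($pass, true));
    }
    return false;
}

// Returns [status, headers] for an action and the raw Authorization header (or null).
function authorize(array $HTAccess, string $htpasswd, string $action, ?string $authz): array {
    $rule = $HTAccess[$action] ?? 'valid-user';   // assumption: unlisted actions need a login
    if ($rule === '') return [200, []];           // anonymous action: never challenge
    $challenge = [401, ['WWW-Authenticate: Basic realm="PmWiki"']];
    if ($authz === null || stripos($authz, 'Basic ') !== 0) return $challenge;
    $decoded = base64_decode(substr($authz, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) return $challenge;
    [$user, $pass] = explode(':', $decoded, 2);   // the password may itself contain ':'
    if (!check_htpasswd($htpasswd, $user, $pass)) return $challenge;
    if ($rule === 'valid-user') return [200, []];
    // A single name ('nathanj') or a list of names both work via the array cast.
    return in_array($user, (array)$rule, true) ? [200, []] : [403, []];
}

// Walk the exchange: anonymous read, anonymous edit, then authenticated requests.
$hdr = 'Basic ' . base64_encode('frankr:s3cret');
foreach ([['read', null], ['edit', null], ['edit', $hdr], ['upload', $hdr]] as [$a, $h]) {
    [$status, $headers] = authorize($HTAccess, $htpasswd, $a, $h);
    echo "$a -> $status " . implode('; ', $headers) . "\n";
}
```

Basic credentials are only base64-encoded on the wire, so a scheme like this depends on the wiki being served over TLS.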
