[pmwiki-users] authuser forcing Author name stopped working?

H. Fox haganfox at gmail.com
Thu Jul 7 23:02:42 CDT 2005


On 7/7/05, H. Fox <haganfox at gmail.com> wrote:
> On 7/7/05, Neil Herber <nospam at eton.ca> wrote:
> > At 2005-07-07  09:06 PM -0500, Patrick R. Michaud is rumored to have said:
> > >So, it sounds as though what you really want is to set the author
> > >name based on the password form and not based on authentication, so
> > >perhaps something like:
> > >
> > >     $AuthUser['htpasswd'] = '/path/to/your/.htpasswd';
> > >     include_once("$FarmD/scripts/authuser.php");
> > >     if (@$_POST['authid']) {
> > >       $Author = $_POST['authid'];
> > >       setcookie('author', $Author, 0, '/');
> > >     }
> >
> > Exactly what I want to do! I shall try it now.
> 
> I think you can keep your users from spoofing a .htpasswd user by
> slipping in two more lines:
> 
>   $AuthUser['htpasswd'] = '/path/to/your/.htpasswd';
>   include_once("$FarmD/scripts/authuser.php");
>   if (@$_POST['authid']) {
>     $Author = $_POST['authid'];
>     setcookie('author', $Author, 0, '/');
>   } else if (@$_COOKIE['author']) {
>     $Author = $_COOKIE['author'];
>   }
> 
> This way:
> 
> * If they try to log in as a .htpasswd user they will need the correct password.
> * The name they use to log in cannot be changed using the Edit form's
> Author field.

Oops.  This might be better.

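   // Start a session on edit so that $_SESSION is available.
   if ($action == 'edit') @session_start();
   if (@$_SESSION['authid']) {
     // An id already stored in the session takes precedence.
     $Author = @$_SESSION['authid'];
   } else if (@$_POST['authid']) {
     // Otherwise use the name from the password form and keep it in a cookie.
     $Author = $_POST['authid'];
     setcookie('author', $Author, 0, '/');
   } else if (@$_COOKIE['author']) {
     // Otherwise fall back to the name kept in the cookie.
     $Author = $_COOKIE['author'];
   }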

Hagan



