[pmwiki-users] How do I only let authorized users edit pages?

John M. Gabriele john_sips_tea at yahoo.com
Sun Jul 24 20:27:04 CDT 2005



--- "Patrick R. Michaud" <pmichaud at pobox.com> wrote:

> On Sun, Jul 24, 2005 at 03:52:49PM -0700, John M. Gabriele wrote:
> > Ok, I tried it, and I made a small update to 
> > http://www.pmwiki.org/wiki/PmWiki/PasswordsAdmin
> > but my page still lets me make a change without having to
> > type in a password. Why isn't it asking me for a password?
> > Do I need to restart something?
> 
> Note that once you've entered in the password into your browser,
> you may not be asked for that same password again.

Doh! That was probably it. :)

> > > scripts/authuser.php is pmwiki's build in script for user
> > > authentification, providing a login form with name and password
> > > fields.
> > 
> > It sounds like there's a lot more to it than that. (?)
> > 
> > It almost makes it sound like pmwiki has that notion of users
                                             ^^^^

s/that/no/   -- I guess I just made a typo there.

> > with passwords... but I'm not seeing anything like that in pmwiki
> > except for that cookbook AuthUser thing.
> 
> User-based authorization is being slowly added into PmWiki.  I held off
> for a very long time because for most of my purposes, maintaining
> a set of usernames and passwords is much more of a hindrance than
> a help.  It's *far* easier for me to tell my small groups of editors 
> "the edit password is 'xyz'" than it is for me to require each one of
> them to register, be added to a list of authorized editors, and 
> have to worry about what to do when one of them forgets their individual
> password.  

I see your point Patrick, and it makes a lot of sense. I can always
just email a password to the folks that request one. It only takes
a moment to ssh in to the server and add a line to my config.php.

> PmWiki's authuser.php script takes the approach that there are many
> forms of authentication; some admins already have authentication systems
> in place (e.g., via existing .htaccess, MySQL databases, LDAP, 
> Active Directory, RADIUS, other), so rather than require all sites
> to maintain "yet another user account/password" system just for PmWiki, 
> PmWiki gives the flexibility to make use of existing ones.  But because 
> of that, we haven't developed a full-fledged username/password system
> for people who don't already have one, which is what you're finding to
> be "missing" at the moment.  :-)

In the future, it might be nice to have an admin page that someone
with the admin password can visit, listing all the wiki users
(maybe alphabetically, showing only one letter at a time (all names
starting with "[aA]", all names starting with "[bB]", etc.) and
showing checkboxes to give or deny edit privileges... but even though
I don't understand authuser.php yet, I can guess how that might
conflict with the ways other users might be handling access privileges.

> Right now, I find the easy way to handle usernames and passwords in 
> PmWiki is to put them directly in config.php and use the authuser script.
> So, in local/config.php you can do:
> 
>     $AuthUser['alice'] = crypt('alicepassword');
>     $AuthUser['bob'] = crypt('bobpassword');
>     $AuthUser['carol'] = crypt('carolpassword');
>     include_once('scripts/authuser.php');
> 
>     $DefaultPasswords['edit'] = 'id:*';
> 
> and then only Alice, Bob, and Carol will be able to edit pages on the
> site (unless a group or page overrides the site password).  

Ahhh! That is very simple. I like it! That's what I'll use. Thanks.

> Eventually, someone (maybe me, maybe not me) will likely write a cookbook
> recipe 

Speaking of cookbook, looks like this page:
http://www.pmwiki.org/wiki/Cookbook/Cookbook
may have been vandalized (possibly inadvertantly) by someone
after I made my edit.

>that builds on authuser.php and allows new site visitors to 
> register for an account, set a password, change a password, 
> recover lost passwords, etc.  Then we'll take a look at it and
> see about incorporating it into the main distribution.  But we just 
> don't have that yet.
> 
> Pm

Sounds good. I think the simplest solution right now is to just
make sure you've got the admins email right there on the front
page saying, "if you've lost your password, think hard about it,
then email the admin. :)".

Thanks for the reply,
---J



		
____________________________________________________
Start your day with Yahoo! - make it your home page 
http://www.yahoo.com/r/hs 
 




More information about the pmwiki-users mailing list