[pmwiki-users] Admin's password

Tegan Dowling tmdowling at gmail.com
Fri Aug 11 11:51:56 CDT 2006


On 8/11/06, 1 2 <vanship85 at gmail.com> wrote:
> On 8/11/06, Tegan Dowling < tmdowling at gmail.com > wrote:
> >On 8/11/06, 1 2 <vanship85 at gmail.com> wrote:
> > >
> > > Hi. I set up my pmwiki and set a page to be only edited by some
> > > users. But if I provide the admin's password in the password box,
> > > I will be able to login and edit this page regardless of the username I
> > > provide in the username box. It seems that the default admin password
> > > does not require a user name. I think this may cause security problems.
> > > How to solve this problem?
> >
> > <snip>
> > Do you have in your config.php:
> >
> >     include_once("$FarmD/scripts/authuser.php");
> >
> > ?
> >
> Sorry that maybe I misunderstand ... it is AuthUser configuration. Maybe
> this problem is not a big deal, but I think sometimes some admins are
> annoyed about it...
> I will give an example,
>
> I set in local/config.php that
> $DefaultPasswords['admin'] = crypt('123456');
>
> And I follow the instruction that in Site.AuthUser, I add a line as
> alice: (:encrypt wonderland:)
>
> and save it to create an account.  Then I edit the attributes of a page, add
> the following line in the edit password box,
> id: alice
>
> Of course next time when I edit the page, it prompts a login page with Name
> and Password box. I try alice:wonderland and it is ok. But when I try
> alice:123456 (the default passwords of admin), it is also ok. Even when I try
> bob:123456, it is still ok. I think it is a problem that if a user's
> password happens to be the admin's, he will get the whole privileges
> even if he does not know he becomes an admin.
>

OK, AuthUser - maybe the user-group will have an answer.  Me, I'd
change the admin password to something none of the users is going to
accidentally pick.  But it is surprising to me that the wiki doesn't
object to a mis-match between username and password.

Tegan
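
The behaviour reported in this thread, and the advice to keep the admin password distinct from anything a user might pick, as an added PHP sketch that is not part of the original messages and is not PmWiki's code. It models a shared site-wide password that is checked without reference to the username, plus a check to run when a user password is set; all function and variable names and the sample hashes are constructed for illustration.

```php
<?php
// Simplified model of the behaviour described in the thread; NOT PmWiki's implementation.
// Names ($site_passwords, $authuser_table, login, collides) are hypothetical.

// Site-wide password: a shared secret with no username attached (constructed sample).
$site_passwords = ['admin' => password_hash('123456', PASSWORD_DEFAULT)];

// Per-user accounts, standing in for entries in Site.AuthUser (constructed sample).
$authuser_table = ['alice' => password_hash('wonderland', PASSWORD_DEFAULT)];

// Returns the credentials a single login attempt ends up holding.
function login(string $name, string $pw, array $site, array $users): array {
    $granted = [];
    // Username-bound check: succeeds only for the matching account.
    if (isset($users[$name]) && password_verify($pw, $users[$name])) {
        $granted[] = "id:$name";
    }
    // Shared-secret check: the submitted username is never consulted.
    foreach ($site as $level => $hash) {
        if (password_verify($pw, $hash)) {
            $granted[] = $level;
        }
    }
    return $granted;
}

// Check for password set/change time: which site-wide levels would this
// user password also unlock? An empty result means no collision.
function collides(string $new_pw, array $site): array {
    return array_keys(array_filter($site, fn($h) => password_verify($new_pw, $h)));
}

// The three attempts from the message above.
foreach ([['alice', 'wonderland'], ['alice', '123456'], ['bob', '123456']] as [$n, $p]) {
    $got = login($n, $p, $site_passwords, $authuser_table);
    printf("%s:%s -> [%s]\n", $n, $p, implode(', ', $got));
}

// Reject a new user password that equals a site-wide one.
foreach (['123456', 'wonderland'] as $candidate) {
    $hit = collides($candidate, $site_passwords);
    printf("'%s' %s\n", $candidate, $hit ? 'rejected: matches ' . implode(', ', $hit) : 'accepted');
}
```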
