[pmwiki-users] Site.AuthList Questions

Sivakatirswami katir at hindu.org
Wed Jun 27 16:08:16 CDT 2007


Tegan Dowling wrote:
> On 6/26/07, Sivakatirswami <katir at hindu.org> wrote:
>> Do you also keep some kind of record of "who" is given the passwords?
>> Does your framework not require this oversight? Or perhaps you issue
>> passwords as a site admin, but someone else is responsible for who
>> gets them?
>>
>> Then if there is a problem, that someone simply tells you "can you please
>> change the password "bravo" to "tango"" and then you need to go through
>> all groups and manually change that in Group Attributes for each one.
> 
> Hi, Siva:  It would be a mere record-keeping matter to add the "who
> got it" information to the table, but I haven't found that I needed
> it.  Typically, when I have a need to track passwords this way, the
> passworded areas 'belong' to people or groups, so that the identity of
> the wikigroup or page itself basically tells me who has the password.

That's pretty much exactly my context as well. In a non-profit, there are lots
of levels of people, from department head to part-time volunteers and
"my brother from Melbourne, Australia".

So not needing to be bound to a requirement to know each and every
one of these users is actually a plus, assuming your security is
not compromised in such a "loose" framework.

All I really want to know about "VisitorCare" (a wiki group-cluster)
is the one man, "Rajan", who is in touch with all the "hosts"... and
I don't really need (or want) to know that Shama, Deva, Ishani, Alice
are "hosts" as such... all of whom got the password from "Rajan."


> The real issue with the table is remembering to update it.  It's not a
> technically necessary step, so it's easy to postpone and then forget
> to add a new password to the list.  If you do have to add "who got it"
> to the data you track, you may find that AuthUser actually requires
> less effort to maintain, once it's set up -- as Sandy said:
> 
> Quote
> --------------------
> Back to AuthUser. On the attrib pages, it shows either **** for a
> classic-style password, or id:George or @GroupOne , which is much more
> informative.
> 
> It will also allow you to add / remove individuals without affecting
> others, and track authors more accurately.
> 
> Downside is that each person must be given a name and password, and
> you'll have to update SiteAdmin/AuthUser for each person. And then
> you'll have to stick people into user groups. (Each person can be in an
> unlimited number of user groups.) But you'd have to do much of this with
> any of the other methods.
> ----------------------
> /Quote
> 
> Since with AuthUser, the "who got it" is displayed right on the attr
> screen, and removes the need to track passwords themselves there, this
> might actually be simpler and more efficient than the tracking table
> for the native password-authentication, and the added simplicity might
> trump the 'wait for a business case' argument against AuthUser.

I did see that and had exactly the same thoughts come to mind...


On the other hand, the question remains (point made above)
if you really, really *need* to know each individual who is participating.

There is a slick advantage of being able to just give a password to
Department Head A... who then gives it to staff members 1, 2, 3, 4
who you, as wiki admin, may never know or care to know or need
to track... if there is a leak, Department Head A just tells you
"We've been compromised, can you please change all instances
of "Rose" to "Jasmine"?"

With AuthUser, Department Head A has to get back to you and say
"Can you please add Sushila to the Volunteers user group? I already
gave her the password."

> 
> If only AuthUser didn't have that ?action=login bug.


What is that? Does it relate to your home page UI model
that you showed me before? (See other memo off list.)


Sivakatirswami
www.himalayanacademy.com


