[pmwiki-users] Password Locations
Hans
design5 at softflow.co.uk
Tue Sep 30 02:10:58 CDT 2008
Tuesday, September 30, 2008, 1:05:01 AM, Peter wrote:
> I'm trying to change the password on my Wiki and I'm having a bit of
> trouble. Below is part of my config.php and let me explain what's
> happening. My admin password (qqq) works fine. My attr password is the
> same so it works fine. My edit password (xxx) is given out to my employees
> and it's not fine.
> The problem began when I wanted to change the old edit password (yyy) since
> we had a bit of a turnover in staff and I didn't want any wiki vandalism.
> Currently the 'yyy' password will get you edit privileges into the site and
> I don't want it to. When I uncomment out the ForbiddenPasswords section
> suddenly the new edit password 'xxx' fails to work. They are completely
> different passwords. The 'zzz' password is quite similar to the 'yyy'
> password and hence it's there also in case any guesswork is attempted and to
> also remind me not to use that one. To fix my issue where nobody can log in
> but myself I have to comment out the ForbiddenPasswords section.
> My question is where is the 'yyy' password being stored that also knocks out
> the 'xxx' password?
> $DefaultPasswords['admin'] = crypt('qqq');
> $DefaultPasswords['attr'] = crypt('qqq');
> $DefaultPasswords['edit'] = crypt('xxx');
>
> ##$ForbiddenPasswords = array('yyy', 'zzz');
> ##if (in_array(@$_POST['authpw'], $ForbiddenPasswords))
> ##unset($_POST['authpw']);
There should be absolutely no need for a $ForbiddenPasswords array,
and I guess it does you more harm than good.
If you need a new edit password for your employees, just set
$DefaultPasswords['edit'] = crypt('xxx');
and any previous password is no longer useful.
If you find that people can still edit pages with the old demoted
password (without you introducing a ForbiddenPasswords check)
then check if those pages or the groups they belong to have the edit
password set through action=attr, as this overrides the site-wide
passwords set in config.php.
The page SiteAdmin.AuthList will list pages which have passwords set
(without revealing them).
~Hans
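
Added example (not part of the original message, and not PmWiki's own code): a short Python audit that lists which pages or groups carry their own passwords, the overrides the reply says take precedence over config.php, without printing the stored values. It assumes PmWiki's flat-file store (a `wiki.d` directory of `Group.Name` files with one `key=value` attribute per line, passwords under keys such as `passwdedit`); the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Assumption: per-page passwords are stored as attribute lines with these keys.
PASSWD_KEYS = ("passwdread", "passwdedit", "passwdattr", "passwdupload")


def find_page_passwords(wiki_dir):
    """Return (page, level, scope) tuples for pages that set their own passwords."""
    findings = []
    for name in sorted(os.listdir(wiki_dir)):
        path = os.path.join(wiki_dir, name)
        # Skip non-page files; names with "," are assumed to be deleted-page copies.
        if not os.path.isfile(path) or "." not in name or "," in name:
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                key, sep, value = line.rstrip("\n").partition("=")
                if sep and key in PASSWD_KEYS and value.strip():
                    level = key[len("passwd"):]  # "edit", "read", ...
                    # Group-wide overrides live on the group's GroupAttributes page.
                    scope = "group" if name.endswith(".GroupAttributes") else "page"
                    findings.append((name, level, scope))  # value is never reported
    return findings


def make_sample_store():
    """Build a constructed wiki.d-style directory for demonstration."""
    root = tempfile.mkdtemp(prefix="wikid-sample-")
    samples = {
        "Main.HomePage": "text=Welcome\n",
        "Main.GroupAttributes": "passwdedit=CONSTRUCTED-HASH-PLACEHOLDER\n",
        "Staff.Rota": "passwdedit=CONSTRUCTED-HASH-PLACEHOLDER\npasswdread=\n",
        "Staff.Old,del-0000000000": "passwdedit=CONSTRUCTED-HASH-PLACEHOLDER\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for page, level, scope in find_page_passwords(make_sample_store()):
        print(f"{page}: {level} password set at {scope} level")
```

Any page or group it reports should be reviewed through action=attr after the site-wide edit password is rotated.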