[pmwiki-users] AuthUser and groups

Eemeli Aro eemeli at gmail.com
Tue Feb 1 03:17:10 CST 2011


On 27 January 2011 20:17, Paul E. Bloch <paul at cs.uoregon.edu> wrote:
> We are using AuthUser for PmWiki access control.  I have two questions.
> Is there away to allow access for everyone except members of a group?

Yes. See next answer.

> Is there a variable like $AuthId that tracks the group of a user?  I am mostly interested in using this for testing, so ideally it would be the group membership that allowed access to a page.

It's $AuthList, and it's the array that actually determines your
access rights. It ends up with entries like 'id:blah' => 1, 'password'
=> 1, and '@group' => 1 after you've included scripts/authuser.php. If
you want to modify that array, you should do so immediately
afterwards, and if your modifications depend on the page/group being
accessed you should call ResolvePageName() before doing so -- it'll
get called in any case by scripts/stdconfig.php.

At the lowest level, the function that actually reads this array is
IsAuthorized(), which is called whenever your credentials might be
questioned.

To allow access for everyone except those in a defined group, the
default authuser rules aren't enough (as you've found out). The
problem is that you can't use the '-' negation prefix with groups. The
simplest solution that I think should work is the following:

1. Define your @specialgroup somewhere
2. Include scripts/authuser.php
3. Add the following to your config files just after that:
    if (!empty($AuthList['@specialgroup'])) $AuthList['@specialgroup'] = -1;
4. Define your access rules as follows: '@specialgroup id:*'

The extra config line will set membership of @specialgroup to be,
well, de-authorizing, and provided that it's before other rules it
should short-circuit any further rules (actually, the order might not
matter). Note that I haven't tested this, but it should work.

eemeli



More information about the pmwiki-users mailing list