[pmwiki-users] authuser forcing Author name stopped working?

Patrick R. Michaud pmichaud at pobox.com
Fri Jul 8 01:06:12 CDT 2005


On Thu, Jul 07, 2005 at 10:00:17PM -0700, H. Fox wrote:
> On 7/7/05, Neil Herber <nospam at eton.ca> wrote:
> > It needs to do something like:
> >
> > if user name on form exists in .htpasswd
> >          if passwords match
> >                  user is authenticated, set author name
> >          else
> >                  user is a spoofer, refuse entry
> >          endif
> 
> authuser.php does this automatically.

Well, not exactly -- authuser.php doesn't "refuse entry".
It simply doesn't authenticate the user (set $AuthId).
But the user may still be authorized to perform the requested
password by virtue of knowing a shared password, which isn't 
really determined until later.

Also, authuser.php doesn't assume that a particular username
has only one password; it assumes that authentication could come
from any of several sources, so it can't simply reject things
based on the first matching username it encounters.  Well,
I suppose it *could* do that, but then we'll need a way to
specify the order in which user authentication entries are
to be processed.

What Neil is looking for is a way to prevent anyone from using
usernames in the authentication records if they aren't
authenticated as that particular user.  That's a fair amount
trickier, because it's really a form of negative authentication
("if you know the shared password, you can claim to be 
anyone except Neil or Bob").  But it's probably something 
worth solving, since being able to password-protect the use of
specific author names is likely to be desired...

I'll have to sleep on it for now and see if the morning brings
a good solution to mind.

Pm
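A small model of the distinction drawn above, added here as an illustration rather than taken from PmWiki's authuser.php: authentication tries several sources and only sets an AuthId on a match (never "refusing entry" on the first miss), authorization may instead come from a shared password, and the "negative authentication" Neil wants is a separate check that a protected author name is only usable by the user authenticated as that name. The source layout, hashing scheme, function names and sample credentials are all constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data. The salted PBKDF2 scheme is an assumption for this
# illustration, not the format of .htpasswd or of PmWiki's auth records.
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# Two independent authentication sources, as authuser.php allows; note that
# "Neil" legitimately has a different password in each.
HTPASSWD_SOURCE = {"Neil": _hash("neil-secret"), "Bob": _hash("bob-secret")}
LOCAL_SOURCE = {"Neil": _hash("neil-other-secret")}
AUTH_SOURCES = [HTPASSWD_SOURCE, LOCAL_SOURCE]

# A shared password grants the "edit" action without identifying anyone.
SHARED_PASSWORDS = {"edit": _hash("shared-edit")}

# Author names that may only be claimed by the matching authenticated user.
PROTECTED_AUTHORS = {"Neil", "Bob"}


def authenticate(username: str, password: str, sources=AUTH_SOURCES) -> Optional[str]:
    """Return username as the AuthId if ANY source verifies it, else None.

    A mismatch in one source is not a rejection: a later source may still
    match, which is why the first encountered username cannot be decisive.
    """
    candidate = _hash(password)
    for source in sources:
        stored = source.get(username)
        if stored is not None and hmac.compare_digest(stored, candidate):
            return username
    return None


def authorize(action: str, auth_id: Optional[str], password: str,
              shared=SHARED_PASSWORDS) -> bool:
    """Authorization is decided separately from authentication.

    In this toy model any authenticated user may perform the action, and so
    may an unauthenticated visitor who knows the action's shared password.
    """
    if auth_id is not None:
        return True
    stored = shared.get(action)
    return stored is not None and hmac.compare_digest(stored, _hash(password))


def allowed_author_name(requested: str, auth_id: Optional[str],
                        protected=PROTECTED_AUTHORS) -> bool:
    """Negative rule: a protected name is usable only by that exact AuthId.

    Everyone else (including shared-password users) may pick any other name.
    """
    if requested in protected:
        return auth_id == requested
    return True


def handle_edit(username: str, password: str, author_field: str) -> str:
    """Run the three checks in order and report the outcome."""
    auth_id = authenticate(username, password)
    if not authorize("edit", auth_id, password):
        return "denied: not authorized"
    if not allowed_author_name(author_field, auth_id):
        return "denied: protected author name"
    return f"ok as {auth_id or author_field}"


if __name__ == "__main__":
    print(handle_edit("Neil", "neil-other-secret", "Neil"))   # matched via LOCAL_SOURCE
    print(handle_edit("anyone", "shared-edit", "Neil"))       # shared password, but name protected
    print(handle_edit("anyone", "shared-edit", "Alice"))      # shared password, free name
```

The point the model makes concrete is that the protection Neil asks for cannot live inside `authenticate()` alone: a visitor who never authenticates can still be authorized by the shared password, so the author-name check has to run after authorization, against whatever AuthId (possibly none) was established.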


