[pmwiki-users] How to restrict auth to secure connections

Bart pmwiki-users at mediamatrix.nl
Thu Aug 31 18:17:02 CDT 2006


Hi Daniel, 

On Thu, Aug 31, 2006 at 09:48:28AM +0200, Daniel Rubin wrote:
| Hi Bart,
| please forgive me for letting you wait so long for an answer.  I was out of 
| work for a couple of days and only just read your message.
| 
| What you propose really looks like a fine concept, but unfortunately 
| doesn't suit my needs (as far as I can see).  Using the apache 
| authentication would cause a login dialog to pop up on any access to the 
| wiki, wouldn't it?  

Actually it won't; once authenticated it's valid for the whole browse
session. But I left the concept of passing the apache authentication to
pmwiki, because Pmwiki authentication is much more transparent to set up in a
mixed Pmwiki http/https environment.

| But I want anybody to be able to view wiki pages without any fuzz, to have
| a somehow CMS-like behavior of the wiki engine. All I want to do is to
| ensure that people who have valid login credentials don't expose them by
| logging in through an insecure connection.

I worked out the following setup:

PmWiki reachable via http for browsing: no action links visible, actions
not working when appended to the URL.
Pmwiki reachable via https for editing: login via Apache or Pmwiki, whichever
you like best. 

| I was thinking it should be possible to achieve my goal by a few simple 
| lines in config.php.  Is there a $_SERVER variable indicating whether a 
| request is from an https connection or not?  I believe I saw something 
| concerning the originating IP address, so that would solve half my problem.

For apache there is $_SERVER["HTTPS"], which is "on" if connecting via https,
and which is the key for my setup. Be aware this can be server specific, so
if things don't work the variable is probably not present or not set by the
webserver.

| And maybe I could use the AuthUserId function you mentioned in your 
| quote from the cookbook, to cancel an authentication after I worked out 
| it is illegal because of its source?

Actually there is a way that is much easier and more straightforward to do :-)

for your: config.php

# switch off actions if not on https
# compare the lowercased value itself; "!" binds tighter than "==", so
# "!strtolower(...) == 'on'" would compare a boolean with 'on' instead
if (strtolower(@$_SERVER["HTTPS"]) != 'on') {
  $HandleActions['edit'] = '';
  $HandleActions['upload'] = '';
  $HandleActions['attr'] = '';
  $HandleActions['source'] = '';
  $HandleActions['rename'] = '';
  $HandleActions['login'] = '';
}

This switches off all the actions listed when not using https, so people
can't reach the login form anymore when using http. Just try it by appending
?action=login or another action to a page displayed via http. Pmwiki just
returns the page in browse view. 

Thanks to Pm for pointing this out in one of his posts on this list :-)

Hiding the action links to get a kind of CMS look can be done in more
than one way. There are even recipes in the cookbook doing this for you.
However, I liked to figure out how to do this myself :-)

It's not that hard :-) Edit Site.PageActions and precede the actions list
with: (:if authid:) or you can use (:if auth edit:) or (:if auth admin:) and
the like to show only the links one is authenticated for.

I also set up a separate Login link at the end of the list, because the
other links are hidden when not logged in. It'll only show up when using
https:

(:if equal {$https} on :)
* %item rel=nofollow class=rename accesskey=$[ak_login]%[[{$FullName}?action=login | $[Login] ]]

And presto! On http the site looks like a static site: no links, no way to
invoke a login form. On https there's a login link. Once logged in, the other
action links show up :-)
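The two halves of this setup (the http/https test in config.php and the {$https} page variable used by the Login link) can be tied to one decision. The following is an added config.php example, not Bart's code or PmWiki's own; IsHttpsRequest() and $IsHttps are names chosen here, and the $FmtPV['$https'] definition is assumed because the message above does not show it.

```php
<?php if (!defined('PmWiki')) exit();
## True only when the web server itself reports a TLS request.
## Covers Apache ("on"), servers that set "off" (e.g. IIS) and the
## unset case, and avoids the "!" vs "==" precedence trap. A
## client-supplied X-Forwarded-Proto header is deliberately not
## consulted: only honour one if TLS terminates on a proxy you control.
function IsHttpsRequest() {
  $v = isset($_SERVER['HTTPS']) ? strtolower($_SERVER['HTTPS']) : '';
  return ($v == 'on' || $v == '1');
}

$IsHttps = IsHttpsRequest() ? 'on' : 'off';   # hypothetical variable name

## Expose the result as {$https}, so Site.PageActions can use
## (:if equal {$https} on :) as in the message above.
## (Assumed definition; the original post did not show it.)
$FmtPV['$https'] = '$GLOBALS["IsHttps"]';

if ($IsHttps == 'on') {
  ## Mark the session cookie Secure before PmWiki calls session_start(),
  ## so a login obtained over https is never replayed over plain http.
  ini_set('session.cookie_secure', '1');
} else {
  ## Over plain http, neutralise every action that logs in or modifies;
  ## PmWiki falls back to browse view when the handler is empty.
  ## Bart's list, plus the diff/post handlers that also need auth.
  foreach (array('edit', 'upload', 'attr', 'source', 'rename', 'login',
                 'diff', 'postattr', 'postupload') as $action) {
    $HandleActions[$action] = '';
  }
}
```

With the Secure flag set, a browser that was authenticated over https presents no session cookie on http, so the http view stays a plain browse view even for logged-in users.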

Be aware of the (:if :) behaviour: conditionals do not nest. Just read
http://pmwiki.org/wiki/PmWiki/ConditionalMarkup for a good explanation of this.


Good luck, Bart 