[pmwiki-users] authuser
OBUTEX / Hladůvka
admin at obutex.com
Tue Mar 21 11:13:37 CST 2006
Hi all,
I have had a similar problem: when I logged in as a user with admin rights
and afterwards as a common user
without closing the browser (MSIE), I could usually access
functions that are forbidden to a common user.
My site allows only logged-in users to read; all other actions are
allowed only to users with membership @admin.
This is set in Site.SiteAttributes.
Any exceptions are set by Somegroup.GroupAttributes or page attributes.
Each user is defined in Site.AuthUser (including his membership).
My local/config.php contains these sections concerning authorization:
#-------------------
## DefaultPasswords
$DefaultPasswords['admin'] = '@admins';
$DefaultPasswords['read'] = 'id:*';
# ------------------------------------------
## Define usernames and passwords.
$AuthUser['Admin'] = crypt('somepwd');
## Enable authentication based on username.
include_once('scripts/authuser.php');
## Let Author = AuthId
if (@$AuthId) $Author = $AuthId;
# ------------------------------------------
## membership
$Conditions['member'] = '@$GLOBALS["AuthList"][$condparm] > 0';
#Then you can do:
# (:if member @staffwarehouse:)info for warehouse
# (:if member @staffbookkeepers:)info for bookkeepers
# (:if:)
#The above "member" condition also works to identify specific
#usernames, thus
# (:if member id:alice :)Hello, Alice
# (:if member id:bob :)Hello, Bob
# (:if member @editors :)You're allowed to edit pages
# ------------------------------------------
There is no .htpasswd file, so I can maintain everything through the
Site.AuthUser page. 8-)
I found that with such a configuration, access to the site has to be
done using the URL
http://some_domain/path_to_instalation_folder/index.php/some_group/some_page
(the page then asks for login).
If I used http://some_domain/path_to_instalation_folder
then only Admin could log in, and after that a normal user could be logged
in (without closing the browser).
I hope this info is useful for you.
Best regards,
Jiri
Patrick R. Michaud wrote:
> On Tue, Mar 21, 2006 at 10:46:18AM -0500, Rene Paquin wrote:
>
>> Yes, that does fix it. Thank you. However, I notice that with the
>> following configuration, when I log in as rene/testing I can access the
>> admin area. I shouldn't be able to do that, am I correct?
>>
>> ## Enable authentication based on username.
>> ## Define usernames and passwords.
>> $AuthUser['rene'] = crypt('testing');
>> $DefaultPasswords['edit'] = 'id:*';
>> $DefaultPasswords['read'] = 'id:*';
>> $DefaultPasswords['admin'] = crypt('admin');
>> include_once('scripts/authuser.php');
>>
>
> Depends on what you mean by "access the admin area"? Normally
> the Site.* pages are publicly readable. Also, once you enter the
> admin password ('admin'), you have admin privileges until you
> log out or change a page's password somewhere -- even if you
> log in as another account.
>
> Pm
>
--
OBUTEX s.r.o
Ing.Jiří Hladůvka
Zlatovská 22
911 01 Trenčín
tel.: +421 (0)32 6587000
mailto:admin at obutex.com
http://www.obutex.com
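
The session behaviour described in this thread (credentials gained by one login staying in effect when a second account logs in from the same browser without a logout), as an added example that is not part of the original message and is not PmWiki's own code. It is a simplified model: the session layout, the `login()` and `allowed()` helpers and the account `jiri` are assumptions made for illustration; the `id:*` and `@admins` values come from the config quoted above.

```php
<?php
// Simplified model of the behaviour discussed in this thread; not PmWiki code.
// Required credential per level, taken from the config quoted in the message.
$required = ['read' => 'id:*', 'admin' => '@admins'];

// Constructed sample accounts: username => group memberships.
$accounts = ['Admin' => ['@admins'], 'jiri' => []];

// Record a login in the session. With $reset = false, credentials from earlier
// logins in the same browser session are kept. With $reset = true the session
// is cleared first, which is what logging out before the next login achieves.
function login(array $session, string $user, array $accounts, bool $reset): array {
    if (!isset($accounts[$user])) {
        throw new InvalidArgumentException("unknown account: $user");
    }
    if ($reset) {
        $session = ['authid' => null, 'authlist' => []];
    }
    $session['authid'] = $user;
    $session['authlist']["id:$user"] = 1;
    foreach ($accounts[$user] as $group) {
        $session['authlist'][$group] = 1;
    }
    return $session;
}

// A level is granted when the session holds the required credential;
// 'id:*' matches any logged-in identity.
function allowed(array $session, string $level, array $required): bool {
    $need = $required[$level];
    if ($need === 'id:*') {
        return $session['authid'] !== null;
    }
    return isset($session['authlist'][$need]);
}

$empty = ['authid' => null, 'authlist' => []];

foreach ([false, true] as $reset) {
    $s = login($empty, 'Admin', $accounts, $reset);
    $s = login($s, 'jiri', $accounts, $reset);   // same browser, no logout
    printf("reset=%s user=%s read=%s admin=%s\n",
        var_export($reset, true), $s['authid'],
        var_export(allowed($s, 'read', $required), true),
        var_export(allowed($s, 'admin', $required), true));
}
```

In the first pass the session still carries `@admins` although the current identity is the common user; in the second pass the admin credential is gone because the session was cleared before the second login.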