[pmwiki-users] Access control boot camp (please!)

H. Fox haganfox at users.sourceforge.net
Sat May 6 21:41:53 CDT 2006


On 5/6/06, Jason Roberts <jason at jasonroberts.net> wrote:
> I've had no problems setting my admin password via the config.php
> file--but it's the only one I can get to work!
>
> I turned on authuser functionality. I inserted login accounts into
> the Site/AuthUser page, and they encrypt just like they're supposed
> to. But they don't get recognized when I use them to log in. I also
> tried inserting edit-level accounts into config.php. No go.

How did you try inserting an edit-level account?

At least for the time being, you should be able to set a global edit
password with

   $DefaultPasswords['edit']='$1$/PPoEleM$R1TxfBrbz.A9HFVxyR36I1';

near the top of your config.php file (substituting the appropriate
crypted string for your global edit password of course).

Remember that order matters.  If you are using authuser.php then any
username/password pairs you place into config.php need to be inserted
*above* the line that includes authuser.php.

Be sure to remove the leading "#" from the lines you are putting into
the Site.AuthUser page, otherwise they will be commented out.

> Additionally, the access control at the homepage has an easy
> workaround: since the "search" function is enabled on that page,
> anyone could just search for a simple string, then jump into the
> pages that Search pulls up.

From docs/sample-config.php:

## By default, viewers are able to see the names (but not the
## contents) of read-protected pages in search results and
## page listings.  Set $EnablePageListProtect to keep read-protected
## pages from appearing in search results.
# $EnablePageListProtect = 1;

From the Release Notes:

The $EnablePageListProtect variable now defaults to true, so that
read-only pages appear in pagelists only if the visitor has read
authorization. Note that this can also slow down some (:pagelist:) and
search commands, so if the site doesn't have any read-only pages or if
you aren't worried with cloaking read-only pages from searchlists, it
might be worth setting $EnablePageListProtect=0;

One of them is wrong.  :-)

It's also possible to cloak certain readable pages (pages in the Site
and PmWiki groups, for example) from searches unless you have edit
permissions.  Try this at the bottom of your config.php.

   $pagename = ResolvePageName($pagename);
   $page = RetrieveAuthPage($pagename, 'read', false, READPAGE_CURRENT);
   if (! @$page['=auth']['edit']) {
     $SearchPatterns['default'][] = '!\\.(All)?Recent(Changes|Uploads)$!';
     $SearchPatterns['default'][] = '!\\.Group(Print)?Header$!';
     $SearchPatterns['default'][] = '!^Main\\.!';
     $SearchPatterns['default'][] = '!^PmWiki\\.!';
     $SearchPatterns['default'][] = '!^Site\\.!';
   }

> I know these are newbie questions, so I appreciate your patience. But
> what I want to do is: Have just one global access control point,
> where my 33 users will need to log in with individual passwords.
>
> This is doable, right? Probably easily. I'm just not getting it, and
> meanwhile my supposed-to-be-private wiki is just hanging out there in
> the clear. Any help would be most appreciated.

It's very doable.  A little perseverance will go a long way.  :-)

Hagan
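
The setup discussed in this thread, collected into one config.php fragment. This is an added example, not part of the original message or of PmWiki's distribution; the usernames and crypted-string placeholders are constructed, and using 'id:*' (PmWiki's AuthUser syntax for "any logged-in user") as the site-wide read and edit password is an assumption about how the single login point would be configured.

```php
<?php if (!defined('PmWiki')) exit();
# local/config.php (fragment). The existing admin password line stays as it is.

# Individual accounts defined in config.php. These must appear ABOVE the
# include of authuser.php at the bottom, or they are not recognized at login.
# Usernames are constructed; each value is a placeholder for that user's
# crypted string, not a real hash.
$AuthUser['alice'] = 'CRYPTED-STRING-FOR-ALICE';
$AuthUser['bob']   = 'CRYPTED-STRING-FOR-BOB';

# Assumption: one global access control point. 'id:*' matches any visitor
# who has logged in with a valid account, so anonymous visitors get the
# login form instead of page content.
$DefaultPasswords['read'] = 'id:*';
$DefaultPasswords['edit'] = 'id:*';

# Keep read-protected pages out of search results and page listings,
# whatever the default is in the installed release.
$EnablePageListProtect = 1;

# Enable AuthUser only after the accounts above are defined.
# Accounts listed on the Site.AuthUser page are read as well; lines there
# that still begin with "#" are comments and are ignored.
include_once("$FarmD/scripts/authuser.php");
```

Setting $EnablePageListProtect explicitly avoids depending on which of the two documented defaults the installed version actually uses.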



