[pmwiki-users] How to restrict auth to secure connections

Daniel Rubin Daniel.Frederik.Rubin at scai.fraunhofer.de
Tue Sep 5 03:14:06 CDT 2006


Hi Bart,

and first of all:  Thanks for this detailed and enlightening post!

It seems you have just given me the tools I need to do what I want.

The config.php stuff looks just right:  This is exactly what I was after.

Not showing the edit, attach, etc. action links when not authenticated 
was something I had figured out for myself, too, but the hiding of the 
login action when without https is a nice extra.

So, thanks again, I will try to implement this this afternoon and drop a 
short note to the list about how it worked out.

Have fun,
----Daniel



Bart wrote:
> Hi Daniel, 
> 
> On Thu, Aug 31, 2006 at 09:48:28AM +0200, Daniel Rubin wrote:
> | Hi Bart,
> | please forgive me for letting you wait so long for an answer.  I was out of 
> | work for a couple of days and only just read your message.
> | 
> | What you propose really looks like a fine concept, but unfortunately 
> | doesn't suit my needs (as far as I can see).  Using the Apache 
> | authentication would cause a login dialog to pop up on any access to the 
> | wiki, wouldn't it?  
> 
> Actually it won't; once authenticated, it's valid for the whole browser
> session. But I dropped the concept of passing the Apache authentication to
> PmWiki, because PmWiki authentication is much more transparent to set up in a
> mixed PmWiki http/https environment.
> 
> | But I want anybody to be able to view wiki pages without any fuzz, to have
> | a somehow CMS-like behavior of the wiki engine. All I want to do is to
> | ensure that people who have valid login credentials don't expose them by
> | logging in through an insecure connection.
> 
> I worked out the following setup:
> 
> PmWiki reachable via http for browsing: no action links visible, actions
> not working when appended to the URL.
> PmWiki reachable via https for editing; login via Apache or PmWiki, whichever
> you like best. 
> 
> | I was thinking it should be possible to achieve my goal by a few simple 
> | lines in config.php.  Is there a $_SERVER variable indicating whether a 
> | request is from an https connection or not?  I believe I saw something 
> | concerning the originating IP address, so that would solve half my problem.
> 
> For Apache there is $_SERVER["HTTPS"], which is "on" if connecting via https
> and which is the key for my setup. Be aware this can be server-specific. So
> if things don't work, the variable is probably not present or not set by the
> webserver.
> 
> | And maybe I could use the AuthUserId function you mentioned in your 
> | quote from the cookbook, to cancel an authentication after I worked out 
> | it is illegal because of its source?
> 
> Actually there is a way that is much easier and more straightforward :-)
> 
> for your: config.php
> 
> # switch off the actions below if not on https
> # (compare the string itself: "!" binds tighter than "==", so
> #  "!@strtolower($_SERVER['HTTPS']) == 'on'" would test a boolean, not the value)
> if (strtolower(@$_SERVER["HTTPS"]) != 'on') {
>   $HandleActions['edit'] = '';
>   $HandleActions['upload'] = '';
>   $HandleActions['attr'] = '';
>   $HandleActions['source'] = '';
>   $HandleActions['rename'] = '';
>   $HandleActions['login'] = '';
> }
> 
> This switches off all the actions listed when not using https, so people
> can't reach the login form anymore when using http. Just try it by appending
> ?action=login or another action to a page displayed via http. PmWiki just
> returns the page in browse view. 
> 
> Thanks to Pm for pointing this out in one of his posts on this list :-)
> 
> Hiding the action links to get a kind of CMS look can be done in more
> than one way. There are even recipes in the cookbook doing this for you.
> However, I liked to figure out how to do this myself :-)
> 
> It's not that hard :-) Edit Site.PageActions and precede the actions list
> with: (:if authid:) or you can use (:if auth edit:) or (:if auth admin:) and
> the like to show only the links one is authenticated for.
> 
> I also set up a separate Login link at the end of the list, because the
> other links are hidden when not logged in. It'll only show up when using
> https:
> 
> (:if equal {$https} on :)
> * %item rel=nofollow class=rename accesskey=$[ak_login]%[[{$FullName}?action=login | $[Login] ]]
> 
> And presto! On http the site looks like a static site: no links, no way to
> invoke a login form. On https there's a login link. Once logged in, the other
> action links show up :-)
> 
> Be aware that (:if :) blocks do not nest. Just read
> http://pmwiki.org/wiki/PmWiki/ConditionalMarkup for a good explanation of this.
> 
> 
> Good luck, Bart 
> 
> 
> 
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
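A config.php version of the check Bart describes, added here as an example (it is not Bart's or Daniel's code). It also covers servers that set $_SERVER['HTTPS'] to "off" rather than leaving it unset, and it defines the {$https} page variable used in the Site.PageActions markup; the variable name and the use of $FmtPV for it are assumptions, not something the thread confirms.

```php
<?php
// Added example for config.php: keep the authenticated actions unreachable
// unless the request arrived over https.
// Assumes Apache sets $_SERVER['HTTPS'] to "on" for TLS requests; some
// servers set it to "off" instead of leaving it unset, so both are handled.

function IsSecureRequest() {
  $https = isset($_SERVER['HTTPS']) ? strtolower($_SERVER['HTTPS']) : '';
  return $https !== '' && $https !== 'off';
}

// Actions that must never be reachable over plain http. Setting the handler
// to '' makes PmWiki fall back to the browse view, as in Bart's snippet.
$SecureOnlyActions = array('edit', 'upload', 'attr', 'source', 'rename', 'login');

if (!IsSecureRequest()) {
  foreach ($SecureOnlyActions as $a) $HandleActions[$a] = '';
}

// Page variable {$https} for Site.PageActions markup such as
// (:if equal {$https} on :). $FmtPV entries are PHP expressions that PmWiki
// evaluates, so the value is a quoted string literal. The name {$https} is
// assumed here to match the markup quoted above.
$FmtPV['$https'] = IsSecureRequest() ? '"on"' : '"off"';
```

Because the action table is emptied before any handler runs, appending ?action=login over http yields the browse view whether or not the user types a valid password.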