[pmwiki-users] Group security

Patrick R. Michaud pmichaud at pobox.com
Mon Feb 26 16:12:03 CST 2007


On Mon, Feb 26, 2007 at 02:02:30PM -0800, Robert Laird wrote:
> 
>    "DEF" needs to be a password-protected group... anyone with access to this
>    internal wiki should be able to get to anything in the wiki except for the
>    "DEF" group, unless authenticated.
> 
>    I used the command:
> 
>    http://internalwiki/PMWiki/pmwiki.php?n=DEF.GroupAttributes?action=attr
> 
>    in order to set the group password, and that works. The first time someone
>    who knows the password accesses the DEF group, it asks for a password. Once
>    authenticated, that user can get to any page in the DEF group.
> 
>    However, someone who is not authenticated only has to do a search, and
>    once a DEF.something page is found, they can click on it and it will
>    display. This is not good.

If you've set a read password for the group, then someone who
has not entered the password should not be able to view the page
(nor see it in the results of a search).  If you're able to
see the page, then chances are that you've authenticated somehow.

Are you sure you aren't already authenticated at the time of
doing your testing?  PmWiki remembers passwords until explicitly
logged out or all browser windows are closed.

Try explicitly logging out with ?action=logout before performing
the search.

>    It would also be nice to make sure that Recent Changes won't show DEF
>    pages unless authenticated.

One can configure PmWiki so that DEF pages won't show up in
Site.AllRecentChanges at all, but there's not a way to selectively
view from Site.AllRecentChanges.

>    P.S. We're running pmwiki-2.1.beta14

Aha!  The other thing you will want to do is set the following
in your local/config.php:

    $EnablePageListProtect = 1;

This tells PmWiki to not display read-protected pages in pagelists
and search results unless the person is authorized to view the page.

Oddly enough, this setting became the default in 2.1.beta15,
so you could try upgrading to a later version of PmWiki and see
if that improves things for you.

Hope that helps; if things still don't seem to be working, let us know.

Pm
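
One way to confirm the effect of $EnablePageListProtect from the outside, as an added example that is not part of the original message or PmWiki's own code: save the search results page as seen by a logged-out session and list any links into the protected group. The HTML samples and the page names in them are constructed, and the two link shapes handled (?n=Group.Page and pmwiki.php/Group/Page) are assumptions about how the site writes its URLs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class _Links(HTMLParser):
    """Collect the href of every <a> tag in a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def pagename_from_href(href):
    """Return 'Group.Page' for ?n=Group.Page or .../Group/Page links, else None."""
    parts = urlsplit(href)
    n = parse_qs(parts.query).get("n")
    if n:
        candidate = n[0].split("?")[0]  # tolerate a trailing '?action=...'
    else:
        candidate = parts.path.rsplit("pmwiki.php", 1)[-1].strip("/")
    candidate = candidate.replace("/", ".")
    return candidate if re.fullmatch(r"[\w-]+\.[\w-]+", candidate) else None

def leaked_pages(html, protected_group):
    """Names of pages in protected_group that are linked from html."""
    parser = _Links()
    parser.feed(html)
    names = {pagename_from_href(h) for h in parser.hrefs}
    prefix = protected_group.lower() + "."  # compare case-insensitively
    return sorted(x for x in names if x and x.lower().startswith(prefix))

# Constructed sample: logged-out search results without page list protection.
SAMPLE_UNPROTECTED = """<ul>
<li><a href="http://internalwiki/PMWiki/pmwiki.php?n=Main.HomePage">HomePage</a></li>
<li><a href="http://internalwiki/PMWiki/pmwiki.php?n=DEF.Budget">Budget</a></li>
<li><a href="http://internalwiki/PMWiki/pmwiki.php/DEF/Roadmap">Roadmap</a></li>
</ul>"""

# Constructed sample: the same search once protected pages are filtered out.
SAMPLE_PROTECTED = """<ul>
<li><a href="http://internalwiki/PMWiki/pmwiki.php?n=Main.HomePage">HomePage</a></li>
</ul>"""

if __name__ == "__main__":
    for label, page in (("before", SAMPLE_UNPROTECTED), ("after", SAMPLE_PROTECTED)):
        print(label, leaked_pages(page, "DEF") or "no DEF pages listed")
```

Run the same check against a saved copy of Site.AllRecentChanges to see whether DEF pages are listed there.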
