[pmwiki-users] Site.AuthList Questions

Sivakatirswami katir at hindu.org
Wed Jun 27 05:39:07 CDT 2007


Neil Herber (nospam) with a great deal of compassionate patience, wrote:

> I am not sure that I can answer all of your questions, but this is my 
> attempt ...
> 
> PmWiki passwords without AuthUser do not authenticate the user. I need 
> to know who has done what and be sure that it really was the person it 
> was supposed to be. Hence my choice of Apache BA.
> 
> I could just use PmWiki AuthUser, because that *does* authenticate the 
> user. However, it does not protect anything "outside" of the wiki. In my 
> case, I have file libraries that live outside of the wiki. For example:
> 
[snip]
> 
> One other feature I really like about Apache BA versus AuthUser is that 
> the .htaccess file is unservable. The Site.AuthUser page is servable, 
> and hence more vulnerable (but not much I suspect).
> 
> To reiterate, I use Apache BA to authenticate the users, then I can use 
> AuthUser to assign permissions to particular users by name, without 
> needing their passwords.
> 

Excellent, I think that *does* answer my question.

  "Why would one choose Apache BA? (or AuthUser)"

Thank you for taking the time to make it so clear.

  A useful brainstorm here....

  In my case the content does all live inside the wiki.
(well almost, some content outside the wiki that is servable but OK for
public consumption.)

But the other key point is: PMWiki passwords=user unknown.

Well, not exactly... you could still set author required variable
(I forget how to do that and can't find the variable
name in the docs any more...)
which at least forces authors to enter something.
They could of course mask their true identity. Or someone who got
hold of a password could spoof a trusted user's identity.

So then the question becomes: can one live
without being absolutely certain of the author?

I guess the easy path forward is to start with PMwiki passwords only and
then see if a real "business case" emerges that mandates strict user
authentication.

At least I understand it now! Thank you for your patience.

Sivakatirswami
www.himalayanacademy.com
