[pmwiki-users] Password Locations

Hans design5 at softflow.co.uk
Tue Sep 30 02:10:58 CDT 2008


Tuesday, September 30, 2008, 1:05:01 AM, Peter wrote:

> I'm trying to change the password on my Wiki and I'm having a bit of
> trouble.   Below is part of my config.php and let me explain what's
> happening.  My admin password (qqq) works fine.  My attr password is the
> same so it works fine.  My edit password (xxx) is given out to my employees
> and it's not fine.

> The problem began when I wanted to change the old edit password (yyy) since
> we had a bit of a turnover in staff and I didn't want any wiki vandalism.
> Currently the 'yyy' password will get you edit privileges into the site and
> I don't want it to.  When I uncomment out the ForbiddenPasswords section
> suddenly the new edit password 'xxx' fails to work.  They are completely
> different passwords.  The 'zzz' password is quite similar to the 'yyy'
> password and hence it's there also in case any guesswork is attempted and to
> also remind me not to use that one.  To fix my issue where nobody can log in
> but myself I have to comment out the ForbiddenPasswords section.

> My question is where is the 'yyy' password being stored that also knocks out
> the 'xxx' password?

> $DefaultPasswords['admin'] = crypt('qqq');
> $DefaultPasswords['attr'] = crypt('qqq');
> $DefaultPasswords['edit'] = crypt('xxx');
>
> ##$ForbiddenPasswords = array('yyy', 'zzz');
> ##if (in_array(@$_POST['authpw'], $ForbiddenPasswords))
> ##unset($_POST['authpw']);

There should be absolutely no need for a $ForbiddenPasswords array,
and I guess it does you more harm than good.

If you need a new edit password for your employees, just set
   $DefaultPasswords['edit'] = crypt('xxx');
and any previous password is no longer useful.
If you find that people can still edit pages with the old demoted
password (without you introducing a ForbiddenPasswords check)
then check if those pages or the groups they belong to have the edit
password set through action=attr, as this overrides the site-wide
passwords set in config.php.
The page SiteAdmin.AuthList will list pages which have passwords set
(without revealing them).


  ~Hans
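
The override described in the reply above can also be checked from the filesystem. The script below is an added example, not part of the original thread and not PmWiki code; it assumes the default flat-file page store (one file per page in wiki.d/, attributes stored as `passwdedit=` lines, deleted pages kept with a `,del-` suffix), and its sample directory and hashes are constructed.

```shell
#!/bin/sh
# Added example: find PmWiki pages and groups whose stored attributes set an
# edit password (via action=attr), which overrides $DefaultPasswords['edit'].
# Assumptions: default flat-file store, one file per page in wiki.d/ named
# Group.Name, attributes stored as "key=value" lines such as "passwdedit=...",
# and deleted pages kept as "Group.Name,del-<timestamp>".

# list_edit_overrides DIR
# Prints "group <Group>" or "page <Group.Name>" per override; never the hash.
list_edit_overrides() {
    dir=$1
    for f in "$dir"/*.*; do
        [ -f "$f" ] || continue
        page=${f##*/}
        case $page in *,*) continue ;; esac      # skip deleted/backup copies
        # Page text lives on a single "text=" line, so a line that starts with
        # "passwdedit=" and carries a value is always a stored attribute.
        grep -q '^passwdedit=.' "$f" || continue
        case $page in
            *.GroupAttributes) echo "group ${page%.GroupAttributes}" ;;
            *)                 echo "page $page" ;;
        esac
    done
    return 0
}

# make_sample_wikid: builds a constructed wiki.d (fake hashes), prints its path.
make_sample_wikid() {
    d=$(mktemp -d)
    printf '%s\n' 'passwdedit=$1$constructed$oldhash' 'text=staff area' \
        > "$d/Staff.GroupAttributes"
    printf '%s\n' 'passwdedit=$1$constructed$oldhash' 'text=welcome' \
        > "$d/Main.HomePage"
    printf '%s\n' 'text=mentions passwdedit=foo inline' > "$d/Main.Sandbox"
    printf '%s\n' 'passwdedit=$1$constructed$oldhash' 'text=gone' \
        > "$d/Staff.Old,del-1222750000"
    echo "$d"
}

# Usage: sh audit.sh /path/to/wiki.d
if [ -n "${1:-}" ]; then list_edit_overrides "$1"; fi
```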



