[pmwiki-users] AuthUser and groups
Paul E. Bloch
paul at cs.uoregon.edu
Thu Jan 27 12:17:42 CST 2011
We are using AuthUser for PmWiki access control. I have two questions.
Is there a way to allow access for everyone except members of a group?
Is there a variable like $AuthId that tracks the group of a user? I am mostly interested in using this for testing, so ideally it would be the group membership that allowed access to a page.
More details of our configuration and requirements.
We are using htpasswd and htgroup files to define users and groups. Currently we require a login for any access to the wiki and some page groups are further protected so that only members of a specific group can access those pages. Here are the relevant lines from our config.php:
$DefaultPasswords['admin'] = '@admin';
$DefaultPasswords['attr'] = '@admin';
$DefaultPasswords['edit'] = 'id:*';
$DefaultPasswords['upload'] = 'id:*';
$DefaultPasswords['read'] = 'id:*';
$AuthUser['htpasswd'] = '/etc/pmwiki.passwd';
$AuthUser['htgroup'] = '/etc/pmwiki.group';
This gives the basic access requirement of a login in our htpasswd file for the entire site. For wiki groups that require more restrictive access we change the attributes on the GroupAttributes page to have a read password of '@groupname' where the membership of groupname is defined in the htgroup file.
And the htgroup file has entries like
admin: paul jdash tom sue
There is a new requirement to allow a new group of users access to ONLY pages in their wiki group. I could put everyone in a group 'all' and then make the default read access be '@all', but that requires maintaining that group. Every time we add a new person we add them to 'all', making sure not to add the users with more restrictive rights. Not terrible but it seemed like there might be a better way.
The AuthUser documentation describes a method of excluding individuals from password groups. The example of keeping Fred out of a group is
$DefaultPasswords['attr'] = array('id:*,-Fred');
I reasoned that since my new group included members who were only allowed to access pages in their group, I should be able to exclude them just as Fred is excluded in the example. So I tried modifying my config.php like this:
$DefaultPasswords['read'] = array('id:*,-@specialgroup'); # I tried both of these.
$DefaultPasswords['read'] = array('id:*','-@specialgroup');
I was hoping that everyone but members of @specialgroup would have default read access. Then I could change the GroupAttributes to allow @specialgroup read access to their pages. That doesn't seem to work. Am I using the wrong syntax or doing things in the wrong order? Or is excluding a group not possible?
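Added example, not part of the original post and not PmWiki code: one way to take the manual upkeep out of the '@all' workaround described above is to regenerate the 'all' group as every htpasswd user minus the members of the restricted group. The file contents are constructed samples, guest1 and guest2 are made-up users, and the function names are hypothetical.

```python
# Added example: rebuild 'all' as "every htpasswd user minus restricted groups".
# Sample data is constructed; guest1/guest2 and the stale 'all' line are made up.
SAMPLE_PASSWD = """\
paul:HASH-PLACEHOLDER
jdash:HASH-PLACEHOLDER
tom:HASH-PLACEHOLDER
sue:HASH-PLACEHOLDER
guest1:HASH-PLACEHOLDER
guest2:HASH-PLACEHOLDER
"""
SAMPLE_GROUP = """\
admin: paul jdash tom sue
specialgroup: guest1 guest2
all: paul guest1
"""

def parse_htpasswd(text):
    """User names from 'user:hash' lines; blank and comment lines are skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return {ln.split(":", 1)[0] for ln in lines if ln and not ln.startswith("#") and ":" in ln}

def parse_htgroup(text):
    """{group: [members]} from 'group: user user ...' lines, keeping file order."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups.setdefault(name.strip(), []).extend(members.split())
    return groups

def rebuild_all(passwd_text, group_text, restricted=("specialgroup",), all_name="all"):
    """Return the group map with all_name recomputed from scratch."""
    groups = parse_htgroup(group_text)
    excluded = set()
    for g in restricted:
        if g not in groups:
            # Fail closed: a missing or misspelled restricted group must not widen access.
            raise KeyError(f"restricted group {g!r} not found in htgroup data")
        excluded.update(groups[g])
    groups[all_name] = sorted(parse_htpasswd(passwd_text) - excluded)
    return groups

def render_htgroup(groups):
    return "".join(f"{name}: {' '.join(members)}\n" for name, members in groups.items())

if __name__ == "__main__":
    print(render_htgroup(rebuild_all(SAMPLE_PASSWD, SAMPLE_GROUP)), end="")
```

A user who is in a restricted group and also in another group is still left out of 'all', so the stale guest1 entry in the sample is dropped on regeneration.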