Menu
▾
▴
Re: [Phpwiki-talk] To clarify re:security question
|
From: Reini U. <ru...@x-...> - 2002-08-17 16:10:39
|
Jeff Dairiki schrieb: >>If you're going to go to the trouble, could you make it that >>the username/password pairs are stored in a text file that would be >>easily edited. > > It would be much simpler (codewise) (and the point of this hack is > simplicity, after all) if these were just stored as a PHP hash in > index.php, like: > > $WikiUsers = array( 'JeffDairiki' => 'JeffsPassword', > 'JohnKershaw' => 'Your Password' ); > > Would that be okay? Nope, too simple. But I'll add AUTH_FILE also (pointing to /etc/passwd or any .htpasswd file), besides AUTH_DNS, AUTH_IMAP and AUTH_LDAP, which already works for me. The .htpasswd solution is then an __optional__ Apache HTTP_AUTH solution, in contrast to a __required__ Apache HTTP_AUTH. With REQUIRE_HTTP_AUTH you __must__ login before you get to any page, with REQUIRE_AUTH_USER you try any of the supported auth mechanisms: (PASS, FILE, DNS, IMAP, LDAP, BOGO, NONE). I'll probably commit tomorrow, without groups and userprefs, when I get the permission checks correct. Jeff's page-meta data abstraction lib (WikiDB_Page::get) is perfect for this, probably better than a seperate table. So I'll do the groups, permissions and user preferences (email, ...) in a wikipage, only the passwords are from the AUTH mechanism. I don't really want to store the password in the page, besides I do want to have passwords for my group only at one single place. (radius or imap preferred). So it get's easily changed and remembered. >>Or maybe a third option, a half-way house: one password that fits any >>WikiWord login name? > Interesting idea. I think it's probably appropriate for certain > situations. well, that's a good option for simple groups. Maybe REQUIRE_AUTH_PASS? -- Reini Urban http://xarch.tu-graz.ac.at/home/rurban/ |