Subject: True user authentication, security and preferences
Hi there,
I have recently installed PHPwiki-1.3.10, and so far I love it! I've run into some issues and need some help.
I have RedHat Linux 8.0, kernel version 2.4.18-14, apache 2, PHP 4.2.2.
In my wiki I need true user authentication (giving users the ability to change their passwords) and I don't want users to be able to create themselves. I started off by putting File as the first thing in the list for USER_AUTH_ORDER. I then created a file using apache's htpasswd program and added some users giving them an initial password.
This seemed to work pretty well. I made a user called wikidavid and I was able to sign in as wikidavid. Right after signing in, the message shown next to the sign-in box says "Authenticated as wikidavid[?]". However, after clicking on any link and going to some other WikiPage, the message changes to "You are signed but not authenticated as wikidavid". Why is this? Is this a problem?
Anyway, it does not seem to affect anything so far, because I am still able to edit pages as wikidavid and it does not ask for the password again (which is a little strange).
However, if I go into preferences, it asks for the password before showing me the preferences page. And it asks for the password again when I click on the 'update preferences' button. I tried changing the theme from <system theme> to other settings and it seemed to work (the theme changed), but it did not stick after I restarted the browser. Same thing happens if I try to set an email address and other preferences. The funny thing is that if I change the password, that sticks. It seems to be the only thing that sticks when I change preferences. This is the case whether or not the WikiPage wikidavid exists. How do I get my user preferences to stick? (Note that the admin's preferences stay without a problem and it does not ask for the admin's password before or after showing the preferences page.)
Well, I tried changing the option USER_AUTH_POLICY from first-only to strict (having USER_AUTH_ORDER set to "File : PersonalPage : Db"). Once I did this, my user wikidavid was able to change the preferences and have them stick after restarting the browser. However, I noticed that now anybody could sign in without a password by using as a username the name of any WikiPage. For example, someone could just come in and sign in as WikiWikiWeb (because that is one of the pages that exists) and no password. This user was then able to change any page in the wiki and behave as any other authenticated user. So I changed USER_AUTH_POLICY back to first-only. The funny thing is that WikiWikiWeb can still sign in without a password; the good thing is that SandBox (another existing page) cannot sign in (like WikiWikiWeb did initially). If I delete WikiWikiWeb as admin, WikiWikiWeb can no longer sign in. But if anyone makes a new page called WikiWikiWeb, then user WikiWikiWeb can sign in again :) -- any idea how I can get rid of WikiWikiWeb as a user?
I know this is a long story with many questions -- thanks for reading it by the way -- but it would be really nice to know how to set up my PHPwiki to save user preferences either in their pages or in the database (I'm using DBA - gdbm), have real authentication and prevent users from creating themselves.
Below are some parts of my current config.ini file and a directory listing of my wikidata directory.
Thanks a lot for any help you guys can provide.
David
--------------------
config.ini:
;======================================================================
; Part Two: Database Selection
;======================================================================
DATABASE_TYPE = dba
DATABASE_DSN = "mysql://guest@unix(/var/lib/mysql/mysql.sock)/test"
DATABASE_SESSION_TABLE = session
DATABASE_DIRECTORY = /usr/local/phpwiki-1.3.10/wikidata
DATABASE_DBA_HANDLER = gdbm
DATABASE_TIMEOUT = 20
SESSION_SAVE_PATH = /usr/local/phpwiki-1.3.10/wikidata
;========================================================================
; Part Three: User Authentication
;========================================================================
ALLOW_ANON_USER = true
ALLOW_ANON_EDIT = false
ALLOW_BOGO_LOGIN = false
ALLOW_USER_PASSWORDS = true
USER_AUTH_ORDER = "File : PersonalPage"
PASSWORD_LENGTH_MINIMUM = 2
USER_AUTH_POLICY = first-only
LDAP_AUTH_HOST = "ldap://localhost:389"
LDAP_BASE_DN = "ou=Users,o=Development,dc=mycompany.com"
AUTH_USER_FILE = /usr/local/phpwiki-1.3.10/wikidata/.wikipasswd
AUTH_USER_FILE_STORABLE = true
AUTH_SESS_USER = userid
AUTH_SESS_LEVEL = 2
GROUP_METHOD = WIKIPAGE
userid='$userid'"
userid='$userid'"
DBAUTH_AUTH_CRYPT_METHOD = plain
userid='$userid'"
userid='$userid'"
groupname='$groupname'
groupname='$groupname'
EDITING_POLICY = EditingPolicy
--------------------------
ls -l -a /usr/local/phpwiki-1.3.10/wikidata/*
drwxr--r-- 2 apache apache 4096 Aug 24 11:37 .
drwxr-xr-x 12 apache apache 4096 Aug 22 13:31 ..
-rw-r--r-- 1 apache apache 399349 Aug 25 22:59 wiki_access_log
-rw-r--r-- 1 apache apache 382349 Aug 25 22:59 wiki_pagedb.gdbm
-rw------- 1 apache apache 111 Aug 24 11:37 .wikipasswd
-rw------- 1 apache apache 133 Aug 23 20:23 .wikipasswd~
-rw-r--r-- 1 apache apache 0 Aug 25 22:59 .wikipasswd.lock
-rw-r--r-- 1 apache apache 276621 Aug 25 22:59 wiki_session.gdbm
-------------------------
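Added example, not part of David's post and not PhpWiki code: a small Python lint that reads the config.ini fragment and the wikidata listing quoted above and reports the settings a reviewer would flag. It assumes the "KEY = value" layout of config.ini and the "ls -l -a" layout of the listing as shown in the post; the truncated DBAUTH_* query lines are left out of the sample because only their tails survived. The PersonalPage check encodes what the post reports (an existing page name accepted as a login with no password), not a reading of the PhpWiki source, so confirm the fix against the 1.3.10 documentation before relying on it.

```python
"""Lint a PhpWiki config.ini fragment and wikidata listing (added example).

Assumptions: ``KEY = value`` config lines as in the post; ``ls -l -a``
listing layout as in the post; the PersonalPage finding reflects the
behaviour the post describes, not the PhpWiki source.
"""
import re

# Constructed sample: config.ini lines from the post that survived intact.
SAMPLE_CONFIG = """\
; Part Two: Database Selection
DATABASE_TYPE = dba
DATABASE_DSN = "mysql://guest@unix(/var/lib/mysql/mysql.sock)/test"
DATABASE_DBA_HANDLER = gdbm
; Part Three: User Authentication
ALLOW_ANON_USER = true
ALLOW_ANON_EDIT = false
ALLOW_BOGO_LOGIN = false
ALLOW_USER_PASSWORDS = true
USER_AUTH_ORDER = "File : PersonalPage"
PASSWORD_LENGTH_MINIMUM = 2
USER_AUTH_POLICY = first-only
AUTH_USER_FILE = /usr/local/phpwiki-1.3.10/wikidata/.wikipasswd
DBAUTH_AUTH_CRYPT_METHOD = plain
"""

# Constructed sample: the ``ls -l -a`` listing from the post.
SAMPLE_LISTING = """\
drwxr--r-- 2 apache apache 4096 Aug 24 11:37 .
drwxr-xr-x 12 apache apache 4096 Aug 22 13:31 ..
-rw-r--r-- 1 apache apache 399349 Aug 25 22:59 wiki_access_log
-rw-r--r-- 1 apache apache 382349 Aug 25 22:59 wiki_pagedb.gdbm
-rw------- 1 apache apache 111 Aug 24 11:37 .wikipasswd
-rw------- 1 apache apache 133 Aug 23 20:23 .wikipasswd~
-rw-r--r-- 1 apache apache 0 Aug 25 22:59 .wikipasswd.lock
-rw-r--r-- 1 apache apache 276621 Aug 25 22:59 wiki_session.gdbm
"""

KV_RE = re.compile(r"^\s*([A-Z_]+)\s*=\s*(.*?)\s*$")
LS_RE = re.compile(r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
                   r"\s+\w+\s+\d+\s+[\d:]+\s+(.+)$")


def parse_config(text):
    """{KEY: value} for KEY = value lines; ';' comments and keyless
    fragments are skipped, surrounding double quotes dropped."""
    cfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        m = KV_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg


def auth_methods(cfg):
    """USER_AUTH_ORDER is colon separated, e.g. "File : PersonalPage"."""
    return [p.strip() for p in cfg.get("USER_AUTH_ORDER", "").split(":") if p.strip()]


def lint_config(cfg):
    findings = []
    methods = auth_methods(cfg)
    if "PersonalPage" in methods:
        findings.append("USER_AUTH_ORDER: PersonalPage let an existing page name sign in "
                        "with no password (the WikiWikiWeb case); keep only "
                        "password-backed methods such as File")
    if int(cfg.get("PASSWORD_LENGTH_MINIMUM", "0")) < 8:
        findings.append("PASSWORD_LENGTH_MINIMUM: raise to at least 8")
    if "Db" in methods and cfg.get("DBAUTH_AUTH_CRYPT_METHOD") == "plain":
        findings.append("DBAUTH_AUTH_CRYPT_METHOD: Db auth would store plaintext passwords")
    dsn = cfg.get("DATABASE_DSN", "")
    if dsn and not dsn.startswith(cfg.get("DATABASE_TYPE", "") + ":"):
        findings.append("DATABASE_DSN: credentials for a backend that is not in use; remove")
    if cfg.get("ALLOW_ANON_EDIT", "false").lower() == "true":
        findings.append("ALLOW_ANON_EDIT: anonymous edits are enabled")
    return findings


def parse_listing(text):
    """[(mode, owner, group, name)] from ls -l output, skipping . and .."""
    rows = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m and m.group(4) not in (".", ".."):
            rows.append(m.groups())
    return rows


def readable_by_others(mode):
    # 10-char ls mode field: type, then rwx for owner, group, other
    return mode[4] == "r" or mode[7] == "r"


def lint_listing(rows, passwd=".wikipasswd"):
    findings = []
    for mode, owner, group, name in rows:
        if name.startswith(passwd) and name.endswith("~"):
            findings.append(f"{name}: stale backup copy of the password file; delete it")
        elif name == passwd and readable_by_others(mode):
            findings.append(f"{name}: password file is {mode}; chmod 0600")
        elif name.endswith(".gdbm") and readable_by_others(mode):
            findings.append(f"{name}: page/session store is {mode}; chmod 0600")
    return findings


if __name__ == "__main__":
    for f in lint_config(parse_config(SAMPLE_CONFIG)) + lint_listing(parse_listing(SAMPLE_LISTING)):
        print("-", f)
```

Run against the samples it reports PersonalPage in USER_AUTH_ORDER, the two-character password minimum, the unused mysql DSN, the .wikipasswd~ backup copy, and the two world-readable gdbm files (the session store in particular holds live session data, and the page store holds whatever preferences, password included, a PersonalPage user saved there). Point it at the real files with parse_config(open(path).read()) and the output of ls -l -a.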