Is anyone able to tell me how phpwiki handles the security issues? login, passes, cookies?
After logging in to a page does a cookie get set? Which database table does wiki use? On which PHP pages are these functions called?
I would need the answer to integrate wiki more directly into other webpages which need a login...
thank you
Alvaro
login, passes, cookies:
userauth data is stored in:
1) persistently in page metadata or optionally in a database
2) session-wise in a session variable, which is transported via the normal PHP mechanisms, cookie or url_rewriter.
session data is either stored in tmpfiles or, if a database is used (SQL, ADODB or dba), in a database.
read the doc/README-phpwiki-auth section or external auth pages at phpwiki.
you can easily use external userdata to login into phpwiki.
in CVS is a new experimental auth method which just reuses a session variable from another app with an already authenticated username.
RUrban,
I am integrating phpWiki with gForge, using the technique you describe here. I am using the 'wiki' script to override config.ini and manipulate the environment before lib/main.php is loaded.
However, I cannot get 'Session' to run correctly, and, if I start the session outside of phpWiki, I end up with errors as phpWiki tries to run sessions with its own parameters.
How do I debug issues with the WikiUserNew.php?
phpWiki is 1.3.10 -
wiki has been edited thus:
<?php // -*-php-*-
/*
  PrettyWiki startup script.
  Sample to override the default wiki (Theme, Language, DB, ...).
  Also for Wiki farms.
  Simplifies USE_PATH_INFO paths:
    "/<home>/wiki/HomePage" instead of "/<home>/wiki/index.php/HomePage"
  The simplest version is
    <?php include "index.php"; include "lib/main.php"; ?>
  Note: This needs a webserver handler to PHP like this on Apache:
  <Files "wiki">
    SetHandler application/x-httpd-php
    <defined APACHE2>
      AcceptPathInfo on
    </defined>
  </Files>
*/
require_once('pre.php');
if (!$group_id || !$project) {
    exit_error("Invalid Project","Invalid Project");
} else {
    define('VIRTUAL_PATH', $_SERVER['SCRIPT_NAME'] . '/' . $project->getUnixName() );
    define('PATH_INFO_PREFIX', '/' . $project->getUnixName() . '/');
    define('WIKI_NAME', $project->getUnixName());
    //define('ALLOW_HTTP_AUTH_LOGIN', 1);
    define('ADMIN_USER', 'martin');
    define('ADMIN_PASSWD', 'bla');
    define('AUTH_SESS_USER','user_id');
    define('AUTH_SESS_LEVEL',2);
    // Override the default configuration for CONSTANTS before index.php
    $LANG='de'; $LC_ALL='de_DE';
    define('THEME', 'gforge');
    define('WIKI_NAME', "WikiDemo:$LANG:" . THEME);
    // Load the default configuration.
    include "index.php";
    error_log ("PATH_INFO_PREFIX " . PATH_INFO_PREFIX);
    // Override the default configuration for VARIABLES after index.php:
    // E.g. Use another DB:
    $DBParams['dbtype'] = 'SQL';
    $DBParams['dsn'] = 'pgsql://' . $sys_dbuser . ':' .
        $sys_dbpasswd . '@' . $sys_dbhost .'/' . $sys_dbname . '_wiki';
    $DBParams['prefix'] = $project->getUnixName() ."_";
    // If the user is logged in, let the Wiki know
    if (session_loggedin()){
        // let php do its session stuff too!
        //ini_set('session.save_handler', 'files');
        session_start();
        $_SESSION['user_id'] = user_getname();
    } else {
        // clear out the globals, just in case...
    }
    // Start the wiki
    include "lib/main.php";
}
?>
=====
And in config.ini:
ENABLE_USER_NEW = true
ALLOW_ANON_USER = true
ALLOW_ANON_EDIT = false
ALLOW_BOGO_LOGIN = false
ALLOW_USER_PASSWORDS = true
USER_AUTH_ORDER = "Session"
USER_AUTH_POLICY = old
I'll try it by myself with gForge,
send you my results, and include some example for gForge integration.
thanks a lot for this info...
I'm glad that phpwiki gets developed further by you...
"you can easily use external userdata to login into phpwiki.
in CVS is a new experimental auth method which just reuses a session variable from another app with an already authenticated username."
Which files do I have to look at? I just looked in the docs but did not really find what I was looking for.
Which file(s) of the CVS would I have to download for reusing an external session variable?
Thank you
Alvaro
lib/WikiUserNew.php
add "Session" in USER_AUTH_ORDER
and
define('AUTH_SESS_USER','userid');
define('AUTH_SESS_LEVEL',2);
current CVS db-code and config-code is unstable.
Thank you for your answer, although it's not exactly what I was looking for...
The question for me is:
I am using a forum phpBB2 and have a phpwiki included.
What I am trying now is to read out the phpBB cookie and use it as authentication for phpwiki.
So I need to know where wiki authenticates the user to edit a page so I can, if the user's not logged in, forward him to the phpBB auth or, if he's logged in, let him edit the page.
Thanks again...
> So I need to know where wiki authenticates the user to edit a page so I can, if the user's not logged in, forward him to the phpBB auth or, if he's logged in, let him edit the page.
authenticated if isset($GLOBALS['request']->_user) and
$GLOBALS['request']->_user->_level > 0
Is this auth-feature integrated in the new 1.3.10 version?
Thanks
Alvaro
Yes.
But to be able to use the userid session variable, when it is inside an array or an object parameter, you have to wait some days, until I submit this WikiUserNew fix to CVS.
Support for:
$_SESSION['user']['userid'] or $_SESSION['user']->userid
I've made several other fixes and have to test these first.
Regarding phpBB integration:
I briefly looked into phpBB auth and saw that they don't use session vars to keep the userid. They keep the sid in a COOKIE or GET and check the user database manually then.
So the only way to use phpBB auth is to use the "Db" method, with the proper auth_dsn and auth sql statements.
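As an added illustration (not PhpWiki's WikiUserNew.php code and not part of the posts in this thread): one way to read a user id from the flat and nested session layouts named in this reply, and to clear it when the host application reports a logout, which the empty else branch in the gForge script quoted earlier does not do. The helper names, the dotted path notation and PHP 7.1+ are assumptions.

```php
<?php
// Added example: hypothetical helpers, not PhpWiki or gForge code.
// Resolve a user id from session data. $path is a dotted key path
// (hypothetical notation), e.g. 'userid' or 'user.userid'; each step may
// be an array key or an object property.
function session_userid(array $session, string $path): ?string
{
    $node = $session;
    foreach (explode('.', $path) as $key) {
        if (is_array($node) && array_key_exists($key, $node)) {
            $node = $node[$key];
        } elseif (is_object($node) && isset($node->$key)) {
            $node = $node->$key;
        } else {
            return null; // missing step: treat as not authenticated
        }
    }
    // Accept only a non-empty string or an integer, never an array or object.
    $ok = (is_string($node) && $node !== '') || is_int($node);
    return $ok ? (string)$node : null;
}

// Publish the host application's login state into the shared session.
// $loggedIn and $name stand for what the host app verified server-side
// (session_loggedin() and user_getname() in the script quoted earlier).
function bridge_identity(array &$session, bool $loggedIn, ?string $name,
                         string $key = 'user_id'): void
{
    if ($loggedIn && $name !== null && $name !== '') {
        $session[$key] = $name;
    } else {
        unset($session[$key]); // drop a stale identity after logout
    }
}

// Constructed sample sessions covering the layouts discussed above.
$samples = [
    ['userid', ['userid' => 'alice']],
    ['user.userid', ['user' => ['userid' => 'bob']]],
    ['user.userid', ['user' => (object)['userid' => 'carol']]],
    ['user.userid', ['user' => []]],
];
foreach ($samples as [$path, $sess]) {
    printf("%-12s %s\n", $path, session_userid($sess, $path) ?? '(anonymous)');
}

$sess = ['user_id' => 'dave'];       // left over from an earlier login
bridge_identity($sess, false, null); // host app now reports: logged out
var_dump(session_userid($sess, 'user_id'));
```

In a real bridge, `bridge_identity($_SESSION, ...)` would run on every request before lib/main.php is included, so the wiki never sees a user id that the host application no longer vouches for.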
@rUrban:
I don't know if I understand everything right, and I know that this will probably be a stupid question, but if wiki is able to get permissions by a cookie or session var, why wouldn't it be able to use the phpBB cookie or read out the phpBB session vars, when I use the wiki and phpBB in the same domain?
Because phpBB doesn't use php sessions.
They invented their own scheme which is similar to a php session, but they don't store the userid in $_SESSION which we can check against then.
They also have their own cookie which we don't check against.
We could, but this would require a special phpBB auth handler. I will probably write one sooner or later, but first I have to fix our bugs here and check integration of gforge and phpnuke then.