From: Reini U. <ru...@x-...> - 2004-05-12 09:39:26
Dan Frankowski wrote:
> I was having a problem. I have a Phpwiki 1.3.9+ site. It has a .htaccess
> file with a single username/password pair. The intent is that once you
> enter that site-wide user/pw, each editor then logs in with their own
> WikiWord to have the right tracking in the change logs. Only for some
> reason you had to log on for each page, hence over and over again. I
> found out why: the Apache-authenticated user was being taken before the
> login provided by the user in the Phpwiki "Sign in as:" window. This was
> wrong for me, I attach a patch below.
>
> My index.php auth settings are:
> $USER_AUTH_ORDER =
> array(
> "PersonalPage",
> "Db",
> ) ;

Why don't you use "File", with AUTH_USER_FILE = /your/.htaccess
apache auth is always before phpwiki auth.

> Perhaps my index.php authentication settings should be different, but it
> still seems to me the Phpwiki login should trump the .htaccess login ..
> hmm, maybe not always? Could I fake my way in with a trumped-up cookie?

You could fake the userid with the cookie, but not the authentication setting, the _level. So you are signed, but not authenticated.
Otherwise, if you prefer to always have the server auth prompt, your patch is okay.

> diff -b -u -r1.3 main.php > --- main.php 14 Apr 2004 21:57:25 -0000 1.3 > +++ main.php 11 May 2004 18:01:21 -0000 > @@ -568,12 +568,15 @@ > } > > function _deduceUsername() { > + // User login on the Wiki page. > + // > + // DSF: Overrides browser pop-up window, to allow the whole > site to > + // be behind browser authentication with one username/pw, then > + // each page editor to have their own login. > + // > + > if (!empty($this->args['auth']) and > !empty($this->args['auth']['userid'])) > return $this->args['auth']['userid']; > - if (!empty($_SERVER['PHP_AUTH_USER'])) > - return $_SERVER['PHP_AUTH_USER']; > - if (!empty($_ENV['REMOTE_USER'])) > - return $_ENV['REMOTE_USER']; > > if ($user = $this->getSessionVar('wiki_user')) { > $this->_user = $user; 
> @@ -586,6 +589,14 @@ > return $userid; > } > } > + > + // User login through a browser pop-up window > + if (!empty($_ENV['REMOTE_USER'])) > + return $_ENV['REMOTE_USER']; > + > + if (!empty($_SERVER['PHP_AUTH_USER'])) > + return $_SERVER['PHP_AUTH_USER']; > + > return false; > }

--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
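
Review bot: In the first hunk (@@ -568,12 +568,15 @@), removing the `$_SERVER['PHP_AUTH_USER']` and `$_ENV['REMOTE_USER']` returns from the top of `_deduceUsername()` changes the precedence unconditionally: `$this->args['auth']['userid']` and the `getSessionVar('wiki_user')` lookup now always win over the server-authenticated name, not only on a site that sits behind one shared .htaccess login. Suggest guarding the new ordering with a configuration setting so that sites which treat the web server's identity as authoritative keep the old behaviour. Two smaller points: the added comment should state the precedence rule rather than carry author initials (`DSF:`) and an empty trailing `//` line, and the posted patch has been line-wrapped by the mailer (`whole > site to`, and the `if (!empty($this->args['auth']) and` condition), so it will not apply as posted; resend it as an attachment.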
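
Review bot: In the second hunk (@@ -586,6 +589,14 @@), the re-added checks test `$_ENV['REMOTE_USER']` before `$_SERVER['PHP_AUTH_USER']`, the reverse of the order in the lines the first hunk removes, and nothing in the comment or the message explains the swap. Keep the original order (PHP_AUTH_USER, then REMOTE_USER) unless the change is intended, and say so in the comment if it is. The comment `// User login through a browser pop-up window` should also state that this is now only a fallback, reached when the earlier lookups in `_deduceUsername()` have returned nothing.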