[Phpwiki-talk] Simple security revisited

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

1) Re: the graphics, for those of you who expressed an interest: I will 
be tweaking the buttons and making them available soon. I agree with 
Jeff that it is a good idea to keep gifs in the default template. Old 
browsers are, unfortunately, still with us...

2) Thanks again to Jeff and John for the code to create one authorized 
user. I now have one wiki set up with one user and one admin, and 
another set up with the admin and BOGO login enabled. The next thing I 
am wondering is: A) can BOGO login be enabled in the case where there 
is one authorized user in addition to the admin (to create a sort of 
super-user whose ID cannot be spoofed by the BOGO users)?

John's instructions to create an authorized user:

* Open index.php
* Find: define('ADMIN_USER', "admin");
* Add two new lines under the ADMIN_PASSWD line:

  define('RESTRICTED_USER', "user");
  define('RESTRICTED_PASSWD', "test");

* Now open lib/WikiUser.php
* Scroll to the end and replace the whole of the _pwcheck function with 
this:

     function _pwcheck ($userid, $passwd) {
         global $WikiNameRegexp;

         if (!empty($userid) && $userid == ADMIN_USER) {
             if (!empty($passwd) && $passwd == ADMIN_PASSWD)
                 return WIKIAUTH_ADMIN;
             return false;
         }
         elseif (!empty($userid) && $userid == RESTRICTED_USER) {
             if (!empty($passwd) && $passwd == RESTRICTED_PASSWD)
                 return WIKIAUTH_USER;
         }
         return false;
     }

* Finally open lib/main.php
* Halfway down you'll find this:

             case 'edit':
                 if (defined('REQUIRE_SIGNIN_BEFORE_EDIT') && 
REQUIRE_SIGNIN_BEFORE_EDIT)
                     return WIKIAUTH_BOGO;
                 return WIKIAUTH_ANON;

Replace it with this:

             case 'edit':
                 return WIKIAUTH_USER;

I think that should do it.

John.
-- 

This seems to eliminate the BOGO option, and I was wondering if there 
is a way to keep it without messing up the admin and authuser functions.

B) I can also see a use for John's suggestion: allowing a sort of BOGO 
login where one password (known to the group) will work with any 
WikiWord user name, so that each group member's posts can be tied to 
their user name. I realize that this is getting closer to just having 
full authentication capability for all users, but it is a nice 
intermediate step for simple groups where there is a fair amount of 
trust and cooperation (and it would also make it possible for the 
password to be changed from time to time as needed -- something to 
consider if the membership of the group changes dramatically, or if 
members are leaving periodically and thus should "lose" posting ability 
upon departure).

Thanks, as always, for any help or advice on this. The more I work with 
this application, the more possibilities I see and the more I want to 
promote its use for groups of all types.

-----------------------------------------------------
http://eo.yifan.net
Free POP3/Web Email, File Manager, Calendar and Address Book