Re: [Phpwiki-talk] Simple security revisited

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

> I now have one wiki set up with one user and one admin, and 
> another set up with the admin and BOGO login enabled. The next thing I 
> am wondering is: A) can BOGO login be enabled in the case where there 
> is one authorized user in addition to the admin (to create a sort of 
> super-user whose ID cannot be spoofed by the BOGO users)?

Yes. Here's the untested instructions:

in lib/WikiUser.php, change _pwcheck to:

      function _pwcheck ($userid, $passwd) {
          global $WikiNameRegexp;

          if (!empty($userid) && $userid == ADMIN_USER) {
              if (!empty($passwd) && $passwd == ADMIN_PASSWD)
                  return WIKIAUTH_ADMIN;
              return false;
          }
          elseif (!empty($userid) && $userid == RESTRICTED_USER) {
              if (!empty($passwd) && $passwd == RESTRICTED_PASSWD)
                  return WIKIAUTH_USER;
              return false;
          }
          elseif (ALLOW_BOGO_LOGIN
                  && preg_match('/\A' . $WikiNameRegexp . '\z/', $userid))
{
              return WIKIAUTH_BOGO;
          }
          return false;
      }

(The first elseif clause is the only part which differs from
the stock PhpWiki code.)  This change will work for all three
cases outlined above, if in the case where there is no restricted
user, one sets RESTRICTED_USER and RESTRICTED to false.

Then, if you want to allow BOGO logins (as well as admin and
password-verified user) to edit pages, restore lib/main.php
to stock code (and set REQUIRE_SIGNIN_BEFORE_EDIT in index.php).

> B) I can also see a use for John's suggestion: allowing a sort of BOGO 
> login where one password (known to the group) will work with any 
> WikiWord user name, so that each group member's posts can be tied to 
> their user name.

Untested changes again:

Add to index.php somewhere:
  define('BOGO_PASSWORD', '<the universal password>');

Then change the last elseif clause in the above version of
WikiUser::_pwcheck() to:

          elseif (ALLOW_BOGO_LOGIN
                  && preg_match('/\A' . $WikiNameRegexp . '\z/', $userid))
{
              if (!empty($passwd) && $passwd == BOGO_PASSWD)
                  return WIKIAUTH_BOGO;
              return false;
          }

This makes it so bogo-logins are only accepted if accompanied
by the BOGO_PASSWORD.

Did that work?