From: Reini U. <ru...@x-...> - 2002-10-02 09:14:23

Joby Walker wrote:
> Since you seem to be heading up the modifications to the user
> authentication system, I thought I would run by you two more options I
> would like to add.
>
> 1) a new login method (currently PUBCOOKIE_LOGIN): this will allow end
> user to use the University of Washington's Pubcookie system. When using
> Pubcookie the end user accesses a web site he is forced to authenticate
> at a central site, and the central login site then guarantees the
> authentication to the web site. Thus the end user's password is never
> available to the web site, and allowing a unified login structure for an
> organization. The only check is that $HTTP_SERVER_VARS['REMOTE_USER']
> is guaranteed to be set and correct.

I'm against adding this to the default HEAD branch of phpwiki.
I know that some sites do cookie auth, and even we do it in our internal
backoffice, but this is totally insecure.

But I already added beta support for ALLOW_HTTP_AUTH_LOGIN which accepts
already logged in users.

> 2) no admin account (ADMIN_GROUP): this would grant to specific users
> WIKIAUTH_ADMIN privileges. With this enabled there is no admin account,
> but certain users have administrative privileges. With this
> modifications can be tracked by user.

This will be a PagePermission feature, once groups are ready.

--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/