phpwiki-talk

Re: [Phpwiki-talk] Getting Involved?

[Eric C. <er...@ec...>]

Hi Steve!

I absolutely understand. Perhaps I could work with them. The specific
ideas I have right now is similar to the suggestions made at 
the URL: http://phpwiki.sourceforge.net/phpwiki/UserAuthenticationDoneForYou

I was thinking that if we could setup a authentication API that
could be plugged into either http authentication using apache's
auth systems (like UserAuthType Basic) - or - setup proprietary
authentication systems (like a username/password in a MySQL db)
then wiki would not need to handle all the "innards" of authentication
but rather simply pull the username and password from however 
it's configured to use authentication.

Does that make sense?

Also, we could have a default user authentication system - if none is
present but people want an authentication system. Most likely a simple 
plain text file with encrypted passwords. (Using md5)

Just some thoughts - I noticed that phpwiki 1.3.2 would recognize 
an admin logged in via http basic auth (use of the $PHP_AUTH_USER 
I suppose) but with phpwiki 1.3.3 that has been eliminated. :-(

Eric

At Wednesday, 13 March 2002, Steve Wainstead <sw...@pa...> wrote:

>Hi Eric!
>
>I know someone on the project was supposed to be working on user 
auth, and
>promised to deliver something right about now. I haven't heard anything
>though; I will have to search the mail archive.
>
>More than likely you would be welcome to work on this, but I need 
to make
>sure someone else isnt' already doing it. Do you have any specific 
ideas
>right now for auth?
>
>~swain
>
>On Tue, 12 Mar 2002, Eric Carter wrote:
>
>> Hi,
>>
>> I've been hacking around with PhpWiki a bit over the past month
>> and I have to say - this is an awesome project. I have some thoughts
>> and ideas and I'd like to get involved.
>>
>> I'm particularly interested in setting up a seperate User Authentication
>>
>> interface. I've been using simple http basic authentication - and
>> I'd like to know where things are going with the project.
>>
>> Thanks,
>> Eric
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Phpwiki-talk mailing list
>> Php...@li...
>> https://lists.sourceforge.net/lists/listinfo/phpwiki-talk
>>
>>
>>
>>
>
>---
>                  http://www.panix.com/~swain/
>"Without music to decorate it, time is just a bunch of boring
>production deadlines or dates by which bills must be paid."
>                     -- Frank Zappa
>
>_______________________________________________
>Phpwiki-talk mailing list
>Php...@li...
>https://lists.sourceforge.net/lists/listinfo/phpwiki-talk
>

Re: [Phpwiki-talk] Getting Involved?

[Adam S. <ad...@pe...>]

> I absolutely understand. Perhaps I could work with them. The specific
> ideas I have right now is similar to the suggestions made at 
> the URL: http://phpwiki.sourceforge.net/phpwiki/UserAuthenticationDoneForYou

The person who did the initial implementation of non-apache based user
auth was Joe Edelman who hasn't been around for a while.  I don't know
if he's just been quiet or has found other responsibilities.
 
> I was thinking that if we could setup a authentication API that
> could be plugged into either http authentication using apache's
> auth systems (like UserAuthType Basic) - or - setup proprietary
> authentication systems (like a username/password in a MySQL db)
> then wiki would not need to handle all the "innards" of authentication
> but rather simply pull the username and password from however 
> it's configured to use authentication.

Here's now I see it.  The advantage of using something like apache for
authentication is that there are already a myriad of authentication
modules written (ldap, mysql, radius, htpasswd, ntlm etc etc).  

The disadvantage is that it makes it harder (impossible?) to force
people to log in via a form where you can request other information
(like an email address) and also explain how things work and that they
may just need to supply a WikiWord compliant username rather then find
somewhere to register for an account.

Leveraging apache would be really nice for intranet wiki's
(mod_auth_ntlm and all your exchange users now have wiki logins). 
However their logins aren't wiki words which sucks for a wiki.  Twiki
gets around this (imho in a confusing, kludgy way) by having a seperate
list which makes login names to wiki names (eg. adams = AdamShand).

The main reason for user authentication imho is that it provides a basis
for other things like customized themes, email notification and such.  I
don't think we need full on real authentication, just something that is
"good enough" (WorseIsBetter) to make abuse a pain and hopefully
discourage abuse.

Adam.

PS. My wiki's have recently stated to have problems of random abuse from
people on the internet (it's gone from happening every few months to a
few times a week).  Is it just me or have others noticed anything like
this?  It scares me a little that it's only going to get worse.

Re: [Phpwiki-talk] Getting Involved?

[Paul S. <pa...@et...>]

On 13 Mar 2002, Adam Shand wrote:

:Here's now I see it.  The advantage of using something like apache for
:authentication is that there are already a myriad of authentication
:modules written (ldap, mysql, radius, htpasswd, ntlm etc etc).

Hi, my two cents on this:

1. We use mod_auth_external to authenticate users on an
   internal-only/private SSL web site for access to the Wiki.

2. Many of my users are paranoid security freaks who do not
   tolerate cookies.  Mailman, for example, generates complaints
   from the cookie-paranoid.

So I would be very happy if Phpwiki would use basic auth and let me
configure the back-end any way I please.

I would like it if there were an option to have Phpwiki assume that a
working basic auth system is present and have it assume that $REMOTE_USER
exists and is trustworthy, tie that to users' prefs, etc. automatically.

--Paul