phpwiki-talk

Re: [Phpwiki-talk] Re:Userids?

[Jeff D. <da...@da...>]

In message <000601c110c9$279a9e80$640...@ho...>,"Seth Cohn" writes:

>It looks as if  it isn't a major thing, just set the cookie
>correctly (via setprefs&userid ) and then read it back.
....
>Adding a single line to UserPreferences such as
>[Set UserID | phpwiki:?action=setprefs&userid=40()] should be possible,
>right?

Yes I think that's right.  I'll take a look at it tomorrow, unless
someone else speaks up before then to say they're working on it.

I wrote the userauth stuff with the idea that it would be expanded
to be able to authenticate (i.e. with passwords) registered users 
(other than admin).  However, that step is currently waiting on the
specification/development of some sort of user database API (and all
the forms, etc. needed to register and authenticate users) --- this
is another area where it would be nice if we could find some "standard"
PHP library code which does what we want.

My one concern is that the non-authenticated userid's be added
in a way that will be forward-compatible with authenticated userid's
in the future.   (I'm sure it's possible, it just takes some thought
and care.)

Jeff

Re: [Phpwiki-talk] Re:Userids?

[Jeff D. <da...@da...>]

How's this for an interim solution (until we get real user
authentication, that is)?

Allow anyone to log in (via HTTP authentication,
the same way the admin currently logs in) with any userid
except the admin user, and any password.  This would be a
trivial hack, and I believe would be maximally forward-compatible
with future non bogo-authentication.

I guess we don't want to allow people to set userid's which
look like IP addresses or host names.

Perhaps we should only allow people to log in with with userid's
which are WikiWords, so as to encourage userids to be the names
of homepages?


Speak now or suffer the short term consequences.

Jeff

Re: [Phpwiki-talk] Re:Userids?

[Steve W. <sw...@pa...>]

Sounds fine... hack away! :-)

~swain

On Fri, 20 Jul 2001, Jeff Dairiki wrote:

> How's this for an interim solution (until we get real user
> authentication, that is)?
>
> Allow anyone to log in (via HTTP authentication,
> the same way the admin currently logs in) with any userid
> except the admin user, and any password.  This would be a
> trivial hack, and I believe would be maximally forward-compatible
> with future non bogo-authentication.
>
> I guess we don't want to allow people to set userid's which
> look like IP addresses or host names.
>
> Perhaps we should only allow people to log in with with userid's
> which are WikiWords, so as to encourage userids to be the names
> of homepages?
>
>
> Speak now or suffer the short term consequences.
>
> Jeff
>
>
> _______________________________________________
> Phpwiki-talk mailing list
> Php...@li...
> http://lists.sourceforge.net/lists/listinfo/phpwiki-talk
>

---
                  http://www.panix.com/~swain/
"Without music to decorate it, time is just a bunch of boring
production deadlines or dates by which bills must be paid."
                     -- Frank Zappa
http://pgp.document_type.org:11371/pks/lookup?op=get&search=0xF7323BAC

Re: [Phpwiki-talk] Re:Userids?

[Reini U. <ru...@x-...>]

Jeff Dairiki schrieb:
> How's this for an interim solution (until we get real user
> authentication, that is)?
> 
> Allow anyone to log in (via HTTP authentication,
> the same way the admin currently logs in) with any userid
> except the admin user, and any password.  

yes. but why not also the admin? 
the admin check is done later in user_auth.

other wiki's do it with simple userid cookies instead of auth.
setting up the db auth scheme is not that trivial. cookies are easier.

> This would be a trivial hack, and I believe would be maximally forward-compatible
> with future non bogo-authentication.
> I guess we don't want to allow people to set userid's which
> look like IP addresses or host names.
> 
> Perhaps we should only allow people to log in with with userid's
> which are WikiWords, so as to encourage userids to be the names
> of homepages?

good idea. count me pro.
-- 
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/

Re: [Phpwiki-talk] Re:Userids?

[Jeff D. <da...@da...>]

>yes. but why not also the admin? 
>the admin check is done later in user_auth.

I don't think we want random people to be able to make
edits which appear to be signed by the admin.
 
>other wiki's do it with simple userid cookies instead of auth.
>setting up the db auth scheme is not that trivial. cookies are easier.

(Password) authentication however is on the to-do list.
The motivations for adding real authentication include:
 * Page ownership (read-only or add-only pages).
 * Page change notification (authentication prevents
   the use of this feature for mail-bombing unsuspecting
   recipients.)
 * The (server-side) storage of large amounts of per-user
   state data could be used to do things like list/highlight
   changes since last visit, etc...  (Cookies can only store
   a finite amount of information.)

>> This would be a trivial hack, and I believe would be maximally forward-compa
> tible
>> with future non bogo-authentication.


The one problem I see with my proposed hacks is that it's going to
be fairly confusing to the user.  Since it's going to use the 
HTTP authentication mechanism (as currently used for admin logins)
there's not much opportunity to issue meaningful prompts.