|
From: Jeff D. <da...@da...> - 2001-07-20 06:04:31
|
In message <000601c110c9$279a9e80$640...@ho...>, "Seth Cohn" writes:
>It looks as if it isn't a major thing, just set the cookie
>correctly (via setprefs&userid ) and then read it back.
....
>Adding a single line to UserPreferences such as
>[Set UserID | phpwiki:?action=setprefs&userid=40()] should be possible,
>right?

Yes I think that's right. I'll take a look at it tomorrow, unless someone else speaks up before then to say they're working on it.

I wrote the userauth stuff with the idea that it would be expanded to be able to authenticate (i.e. with passwords) registered users (other than admin). However, that step is currently waiting on the specification/development of some sort of user database API (and all the forms, etc. needed to register and authenticate users) --- this is another area where it would be nice if we could find some "standard" PHP library code which does what we want.

My one concern is that the non-authenticated userid's be added in a way that will be forward-compatible with authenticated userid's in the future. (I'm sure it's possible, it just takes some thought and care.)

Jeff
|
From: Jeff D. <da...@da...> - 2001-07-20 15:41:21
|
How's this for an interim solution (until we get real user authentication, that is)?

Allow anyone to log in (via HTTP authentication, the same way the admin currently logs in) with any userid except the admin user, and any password. This would be a trivial hack, and I believe would be maximally forward-compatible with future non bogo-authentication.

I guess we don't want to allow people to set userid's which look like IP addresses or host names.

Perhaps we should only allow people to log in with userid's which are WikiWords, so as to encourage userids to be the names of homepages?

Speak now or suffer the short term consequences.

Jeff
|
From: Steve W. <sw...@pa...> - 2001-07-20 16:30:51
|
Sounds fine... hack away! :-)

~swain

On Fri, 20 Jul 2001, Jeff Dairiki wrote:

> How's this for an interim solution (until we get real user
> authentication, that is)?
>
> Allow anyone to log in (via HTTP authentication,
> the same way the admin currently logs in) with any userid
> except the admin user, and any password. This would be a
> trivial hack, and I believe would be maximally forward-compatible
> with future non bogo-authentication.
>
> I guess we don't want to allow people to set userid's which
> look like IP addresses or host names.
>
> Perhaps we should only allow people to log in with userid's
> which are WikiWords, so as to encourage userids to be the names
> of homepages?
>
>
> Speak now or suffer the short term consequences.
>
> Jeff
>
>
> _______________________________________________
> Phpwiki-talk mailing list
> Php...@li...
> http://lists.sourceforge.net/lists/listinfo/phpwiki-talk
>

---
http://www.panix.com/~swain/
"Without music to decorate it, time is just a bunch of
boring production deadlines or dates by which bills must be paid."
-- Frank Zappa
http://pgp.document_type.org:11371/pks/lookup?op=get&search=0xF7323BAC
|
From: Reini U. <ru...@x-...> - 2001-07-20 16:32:17
|
Jeff Dairiki wrote:
> How's this for an interim solution (until we get real user
> authentication, that is)?
>
> Allow anyone to log in (via HTTP authentication,
> the same way the admin currently logs in) with any userid
> except the admin user, and any password.

yes. but why not also the admin?
the admin check is done later in user_auth.

other wiki's do it with simple userid cookies instead of auth.
setting up the db auth scheme is not that trivial. cookies are easier.

> This would be a trivial hack, and I believe would be maximally forward-compatible
> with future non bogo-authentication.
> I guess we don't want to allow people to set userid's which
> look like IP addresses or host names.
>
> Perhaps we should only allow people to log in with userid's
> which are WikiWords, so as to encourage userids to be the names
> of homepages?

good idea. count me pro.
--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
|
From: Jeff D. <da...@da...> - 2001-07-20 16:49:47
|
>yes. but why not also the admin?
>the admin check is done later in user_auth.

I don't think we want random people to be able to make edits which appear to be signed by the admin.

>other wiki's do it with simple userid cookies instead of auth.
>setting up the db auth scheme is not that trivial. cookies are easier.

(Password) authentication however is on the to-do list. The motivations for adding real authentication include:

* Page ownership (read-only or add-only pages).
* Page change notification (authentication prevents the use of this feature for mail-bombing unsuspecting recipients.)
* The (server-side) storage of large amounts of per-user state data could be used to do things like list/highlight changes since last visit, etc... (Cookies can only store a finite amount of information.)

>> This would be a trivial hack, and I believe would be maximally forward-compatible
>> with future non bogo-authentication.

The one problem I see with my proposed hacks is that it's going to be fairly confusing to the user. Since it's going to use the HTTP authentication mechanism (as currently used for admin logins) there's not much opportunity to issue meaningful prompts.
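
The interim scheme discussed in this thread (any userid except the admin's, any password, WikiWord-shaped userids only), sketched as an added example; it is not PhpWiki code and not written by any of the posters. `ADMIN_USER`, the simplified WikiWord pattern, and the function names `check_bogo_userid` and `bogo_login` are assumptions made for illustration.

```php
<?php
// Added illustration, not PhpWiki code. ADMIN_USER and WIKIWORD_RE are
// assumptions for this example; the real WikiWord pattern may differ.
const ADMIN_USER  = 'WikiAdmin';                   // hypothetical admin userid
const WIKIWORD_RE = '/^(?:[A-Z][a-z]+){2,}$/';     // simplified WikiWord shape

/** Returns [bool $ok, string $reason] for a userid offered without proof. */
function check_bogo_userid(string $userid): array
{
    // The admin name may itself be a WikiWord, so it needs its own check:
    // otherwise anyone could sign edits as the admin. Case-insensitive so
    // that "wikiadmin" is reported as a reserved name, not as a format error.
    if (strcasecmp($userid, ADMIN_USER) === 0) {
        return [false, 'reserved admin userid'];
    }
    // Userids that look like IP addresses or host names are refused.
    if (filter_var($userid, FILTER_VALIDATE_IP) !== false) {
        return [false, 'looks like an IP address'];
    }
    if (strpos($userid, '.') !== false) {
        return [false, 'looks like a host name'];
    }
    // The WikiWord rule would reject both of the above as well (no dots or
    // digits allowed); the explicit checks only give clearer reasons.
    if (preg_match(WIKIWORD_RE, $userid) !== 1) {
        return [false, 'not a WikiWord'];
    }
    return [true, 'ok'];
}

/** Build the login record from HTTP authentication fields; null if refused. */
function bogo_login(array $server): ?array
{
    $userid = $server['PHP_AUTH_USER'] ?? '';
    [$ok] = check_bogo_userid($userid);
    // PHP_AUTH_PW is deliberately ignored. The record says the identity is
    // unverified, so code added later for real authentication can tell the
    // two kinds of userid apart.
    return $ok ? ['userid' => $userid, 'authenticated' => false] : null;
}

// Constructed sample inputs.
foreach (['JaneDoe', 'WikiAdmin', 'wikiadmin', '192.168.0.7',
          'proxy.example.org', 'bob'] as $u) {
    [$ok, $why] = check_bogo_userid($u);
    printf("%-18s %s (%s)\n", $u, $ok ? 'accept' : 'reject', $why);
}
var_dump(bogo_login(['PHP_AUTH_USER' => 'JaneDoe', 'PHP_AUTH_PW' => 'anything']));
```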