phpwiki-talk

Re: [Phpwiki-talk] To clarify re:security question

[John K. <jo...@ke...>]

>  > ... perhaps I should have put glowing neon lights
>  > and dancing animated gifs around the word "simple" in my request.

Hi,

In case Jeff's explantion needs additional simplification, here's the 
step-by-step version :)
Wise ones please check this and make sure I haven't got it wrong. 
Seems to work for me.


All file paths are relative to the phpwiki folder.

* Open index.php
* Find: define('ADMIN_USER', "admin");
* Add two new lines under the ADMIN_PASSWD line:

  define('RESTRICTED_USER', "user");
  define('RESTRICTED_PASSWD', "test");

* Now open lib/WikiUser.php
* Scroll to the end and replace the whole of the _pwcheck function with this:

     function _pwcheck ($userid, $passwd) {
         global $WikiNameRegexp;
        
         if (!empty($userid) && $userid == ADMIN_USER) {
             if (!empty($passwd) && $passwd == ADMIN_PASSWD)
                 return WIKIAUTH_ADMIN;
             return false;
         }
         elseif (!empty($userid) && $userid == RESTRICTED_USER) {
             if (!empty($passwd) && $passwd == RESTRICTED_PASSWD)
                 return WIKIAUTH_USER;
         }
         return false;
     }

* Finally open lib/main.php
* Halfway down you'll find this:

             case 'edit':
                 if (defined('REQUIRE_SIGNIN_BEFORE_EDIT') && 
REQUIRE_SIGNIN_BEFORE_EDIT)
                     return WIKIAUTH_BOGO;
                 return WIKIAUTH_ANON;

Replace it with this:

             case 'edit':
                 return WIKIAUTH_USER;


I think that should do it.

John.
-- 
------------------------------------
     0113 2289316 / 07944 755613
jo...@ke... / www.kershaw.org
  AOL johnkershaw / Y! john_m_kershaw
------------------------------------

Re: [Phpwiki-talk] To clarify re:security question

[Jeff D. <da...@da...>]

> Wise ones please check this and make sure I haven't got it wrong. 
> Seems to work for me.

It looks right to me.  Thank you, John, very much for fleshing it
out (and testing).

If I can find time, I'll try to check something like this into CVS next
week.  I think it would probably be useful to have a simple two-user
option like this even after Reini's full multi-user support is available.

Re: [Phpwiki-talk] To clarify re:security question

[John K. <jo...@ke...>]

>  > Wise ones please check this and make sure I haven't got it wrong.
>>  Seems to work for me.
>
>It looks right to me.  Thank you, John, very much for fleshing it
>out (and testing).
>
>If I can find time, I'll try to check something like this into CVS next
>week.  I think it would probably be useful to have a simple two-user
>option like this even after Reini's full multi-user support is available.

I've tried to follow the stuff about Unix-style permissions and 
failed! A simple option like this for 'the rest of us' would be 
great. If you're going to go to the trouble, could you make it that 
the username/password pairs are stored in a text file that would be 
easily edited.

Or maybe a third option, a half-way house: one password that fits any 
WikiWord login name? That way I can tell everyone a single password, 
but their login name is still attached to their alts.

Is this a good or bad idea?

John.
-- 
------------------------------------
     0113 2289316 / 07944 755613
jo...@ke... / www.kershaw.org
  AOL johnkershaw / Y! john_m_kershaw
------------------------------------

Re: [Phpwiki-talk] To clarify re:security question

[Jeff D. <da...@da...>]

> If you're going to go to the trouble, could you make it that 
> the username/password pairs are stored in a text file that would be 
> easily edited.

It would be much simpler (codewise) (and the point of this hack is
simplicity, after all) if these were just stored as a PHP hash in
index.php, like:

  $WikiUsers = array( 'JeffDairiki' => 'JeffsPassword',
                      'JohnKershaw' => 'Your Password' );

Would that be okay?

> Or maybe a third option, a half-way house: one password that fits any 
> WikiWord login name?

Interesting idea.  I think it's probably appropriate for certain
situations.

Re: [Phpwiki-talk] To clarify re:security question

[John K. <jo...@ke...>]

>  > If you're going to go to the trouble, could you make it that
>>  the username/password pairs are stored in a text file that would be
>>  easily edited.
>
>It would be much simpler (codewise) (and the point of this hack is
>simplicity, after all) if these were just stored as a PHP hash in
>index.php, like:
>
>   $WikiUsers = array( 'JeffDairiki' => 'JeffsPassword',
>                       'JohnKershaw' => 'Your Password' );
>
>Would that be okay?

That would be fine. Stored in index.php?

>  > Or maybe a third option, a half-way house: one password that fits any
>>  WikiWord login name?
>
>Interesting idea.  I think it's probably appropriate for certain
>situations.

How about:

  $WikiUsers = array( 'JeffDairiki' => 'JeffsPassword',
                       'JohnKershaw' => 'Your Password',
                       '*' => 'General Password' );

John.
-- 
------------------------------------
     0113 2289316 / 07944 755613
jo...@ke... / www.kershaw.org
  AOL johnkershaw / Y! john_m_kershaw
------------------------------------

Re: [Phpwiki-talk] To clarify re:security question

[Reini U. <ru...@x-...>]

Jeff Dairiki schrieb:
>>If you're going to go to the trouble, could you make it that 
>>the username/password pairs are stored in a text file that would be 
>>easily edited.
> 
> It would be much simpler (codewise) (and the point of this hack is
> simplicity, after all) if these were just stored as a PHP hash in
> index.php, like:
> 
>   $WikiUsers = array( 'JeffDairiki' => 'JeffsPassword',
>                       'JohnKershaw' => 'Your Password' );
> 
> Would that be okay?

Nope, too simple.
But I'll add AUTH_FILE also (pointing to /etc/passwd or any .htpasswd 
file), besides AUTH_DNS, AUTH_IMAP and AUTH_LDAP, which already works 
for me.
The .htpasswd solution is then an __optional__ Apache HTTP_AUTH 
solution, in contrast to a __required__ Apache HTTP_AUTH. With 
REQUIRE_HTTP_AUTH you __must__ login before you get to any page, with 
REQUIRE_AUTH_USER you try any of the supported auth mechanisms:
(PASS, FILE, DNS, IMAP, LDAP, BOGO, NONE).

I'll probably commit tomorrow, without groups and userprefs, when I get 
the permission checks correct. Jeff's page-meta data abstraction lib 
(WikiDB_Page::get) is perfect for this, probably better than a seperate 
table.
So I'll do the groups, permissions and user preferences (email, ...) in 
a wikipage, only the passwords are from the AUTH mechanism.
I don't really want to store the password in the page, besides I do want 
to have passwords for my group only at one single place. (radius or imap 
preferred). So it get's easily changed and remembered.

>>Or maybe a third option, a half-way house: one password that fits any 
>>WikiWord login name?
> Interesting idea.  I think it's probably appropriate for certain
> situations.

well, that's a good option for simple groups.
Maybe REQUIRE_AUTH_PASS?
-- 
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/