On Sun, May 24, 2009 at 1:53 AM, John Rankin <john.ran...@affinity.co.nz> wrote:
> It seems to me that we ought to be able to define a custom
> $AuthFunction that checks the IP address of the requestor,
> rather than asking for a username and password. Then the
> custom auth function can authenticate the request based on
> the fact that it comes from an IP address pmwiki trusts.
> It may have to grant "admin" rights, especially where the
> request is retrieving multiple pmwiki pages.
>

Something along these lines might work (UNTESTED - basically just making a wrapper for PmWikiAuth())...

    $AuthFunction = 'MyAuthFunction';
    # Patterns for addresses that may skip the password prompt
    $PrivilegedIP = array('/^100\.100\.100\.[0-9]*$/', '/^89\.90\.91\.92$/');

    function MyAuthFunction($pagename, $level, $authprompt, $since) {
      # $action is a PmWiki global and must be imported to be visible here
      global $PrivilegedIP, $action;
      # Never bypass the normal check for editing or attribute-setting
      if (!in_array($action, array('edit', 'attr')))
        foreach ($PrivilegedIP as $IPPat)
          if (preg_match($IPPat, $_SERVER['REMOTE_ADDR']))
            return true;
      return PmWikiAuth($pagename, $level, $authprompt, $since);
    }

You'll note I've made a quick attempt to disallow editing and attribute-setting using this "Privileged IP" authentication. If that's not desirable then just delete the line with "if (!in_array...". If there are other actions I'm thinking of that should not be available then just edit the array (or, better yet, change it into a configurable var).

I *think* I've read that $_SERVER['REMOTE_ADDR'] can be spoofed, so be aware that this opens a potential security hole. That's why I've made a rudimentary effort to allow only browsing using this form of authentication.

-Peter
_______________________________________________
pmwiki-devel mailing list
pmwiki-devel@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-devel
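
An added example, not part of the message above or of PmWiki: the same allowlist decision written with CIDR ranges instead of regular expressions, so that malformed addresses and prefix lengths fail closed and the denied actions are checked before any address match. The function names and sample addresses are hypothetical; in a real wrapper the address would come from $_SERVER['REMOTE_ADDR'], which behind a reverse proxy is the proxy's address rather than the client's.

```php
<?php
// Added example; function names are hypothetical, not part of PmWiki.
// True if $ip lies inside $cidr (IPv4 or IPv6); malformed input fails closed.
function ip_in_cidr(string $ip, string $cidr): bool {
    $parts = explode('/', $cidr, 2);
    $addr = @inet_pton($ip);
    $net  = @inet_pton($parts[0]);
    if ($addr === false || $net === false || strlen($addr) !== strlen($net)) {
        return false;                 // unparsable, or IPv4 vs IPv6 mismatch
    }
    $maxBits = strlen($net) * 8;
    $bits = $parts[1] ?? (string)$maxBits;
    if (!ctype_digit($bits) || (int)$bits > $maxBits) {
        return false;                 // bad prefix length
    }
    $bits = (int)$bits;
    $full = intdiv($bits, 8);         // whole bytes covered by the prefix
    $rem  = $bits % 8;                // leftover bits in the next byte
    if (strncmp($addr, $net, $full) !== 0) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($addr[$full]) & $mask) === (ord($net[$full]) & $mask);
}

// Should the password prompt be skipped for this request? (assumed policy:
// denied actions always go through normal authentication)
function privileged_ip_allows(string $ip, string $action, array $cidrs, array $denied): bool {
    if (in_array($action, $denied, true)) {
        return false;
    }
    foreach ($cidrs as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}
// Constructed sample data mirroring the ranges in the post above.
$cidrs  = ['100.100.100.0/24', '89.90.91.92/32'];
$denied = ['edit', 'attr'];
foreach ([['100.100.100.7', 'browse'], ['100.100.100.7', 'edit'],
          ['100.100.100.9999', 'browse'], ['100.100.101.7', 'browse']] as [$ip, $act]) {
    $r = privileged_ip_allows($ip, $act, $cidrs, $denied) ? 'skip prompt' : 'normal auth';
    printf("%-17s %-7s %s\n", $ip, $act, $r);
}
```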