We are using AuthUser for PmWiki access control. I have two questions.
Is there away to allow access for everyone except members of a group?
Is there a variable like $AuthId that tracks the group of a user? I am mostly
interested in using this for testing, so ideally it would be the group
membership that allowed access to a page.
More details of our configuration and requirements.
We are using htpasswd and htgroup files to define users and groups. Currently
we require a login for any access to the wiki and some page groups are further
protected so that only members of a specific group can access those pages.
Here are the relevant lines from our config.php:
$DefaultPasswords['admin'] = '@admin';
$DefaultPasswords['attr'] = '@admin';
$DefaultPasswords['edit'] = 'id:*';
$DefaultPasswords['upload'] = 'id:*';
$DefaultPasswords['read'] = 'id:*';
$AuthUser['htpasswd'] = '/etc/pmwiki.passwd';
$AuthUser['htgroup'] = '/etc/pmwiki.group';
include_once("$FarmD/scripts/authuser.php");
This give the basic access requirement of a login in our htpasswd file for the
entire site. For wiki groups that require more restrictive access we change
the attributes on the GroupAttributes page to have a read password of
'@groupname' where the membership of groupname is defined in the htgroup file.
http://example.com/pmwiki/pmwiki.php?n=GroupName.GroupAttributes?action=attr
and the htgroup file has entries like
admin: paul jdash tom sue
There is a new requirement to allow a new group of users access to ONLY pages
in their wiki group. I could put everyone in a group 'all' and then make the
default read access be '@all', but that requires maintaining that group. Every
time we add a new person we add them to 'all', making sure not to add the users
with more restrictive rights. Not terrible but it seemed like there might be a
better way.
The AuthUser documentation describes a method of excluding individuals from
password groups. The example of keeping Fred out of a group is
$DefaultPasswords['attr'] = array('id:*,-Fred');
I reasoned that since my new group included members who were only allowed to
access pages in their group, I should be able to exclude them just as Fred is
excluded in the example. So I tried modifying my config.php like this:
$DefaultPasswords['read'] = array('id:*,-@specialgroup'); # I tried both of
these.
$DefaultPasswords['read'] = array('id:*','-@specialgroup');
I was hoping that everyone but members of @specialgroup would have default read
access. Then I could change the GroupAttibutes to allow @specialgroup read
access to their pages. That does't seem to work. Am I using the wrong syntax
or doing things in the wrong order? Or is excluding a group not possible?
Paul
_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
