To answer my own question, I found that groups as members of groups is not a
current feature and is being discussed in
<http://www.pmwiki.org/wiki/PITS/01232>. Part of the question being asked is
what if you have multiple levels of groups. I could live with one level for my
current application, but I do believe that full multi-level recursive groups
would make more sense to admins.
I'll solve my immediate problem by just fulling listing each group membership.
Thanks.
Paul
On 27 Jan 2011, at 10:17 AM, Paul E. Bloch wrote:
> We are using AuthUser for PmWiki access control. I have two questions.
> Is there away to allow access for everyone except members of a group?
> Is there a variable like $AuthId that tracks the group of a user? I am
> mostly interested in using this for testing, so ideally it would be the group
> membership that allowed access to a page.
>
> More details of our configuration and requirements.
>
> We are using htpasswd and htgroup files to define users and groups.
> Currently we require a login for any access to the wiki and some page groups
> are further protected so that only members of a specific group can access
> those pages. Here are the relevant lines from our config.php:
>
> $DefaultPasswords['admin'] = '@admin';
> $DefaultPasswords['attr'] = '@admin';
> $DefaultPasswords['edit'] = 'id:*';
> $DefaultPasswords['upload'] = 'id:*';
> $DefaultPasswords['read'] = 'id:*';
>
> $AuthUser['htpasswd'] = '/etc/pmwiki.passwd';
> $AuthUser['htgroup'] = '/etc/pmwiki.group';
> include_once("$FarmD/scripts/authuser.php");
>
> This give the basic access requirement of a login in our htpasswd file for
> the entire site. For wiki groups that require more restrictive access we
> change the attributes on the GroupAttributes page to have a read password of
> '@groupname' where the membership of groupname is defined in the htgroup file.
>
> http://example.com/pmwiki/pmwiki.php?n=GroupName.GroupAttributes?action=attr
>
> and the htgroup file has entries like
>
> admin: paul jdash tom sue
>
> There is a new requirement to allow a new group of users access to ONLY pages
> in their wiki group. I could put everyone in a group 'all' and then make the
> default read access be '@all', but that requires maintaining that group.
> Every time we add a new person we add them to 'all', making sure not to add
> the users with more restrictive rights. Not terrible but it seemed like
> there might be a better way.
>
> The AuthUser documentation describes a method of excluding individuals from
> password groups. The example of keeping Fred out of a group is
>
> $DefaultPasswords['attr'] = array('id:*,-Fred');
>
> I reasoned that since my new group included members who were only allowed to
> access pages in their group, I should be able to exclude them just as Fred is
> excluded in the example. So I tried modifying my config.php like this:
>
> $DefaultPasswords['read'] = array('id:*,-@specialgroup'); # I tried both
> of these.
> $DefaultPasswords['read'] = array('id:*','-@specialgroup');
>
> I was hoping that everyone but members of @specialgroup would have default
> read access. Then I could change the GroupAttibutes to allow @specialgroup
> read access to their pages. That does't seem to work. Am I using the wrong
> syntax or doing things in the wrong order? Or is excluding a group not
> possible?
>
> Paul
>
>
> _______________________________________________
> pmwiki-users mailing list
> [email protected]
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
