[pmwiki-users] suggestion for improved password admin
Neil Herber
nospam at mail.eton.ca
Sun Jan 23 19:11:02 CST 2005
I ran into a problem earlier today when trying to upload some pictures to
my own PmWiki.
It has (I thought!) password protection on all pages for uploads and the
upload link goes to a page called Guest.Uploads. This forces users to go to
the Uploads page and read about how it works. On the Uploads page I have a
password too, but it is revealed in a verbal captcha to keep spammers at bay.
Much to my surprise, I discovered that there was no "attr" password on that
page, which means anyone could have gone in and altered the upload
password. After some considerable difficulty, I think I have things
protected the way I want.
The $64 question is, could the ATTR form be made a little more helpful?
Right now, if I go to a group attributes page to check the attributes I see
nothing but a blank form. I can't tell what is set and what is not. I had
to use a text editor on the raw files to see what was going on.
Things would be a lot simpler if the form looked like this:
=========
Set new read password: (box) not set
Set new edit password: (box) not set
Set new attribute password: (box) *
Set new upload password: (box) set
===========
This indicates to me that on this page:
* the read and edit passwords are not set (nor are they set in config.php)
* the attribute password is picked up from config.php
* the upload password is set to some value here
This does not reveal any significant amount of information to a hacker, but
it tells me a lot!
For instance, entering "clear" in the attribute password box will have no
effect, because the attribute password comes from the config file. I have
to enter "nopass" instead if I really want to have no password.
Could this change become part of PmWiki?
At the very least, the language at the top of the form should be changed.
Currently it says:
>Enter new attributes for this page below. Leaving a field blank will leave
>the attribute unchanged. To clear an attribute, enter 'clear'.
It should say:
Enter new passwords for this page in the form below. Leaving a field blank
leaves the password unchanged. To clear a password, enter 'clear'. If the
password is set by config.php, entering 'clear' does not work - use
'nopass' instead to remove the password or enter a new password to override
the one in config.php.
Neil
Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668
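Added example (not PmWiki's own code, and not from the post above): a small Python model of the password precedence the post describes, to make the 'clear' versus 'nopass' trap concrete. It assumes the rules as the post states them: a page-level value overrides the config.php default, 'clear' only removes the page-level value so the config.php default applies again, and 'nopass' is itself a page-level value meaning "no password". It renders the status column the post proposes and adds a simple audit that lists pages whose attribute password resolves to nothing, which is the gap the post's author had to find with a text editor. The class, function and page names, and the sample passwords, are constructed for this illustration.

```python
# Added illustration, not PmWiki code: a model of the per-page password
# precedence described in the post (page-level value beats config.php
# default, 'clear' removes only the page-level value, 'nopass' is a
# page-level value meaning "no password"), the status indicators the post
# proposes, and an audit listing pages whose attr password is unprotected.
# All names and sample values below are constructed for this example.
from typing import Dict, List, Optional, Tuple

ATTRS = ("read", "edit", "attr", "upload")
CLEAR = "clear"     # form keyword: drop the page-level value, fall back to config.php
NOPASS = "nopass"   # page-level value meaning "explicitly no password"

# Constructed stand-in for site-wide defaults set in config.php.
CONFIG_DEFAULTS: Dict[str, str] = {"attr": "config-attr-secret"}


class PageAttributes:
    """Per-page password attributes layered over site-wide config.php defaults."""

    def __init__(self, name: str, page_passwords: Optional[Dict[str, str]] = None,
                 config_defaults: Dict[str, str] = CONFIG_DEFAULTS) -> None:
        self.name = name
        self.page = dict(page_passwords or {})
        self.config = dict(config_defaults)

    def apply_form(self, submitted: Dict[str, str]) -> None:
        """One submission of the attr form: a blank field leaves the attribute
        unchanged, 'clear' removes the page-level value (the config.php default
        then applies), and anything else, including 'nopass', becomes the
        page-level value."""
        for attr in ATTRS:
            value = submitted.get(attr, "").strip()
            if value == "":
                continue
            if value == CLEAR:
                self.page.pop(attr, None)
            else:
                self.page[attr] = value

    def effective(self, attr: str) -> Tuple[Optional[str], str]:
        """Return (password, source); source is 'page', 'nopass', 'config' or 'none'."""
        if attr in self.page:
            if self.page[attr] == NOPASS:
                return None, "nopass"
            return self.page[attr], "page"
        if attr in self.config:
            return self.config[attr], "config"
        return None, "none"

    def status(self, attr: str) -> str:
        """Indicator from the post: 'not set', '*' (from config.php), 'set' (on this
        page). Showing 'nopass' for an explicit no-password entry is this example's
        own choice; the post does not specify it."""
        source = self.effective(attr)[1]
        return {"page": "set", "config": "*", "nopass": "nopass", "none": "not set"}[source]

    def render_form(self) -> str:
        """The attr form with the status column the post asks for."""
        labels = {"attr": "attribute"}
        return "\n".join(
            f"Set new {labels.get(a, a)} password: (box) {self.status(a)}" for a in ATTRS
        )


def unprotected_attr(pages: List[PageAttributes]) -> List[str]:
    """Audit: names of pages whose attribute password resolves to no password,
    i.e. anyone could change that page's other passwords."""
    return [p.name for p in pages if p.effective("attr")[0] is None]


if __name__ == "__main__":
    uploads = PageAttributes("Guest.Uploads", {"upload": "page-upload-secret"})
    print(uploads.render_form())
    uploads.apply_form({"attr": "clear"})     # no effect: attr still comes from config.php
    uploads.apply_form({"attr": "nopass"})    # this is what actually removes attr protection
    print(unprotected_attr([uploads]))        # ['Guest.Uploads']
```

Running the script prints the four-line form exactly as the post sketches it (read and edit "not set", attribute "*", upload "set"), then shows that submitting 'clear' for the attribute password changes nothing while 'nopass' leaves the page in the audit list. The audit function is the kind of check worth running across all pages after any change to config.php defaults.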