This is the discussion page. Back to HtpasswdForm

Firstly, I must say i deployed PM Wiki for a small group of people within my organisation and it was a Huge Success!!! So a big Thank you to the PMWiki Team

We plan to deploy the same across more users and varied group accesses. Thus I have couple of questions for this deployment

1. In the GroupAttributes, each member addition to the group including the existing list becomes a little exhaustive as all the previous members have to be added again first. Is there a way where an xls file or a file of some other format can be used as an Input to update the GroupAttributes.

If your question refers to PmWiki:GroupAttributes not to HtpasswdForm: you should add all your users to a "user group", say "@office1-edit", either with HtpasswdForm or in SiteAdmin.AuthUser. Then in the form Group.GroupAttributes?action=attr, you add only the user groups that have access, like "@admins @office1-edit", not the individual users. If your question refers to the group editor of HtpasswdForm not to PmWiki:GroupAttributes: to add a new user to an existing group, select the radio button of the group, then below leave the "Group:" field empty and type the new username(s) in the "User(s):" field. Then press "Add a user". The new user(s) will be added to the selected group without the need to type the existing members. --Petko May 31, 2020, at 07:09 AM

2. Is there a way to get the list of members who have access (and attributes they have access to) to each group and subsequent pages. This would help for record keeping purposes for future.

There is a list of all permissions enabled on the wiki, open the page SiteAdmin.AuthList. --Petko May 31, 2020, at 07:09 AM

3. Also since there is Print feature, is there a way to watermark in case a user tries to print the page.

This is not foolproof but should work in most recent browsers. Create a file local.css in the pub/css/ directory if it doesn't exist. Add the following code, adapted for your needs. --Petko May 31, 2020, at 07:09 AM
@media print {
  #wikitext::before {
    content: "Property of Company Intl Ltd";
    text-align: center;
    position: fixed;
    z-index: 9999;
    top: 20vh;
    color: rgba(100,100,100,.3);
    font-size: 3em;
    transform: rotate(45deg);
This will not prevent someone from copying the page text to a word processor and printing it from there without watermarks. --Petko May 31, 2020, at 07:09 AM

4. In addition is it possible to keep statistics about the footfall to each page and contributions by the members.

Not for the visitor statistics -- search the cookbook (total counter I believe but people have reported difficulties). Edits per page can be seen in ?action=diff or the "History" link, and we monitor Site.AllRecentChanges (here with LocalTimes and PendingChanges). --Petko May 31, 2020, at 07:09 AM

Thank you (--Kannan)

Thank you once again for the quick response, I used the new recipe for the htpasswdform.php, ( I did not check to see what was the difference, my bad) however the issue seems to still persists. I continue to get the warning as stated earlier, and this is triggered only when I have not logged in. -Kannan

I found the error I had incorrectly set $HtpasswordForms to 1 in the local customization file, however now all I get is the new user form :-)

For the record, all the user-customizable global variables (documented in the configuration section of the recipe page Cookbook.HtpasswdForm#config) default to reasonable values. --Dfaure January 16, 2020, at 07:28 AM

Same for most other core features and recipes. --Petko January 16, 2020, at 07:35 AM

Thank you for the response on the previous question, I made the mistake of stating :htpasswdform: instead of (:htpasswdform:) , i.e., within braces, however now for new user creation the expectation is that I still have to login as an admin, i saw similar questions on this and I initialised the newuser global to one just prior to including the htpassform.php file , however this had no impact (Im new to php). In addition when Im not logged in i get the following warning

Cannot use a scalar value as an array in C:\xampp\htdocs\cookbook\htpasswdform.php on line 415

 - Kannan. 

It seems you trigger a bug. The recipe should now be fixed --Dfaure January 14, 2020, at 05:16 PM

The file local/Site.HtpasswdForm.php is not seen, I made the required changes in the config.php file and by looking at few of the above question i realised that is a mistake, can the variables be initialized in config.php or does it have to be in another configurable file? -- Kannan

According to the LocalCustomizations page, the configuration written in a local/<Group>.<Page>.php file is only taken in account in the corresponding <Group>.<Page> wiki page. All the recipe configuration may be made from the main configuration file config.php, but this would potentially enable the markup onto every wiki page (which is not necessarily the expected behavior). --Dfaure January 13, 2020, at 12:35 PM

Is the cookbooks newest version really PHP72 compliant? When I create a new user, there is a php error message "Deprecated: Function create_function() is deprecated in ... /cookbook/htpasswdform.php on line 609" -- Siegfried Seibert, 2019-03-11

The recipe has been fixed --Dfaure March 11, 2019, at 11:50 PM

There does not appear to be an error message when a user types an incorrect 'old' password. Can this be added? -- Allister.

This is a feature. See the password changer form note. --Dfaure

It seems any user can create the password form by just including (:htpasswdform:) in any page.

If any user can get access to the password form, what's the point of adding security to my password form page? How can we prevent users from making their own password form page? -- Sean, Sep 2006

You should both take care of narrowing the recipe (wiki page) scope, avoiding using local/config.php and adding include_once("cookbook/htpasswdform.php"); only in local/Site.HtpasswdForm.php (for example), and set the desired page permissions (browsing [[Site.HtpasswdForm?action=attr]]).

I've tried following the above steps and all I get is (:htpasswdform:) in my page - what am I missing?

(I set the following variables before the include_once call in the local page customization file: $EnableHtpassword, $HtpasswdFile and $HtpasswordDefaultType)

Before all you should make sure that your customization file is related to the page (name) you're working with ('local/Test.MyPasswdEditor.php' file for 'Test.MyPasswdEditor' page for example). Further details are available here. --Dfaure

Also check your local or farm config.php files to make sure that you haven't inadvertently included htpasswdform.php there - that can also cause problems. shi

Basically, i want to be able to give someone an initial password, but force them to change it on first login.

Is it possible to flag something in a php recipe that would force the user to change their password after logging in? If not, this would be a useful checkbox to have on the admin form. --Lordmundi, 2007-03-23

This behavior is beyond the scope of the recipe --Dfaure July 03, 2007, at 03:50 AM

Our Apache runs on a server with a UTF-8 locale. Adding either a group or a user with accented characters (e.g., åland) results in the following error message: "Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1025 bytes) in /var/www/pmwiki/cookbook/htpasswdform.php on line 526". The requested user name gets added about 131 times to the htpasswduser file, each line with a different apr1 crypt. The htpasswdform version is 2007-07-03 and our locale settings mimic these: --Pervilä 13.7.2007

AFAIK, Apache configuration/directives files are used to be plain acsii text files only (and alas, the htpasswd is one of them)... --Dfaure July 23, 2007, at 05:49 PM

I had more time to debug the problem above. Actually, the htpasswd file's content is written with UTF-8 encoding, correctly (verified with od). Line 529 is the fgets call, and for a moment I suspected rtrim beneath it. It is not the culprit - by changing the memory limit (ini_set("memory_limit"...)) of the htpasswdform script, the error message changes. So something starts to leak memory when UTF-8 is used. I'm not even sure it is htpasswdform anymore. UserAuth2-Talk contains something similar. --Pervilä 29.9.2007

Not sure if it is a bug. Unauthororized user can't create new user account (even the form does show). After I change the 59th line from
if(IsEnabled($HtpasswordNewUsers, 0))
if(IsEnabled($HtpasswordNewUsers, 1))
then it's all set... -- Terrence

The "normal" (and future-proof version) way to define a flag is to do it in your local configuration file just before the script reference:

$HtpasswordNewUsers = 1;
--Dfaure August 31, 2007, at 06:51 AM

passwords don't match.
line 447
if($plain != $_REQUEST['passwd2']) {
change to
if(!$plain or $plain != $_REQUEST['passwd2']){

Technically speaking, Apache and the related tools are able to handle blank passwords but since PmWiki prohibits them the default behavior has been changed (you should now set explicitely $HtpasswordMandatory = 0; to allow blank passwords). --Dfaure October 12, 2007, at 08:51 AM

Is it possible to expand the recipe, that new users (i have set HtpasswordNewUsers to 1) have to provide their email-address in the comment field when they are registering themselves? schroe? January 28, 2008

Available in last release. --Dfaure March 18, 2008, at 09:54 AM

Is there a way to expand more required options to be included in new-user registration such as telephone number, address, etc.? If so, how do I do that? Thanks, Chris 8-26-08

This would require a large rewriting of the recipe, which is not really planned for now. --Dfaure August 26, 2008, at 07:12 AM

Ok, once again I have a question. This might be useful to many other people, so I'm requesting this via the Wikipage. I understand that my previous question asking if I could require more fields than just username, password and e-mail are not possible. However, what if I knew what type of e-mail addresses they should have. So, for example I knew that their e-mail address (if they were a part of my organization) ended in If that were so, would there be a way I could program into HtpasswdForm that it would only accept certain e-mail address locations (such as Also, would there be a way that after they register, I could program HtpasswdForm to send an e-mail to their e-mail address to make sure its a valid e-mail address automatically? -Chris August 30, 2008

Thanks for your quick response! I'm in a time crunch and therefore, although the news isn't positive, am benefitting from your timeliness. ;-) Ok, so, is there a way that I could have a new user register via this recipe, but then require them to have their accounts on hold until I approve it to when I receive all the information from them? Practically, I have a new user register giving their username, password, e-mail address and then have their account on hold until I approve it (by requiring them to send me an e-mail with the required information such as home phone, address, etc.?) Thanks, Chris 8-26-08

Like an above user, I followed the directions at the top of the page (using the example filenames, etc.), but when I visit the page, I get a page-not-found error: "The page "Site.HtpasswdForm" doesn't exist." local/Site.HtpasswdForm.php contains only "include_once("$FarmD/cookbook/htpasswdform.php");", the htpasswdform.php is in the /cookbook directory. --Xax? March 15, 2008

You must also create a Site.HtpasswdForm page containg the (:htpassword:) directive. --Dfaure March 16, 2008, at 05:18 AM

forceflow Could you add the functionality for regular users to update their 'comment' field too ? Very useful if you store e-mail adresses there.

Implemented in latest release. --Dfaure July 28, 2008, at 05:18 PM

Could you please explain how to use $HtpasswordForms to customise the forms (especially the user-registration form)? (I really like this recipe, by the way; it's fantastic to be able to use the same users and groups elsewhere!) Sam Wilson May 29, 2008, at 08:48 PM

The $HtpasswordForms forms are made of regular markup texts in which some tokens/placeholders are replaced to a computed definition:

The user password change markup code in which the $UserName token will be replaced by the name of the currently authenticated user (333).
The new user registration form (388), handling the $UserInfo and $Captcha tokens as place holders for the next sub-form optional elements:
The user comment field (395).
The captcha field (402).

(bracketed numbers refer to the source code lines where each variable is defined. --Dfaure May 30, 2008, at 05:10 AM

In my setup there are various groups, each with his set of moderators (elsewhere decided by membership in @groupmoderator). What I need is that a moderator should be able to add users to *his group* (add, delete new users). What changes should I make?

This feature is not planned for now. --Dfaure July 28, 2008, at 05:18 PM

Is there a password reminder/reset feature? Sam Wilson July 16, 2008, at 01:37 AM

Implemented in latest release using the user comment field. --Dfaure July 28, 2008, at 05:18 PM

Adding a user to a group which already includes a user with the same part of the name. (Adding 'Tom' to a group already containing 'Tommy') fails.

Fixed in latest release --Dfaure October 27, 2008, at 05:59 AM

How can I use the regular user form to display?

Can I create a new user if I'm already logged in? I'm using $HtpasswordNewUsers = 1, but sometimes already registered and logged in users want to help a new user to create a new account. Do the need to log out, or is there another method? 2010-05-02 OliverBetz

There's not other way than logging out to create another account. Providing a logout link on the auth page may be helpful. You may use: %rel=nofollow% [[{$Name}?action=logout| $[Logout] ]] --Dfaure May 02, 2010, at 04:24 PM

I want HtpasswdForm to use the htpasswd and htgroup files specified in SiteAdmin.AuthUser. This doesn't seem to work because the "$pn = FmtPageName($AuthUserPageFmt, $pagename);" line in HtAuthUserInit() assigns 'Site.AuthUser' to $pn instead of 'SiteAdmin.AuthUser' even though $pagename is 'SiteAdmin/AuthUser'. Since the default Site.AuthUser just redirects and doesn't contain the htaccess/htgroup file name, HtpasswdForm doesn't find the files. My current workaround is to simlink Site.AuthUser to SiteAdmin.AuthUser. Can the code be fixed so that this workaround is unnecessary?

You only have to go a step further in the recipe configuration itself, adding the following 1st extra line to your configuration file:

$AuthUserPageFmt = '$SiteAdminGroup.AuthUser';

--Dfaure December 11, 2010, at 04:46 AM

There appears to be a bug in the version 2017-06-19. Line 88 should read something like (NB emphasis):

Markup('htpasswdform', '<split', '/\\(:htpasswdform(.*?):\\)/ei', "HtpasswdForm(PSS('$1'))");

sroracle? July 14, 2017, at 07:28 PM

I stupidly uploaded the recipe in a "test state". The last version is fixed. --Dfaure July 15, 2017, at 02:53 AM

Talk page for the HtpasswdForm recipe (users).