00111: Password Inheritance Across Levels

Summary: Password Inheritance Across Levels
Created: 2004-10-24 18:57
Status: Closed
Category: Feature
Assigned:
Priority:
Version: 1.0.8
OS:

Description: When one has a separate edit and read password, going back to read a page requires re-entering the password. This seems unnecessary. Edit permissions should imply read permissions as well (since one can always read the page by editing it, but not vice versa). Similarly, attr privs should imply edit and read, since one can obtain these given that one has attribute changing rights. Here's a slightly modified replacement for BasicAuth() that does this:

function BasicAuth($pagename,$level,$authprompt=true) {

  global $AuthRealmFmt,$AuthDeniedFmt,$DefaultPasswords,
    $AllowPassword,$GroupAttributesFmt;
  # Hashes of stronger levels that also unlock $level
  # (attr implies edit implies read).
  $extrapass=array();

  $page = ReadPage($pagename);
  if (!$page) { return false; }
  @$passwd = $page["passwd$level"];
  if ($passwd!="") {
    # Page-level passwords: attr always qualifies, edit only when reading.
    # Empty entries are skipped so crypt() is never called with an empty salt.
    if (@$page["passwdattr"]!="") $extrapass[] = $page["passwdattr"];
    if ($level=="read" && @$page["passwdedit"]!="")
      $extrapass[] = $page["passwdedit"];
  } else {
    # No page password for this level: fall back to the group's attributes page.
    $grouppg = ReadPage(FmtPageName($GroupAttributesFmt,$pagename));
    @$passwd = $grouppg["passwd$level"];
    if (@$grouppg["passwdattr"]!="") $extrapass[] = $grouppg["passwdattr"];
    if ($level=="read" && @$grouppg["passwdedit"]!="")
      $extrapass[] = $grouppg["passwdedit"];
  }
  # The special "allow" password opens the level to everyone.
  if ($passwd!="" && crypt($AllowPassword,$passwd)===$passwd) return $page;
  if ($passwd=="") { $passwd=@$DefaultPasswords[$level]; }
  if ($passwd=="") return $page;   # no password anywhere: open access
  $given = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
  if ($given!="") {
    # Try the admin password, the inherited stronger-level passwords, then
    # the level's own password; strict comparison of the crypt() output.
    foreach (array_merge((array)@$DefaultPasswords['admin'],$extrapass,(array)$passwd) as $pw) {
      if ($pw=="") continue;
      if (crypt($given,$pw)===$pw) return $page;
    }
  }
  if (!$authprompt) return false;
  $realm=FmtPageName($AuthRealmFmt,$pagename);
  header("WWW-Authenticate: Basic realm=\"$realm\"");
  header("Status: 401 Unauthorized");
  header("HTTP-Status: 401 Unauthorized");
  PrintFmt($pagename,$AuthDeniedFmt);
  exit;

}


I'm suspending this simply to wait and see what happens with password authentication in PmWiki 2.0 development before resolving it in 1.0.

The problem described above has already been fixed in PmWiki 2.0 development, and will likely be backported into the 1.0 code at some point in the near future. The solution that PmWiki 2 uses is slightly different, however--rather than using attr implies edit implies read (which may still be implemented), PmWiki 2 caches all of the passwords used in a browser session so that once the edit or read password is entered it's not requested again.

--Pm
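The two approaches discussed on this page, the reporter's level inheritance (attr implies edit implies read) and Pm's note that PmWiki 2 remembers passwords across a browser session, combined in one added example. This is illustrative code written for this page, not PmWiki's BasicAuth() and not PmWiki 2's session handling; $LevelOrder, CandidateHashes(), CheckAccess() and the $session array are assumed names, and $session stands in for $_SESSION. It also departs from caching the entered password: it records which password hashes have been satisfied, so the session store never holds a cleartext password.

```php
<?php
// Added example for this page, not PmWiki code. $LevelOrder, CandidateHashes(),
// CheckAccess() and the $session array are assumed names for illustration.

// Levels from weakest to strongest: a password for a stronger level also
// unlocks every weaker one (attr implies edit implies read).
$LevelOrder = array('read', 'edit', 'attr');

// Hashes that grant $level on $page: the level's own hash plus the hashes of
// every stronger level. Empty hashes are dropped so crypt() never sees an
// empty salt.
function CandidateHashes($page, $level) {
  global $LevelOrder;
  $pos = array_search($level, $LevelOrder, true);
  if ($pos === false) return array();
  $hashes = array();
  foreach (array_slice($LevelOrder, $pos) as $l) {
    if (!empty($page["passwd$l"])) $hashes[] = $page["passwd$l"];
  }
  return $hashes;
}

// Grant $level if no qualifying password is set, if a qualifying hash was
// already unlocked earlier in this session, or if $given verifies against one
// of the qualifying hashes. Successes are remembered by hash, not by cleartext
// password, so the (server-side) session store holds no secrets.
function CheckAccess($page, $level, $given, &$session) {
  $hashes = CandidateHashes($page, $level);
  if (count($hashes) == 0) return true;
  if (!isset($session['unlocked'])) $session['unlocked'] = array();
  foreach ($hashes as $h) {
    if (isset($session['unlocked'][$h])) return true;
  }
  if ($given === null || $given === '') return false;
  foreach ($hashes as $h) {
    if (crypt($given, $h) === $h) {
      $session['unlocked'][$h] = true;
      return true;
    }
  }
  return false;
}

// Constructed sample page with all three passwords set (MD5 crypt with fixed
// salts so the run is reproducible) and an empty session standing in for
// $_SESSION.
$page = array(
  'passwdread' => crypt('reader', '$1$readsalt$'),
  'passwdedit' => crypt('editor', '$1$editsalt$'),
  'passwdattr' => crypt('owner',  '$1$attrsalt$'),
);
$session = array();

$steps = array(
  'edit with the edit password'      => CheckAccess($page, 'edit', 'editor', $session),
  'read with no password'            => CheckAccess($page, 'read', null,     $session),
  'attr with no password'            => CheckAccess($page, 'attr', null,     $session),
  'attr with the edit password'      => CheckAccess($page, 'attr', 'editor', $session),
  'attr with the attr password'      => CheckAccess($page, 'attr', 'owner',  $session),
  'edit again with no password'      => CheckAccess($page, 'edit', null,     $session),
);
foreach ($steps as $what => $ok) {
  printf("%-32s %s\n", $what, $ok ? 'granted' : 'denied');
}
```

Run it with `php` on the command line. The sequence exercises both ideas: once the edit password has been accepted, the following read request needs no password at all, because the edit hash is among the hashes that qualify for read and it is already marked unlocked; the attr requests remain denied until the attr password itself is supplied, since inheritance only flows downward. A real deployment would key the unlocked set on the hash exactly as here, which is why a session store compromise yields hashes rather than passwords.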