Thoughts On Access Control

User-based authentication

AuthUser

Pm, please complete ... thank you.

UserAuth

What is this? How is it different than AuthUser?

Password-based authentication

Pm, please comment .... Why is this easier to maintain for administrators? At a glance, it seems AuthUser is easier for authors?

Answer: With accounts you should create one account per user accessing the site, then organize them in groups, give the groups permissions and so on. If you have lots of editors then of course this is more work than simply sending an email with a password in it. The drawback is that if one of the users starts misbehaving you must redistribute new passwords to everybody rather than simply disabling one account.

Of course it is possible to emulate a passwords-based approach with a user approach by everybody using the same account, but why distribute two tokens (the username everybody uses and the password everybody uses) when one will suffice? If you only have people share user accounts, the two are logically equivalent so of course...
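The trade-off described in the answer above, shown as a PmWiki `local/config.php` fragment. This is an added example, not part of the original discussion; the user names, group name and passwords are constructed placeholders.

```php
<?php if (!defined('PmWiki')) exit();
# local/config.php -- constructed example; all names and secrets are placeholders.

# --- Option A: passwords only ------------------------------------------
# One shared edit password for every editor. If one editor misbehaves,
# the only remedy is to change this value and send the new password to
# everybody else.
# $DefaultPasswords['edit'] = pmcrypt('shared-edit-placeholder');

# --- Option B: one account per user (AuthUser) -------------------------
# Each person has their own credential. A pre-computed hash can be stored
# here instead of calling pmcrypt() on a plaintext value.
$AuthUser['alice'] = pmcrypt('alice-placeholder');
$AuthUser['bob']   = pmcrypt('bob-placeholder');
# Disabling a single account is a one-line change that affects nobody else:
# $AuthUser['carol'] = pmcrypt('carol-placeholder');

# Permissions are granted to the group, not to individuals, so membership
# is the only thing that changes when people join or leave.
$AuthUser['@editors'] = array('alice', 'bob');

# Load AuthUser after the account and group definitions above.
include_once("$FarmD/scripts/authuser.php");

# Edit rights go to the group; admin rights go to one named account.
$DefaultPasswords['edit']  = '@editors';
$DefaultPasswords['admin'] = 'id:alice';
```

With Option B, revoking carol leaves alice's and bob's credentials untouched; with Option A, the same event forces a new shared password for everyone.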

Drawbacks

Pm, please comment ... It is difficult to remember all the commands for a "passwords"-based system, e.g. clear, @lock, @nopass, ?add=attr; it adds headache.

(mgb) The way PmWiki is currently set up (for example, using AuthUser), it is painful to administer access control either with user accounts or with passwords only. That's because users can't easily maintain their own account/passwords. The administrator basically has to do everything. If a user loses a password or wants to change it, the administrator has to take care of it. It would be nice to have a true user account management system built in (perhaps another cookbook?), and for the wiki to use this method to do this if a flag is turned on.

Advantages

Pm, please comment ....

Things Visitors Wish For

  • I'd like to be able to log in and log out as the admin and not let anyone else edit.
    • Why?
      • So I can use PmWiki as a CMS system too, and not just as a Wiki.
      • Seconded; example: would like for teachers to be able to log out after editing their pages, so that students can't come along to their computer & muck with their work when their backs are turned.
    • How?
      • Using an "if" statement in a "skin," it's possible to hide all the edit, history, etc., links.
      • Then, once I, as the admin, log in, I would see all those, but regular visitors wouldn't.

UpdateMe

This page may have a more recent version on pmwiki.org: PmWiki:ThoughtsOnAccessControl, and a talk page: PmWiki:ThoughtsOnAccessControl-Talk.

Page last modified on September 10, 2011, at 04:08 PM