version=pmwiki-2.2.34 ordered=1 urlencoded=1 author=RandyB charset=UTF-8 csum=correct typo description=General use of passwords and login name=PmWiki.Passwords post= Save rev=220 targets=PmWiki.PasswordsAdmin,Category.Spam,PmWiki.PmWiki,PmWiki.WikiGroup,PmWiki.Security,PmWiki.AvailableActions,PmWiki.SpecialPages,PmWiki.GroupAttributes,PmWiki.Uploads,SiteAdmin.AuthList,PmWiki.AuthUser text=(:Summary:General use of passwords and login:)(:Audience: authors :)(:Description General use of passwords and login:)%0a>>rframe font-size:smaller%3c%3c%0a!!!! Table of contents%0a* [[#pageattr|Protect an individual page]]%0a* [[#groupattr|Protect a group of pages]]%0a* [[#siteattr|Protect the site]]%0a>>%3c%3c%0a[[PmWiki]] has built-in support for password-protecting various areas of the wiki site. Authors generally want to be able to apply passwords to individual pages or to [[wiki group]]s. Wiki Administrators can apply passwords to individual pages, to wiki groups, or to the [[PasswordsAdmin#settingsitewidepasswords|entire site]]. Setting an edit password on a [[#pageattr|page]] or [[#groupattr|group]] (or [[#siteattr|the entire site]]) is one of the most common ways to stop [[!spam]]. As with any access control system, the password protection mechanisms described here are only a small part of overall system and wiki [[security]].%0a%0a!! As an author editing pages...%0a%0aAn author will generally set 3 types of passwords:%0a# to control who can see a page or group, use @@read@@ passwords%0a# to control who can edit a page or group, use @@edit@@ passwords%0a# to control who can alter the passwords used to protect a page or group, use @@attr@@ passwords%0a%0aIf required most [[AvailableActions|page actions]] can be password protected.%0a%0a[[#pageattr]]%0a!!! Protect an individual page%0aTo set a password on an individual wiki page, add the [[AvailableActions|page action]]%0a%0a->@@?action=attr@@ %0a%0ato the page's URL (address) to access its attributes. Using the form on the attributes page, you can set or clear the @@read@@, @@edit@@, or @@attr@@ passwords on the page. In the form you enter the passwords as cleartext; PmWiki encrypts them for you automatically when it stores them. %0a%0a%0aAdditional options:%0a%0a* Leaving a field blank will leave the attribute unchanged. %0a* To remove a password from a page (''reverting back'' to the group's or site's default), enter %0a%0a-> @@ clear @@%0a%0a* To indicate that the page can be edited ''even if a group or site password is set'', enter %0a%0a-> @@ @nopass @@%0a%0a* To lock a page for everybody but the admin, enter %0a%0a-> @@ @lock @@%0a%0a* To assign the site's site-wide passwords to the @@read@@, @@edit@@, or @@attr@@ password for the page, enter %0a%0a-> @@ @_site_edit, @_site_read or @_site_upload @@%0a%0a[[#groupattr]]%0a!!! Protect a wiki group of pages%0aTo set a password on a [[wiki group]] is slightly more difficult -- you just set the passwords on a [[special page(s)]] in each group called %0a%0a->[[GroupAttributes]]%0a%0aFirst, you can get to the attributes page for `GroupAttributes by entering a URL (address) like %0a%0a->[@http://example.com/pmwiki/pmwiki.php?n=GroupName.GroupAttributes?action=attr@]%0a%0aReplace example.com with your domain name, and GroupName with the name of the group%0a%0aThen, using the form on the attributes page, you can set or clear the @@read@@, @@edit@@, or @@attr@@ passwords for the entire group. In the form you enter the passwords as cleartext; PmWiki encrypts them for you automatically.%0a%0aAdditional options:%0a%0a* To remove a password from a group (''reverting back'' to the site's default), enter %0a%0a->clear%0a%0a* To indicate that the group can be edited ''even if a site password is set'', enter %0a%0a->@nopass%0a%0a* To lock a group for everybody but the admin, enter %0a%0a->@lock%0a%0a* (Beginning with Ver 2.2.3) To assign the site's site-wide passwords to the @@read@@, @@edit@@, or @@attr@@ password for the group, enter %0a%0a-> @@ @_site_edit, @_site_read or @_site_upload @@%0a%0a%0a!! Passwords%0aPasswords may consist of any combination of characters, except double "quotes" or 'apostrophes'.%0aPasswords with spaces or colons must be entered using quotes, eg "foo bar" or "foo:bar".%0aObviously longer is [[http://www.microsoft.com/protect/fraud/passwords/create.aspx|better]], and on some systems passwords need to have 4 or more characters.%0a%0a!! Multiple passwords%0aMultiple passwords for a page, group or site are allowed. %0aSimply enter multiple passwords separated by a space. This allows you to have a read password, a write password, and have the write password allow read/write access. In other words, if the read password is %0a%0a->alpha%0a%0aand the edit password is %0a%0a->beta%0a%0athen enter%0a%0a-> [@%0aSet new read password: alpha beta%0aSet new edit password: beta%0a@]%0a%0aThis says that either %0a%0a->alpha%0a%0aor %0a%0a->beta%0a%0acan be used to read pages, but only %0a%0a->beta%0a%0amay edit. Since PmWiki checks the passwords you've entered since the browser has been opened, entering a read password that is also a write password allows both reading and writing.%0a%0a[[#siteattr]]%0a!!! Protect the site%0aPasswords can be applied to the entire wiki website in ''config.php''.%0aSee [[PasswordsAdmin#settingsitewidepasswords|passwords]] administration for details.%0a%0a%0a%25audience%25 administrator%0a%0a[[#administrators]]%0a!! As an administrator ...%0a%0aYou can set passwords on pages and groups exactly as described above for authors. You can also:%0a# set site-wide passwords for pages and groups that do not have passwords%0a# use @@attr@@ passwords to control who is able to set passwords on pages%0a# use @@upload@@ passwords to control access to the file [[upload(s)]] capabilities (if uploads are enabled)%0a# use an @@admin@@ password to override the passwords set for any individual page or group%0a# use [[SiteAdmin/AuthList]] to view the permissions settings for pages that have permissions set. %0aFor more information on password options available to administrators, see [[PasswordsAdmin]].%0a%0a!! Which password wins?%0a%0aIn PmWiki, page passwords override group passwords, group passwords override the ''default'' passwords, and the @@admin@@ password overrides all passwords. This gives a great deal of flexibility in controlling access to wiki pages in PmWiki. %0a%0a!! Opening access to pages in protected groups/sites%0a%0aSometimes we want to "unprotect" pages in a group or site that is otherwise protected. In these cases, the special password %0a%0a->@nopass%0a%0ais used to indicate that access should be allowed to a page without requiring a password. %0a%0aFor example, suppose `Main.GroupAttributes has an edit password set, thus restricting the editing of all pages in Main. Now we want `Main.WikiSandbox to be editable without a password. Using %0a%0a->clear%0a%0afor the edit password for `Main.WikiSandbox ''doesn't unprotect the page'', because the password is being set by the group. Instead, we set the edit password for `Main.WikiSandbox to the special value %0a%0a->@nopass%0a%0awhich tells PmWiki to ignore any site-wide or group-level passwords for that page.%0a%0a%0a>>faq%3c%3c [[#faq]]%0a%0a[[#site]]%0aQ: How can I password protect all the pages and groups on my site? Do I really have to set passwords page by page, or group by group?%0a%0aA: Administrators can set passwords for the entire site by editing the config.php file; they don't have to set passwords for each page or group. For example, to set the entire site to be editable only by those who know an "edit" password, an administrator can add a line like the following to local/config.php:%0a%0a $DefaultPasswords['edit'] = crypt('edit_password');%0a%0aFor more information about the password options that are available only to administrators, see [[PasswordsAdmin]].%0a%0aQ: I get http error 500 "Internal Server Error" when I try to log in. What's wrong?%0a%0aA: This can happen if the encrypted passwords are not created on the web server that hosts the PmWiki.\\%0aThe crypt function changed during the PHP development, e.g. a password encrypted with PHP 5.2 can not be decrypted in PHP 5.1, but PHP 5.2 can decrypt passwords created by PHP 5.1.\\%0aThis situation normally happens if you prepare everything on your local machine with the latest PHP version and you upload the passwords to a webserver which is running an older version.\\%0aThe same error occurs when you add encrypted passwords to local/config.php.%0a%0aSolution: Create the passwords on the system with the oldest PHP version and use them on all other systems.%0a%0aQ: How can I create private groups for users, so that each user can edit pages in their group, but no one else (other than the admin) can?%0a%0aA: Modify the edit attribute for each group to id:username, e.g. set the edit attribute in JaneDoe.GroupAttributes to id:JaneDoe.%0a%0aThere is a more automatic solution, but it's probably not a good idea for most wikis. Administrators can use the [[(PmWiki:)AuthUser]] recipe and add the following few lines to their local/config.php file to set this up:%0a%0a $group = FmtPageName('$Group', $pagename); \\%0a $DefaultPasswords['edit'] = 'id:'.$group; \\%0a include_once("$FarmD/scripts/authuser.php");%0a%0aThis automatically gives edit rights to a group to every user who has the same user name as the group name. Unfortunately it also gives edit rights to such a user who is visiting a same-named group not just for pages in that group, but for any page on the wiki that relies on the site's default edit password. This can create security holes.%0a%0aQ: [[#farm]] How come when I switch to another wiki within a farm, I keep my same authorization?%0a%0aA: PmWiki uses PHP sessions to keep track of authentication/authorization information, and by default PHP sets things up such that all interactions with the same server are considered part of the same session.%0a%0aAn easy way to fix this is to make sure each wiki is using a different cookie name for its session identifier. Near the top of one of the wiki's local/config.php files, before calling authuser or any other recipes, add a line like:%0a%0a session_name('XYZSESSID');%0a%0aYou can pick any alphanumeric name for XYZSESSID; for example, for the cs559-1 wiki you might choose%0a%0a session_name('CS559SESSID');%0a%0aThis will keep the two wikis' sessions independent of each other. time=1318340428