Recent Changes - Search:

Cookbook

PmWiki

pmwiki.org

Cookbook /

AuthPhpbb2Sso

Summary: Single Sign On for PmWiki and phpBB2
Version: 080401
Prerequisites: Working phpBB2 installation on the same server
Status: Release candidate
Maintainer: Jantah
Categories: Administration, Security, Forum

Questions answered by this recipe

  1. How do I use phpBB2 authentication in PMWiki?
  2. How do I use phpBB2 membership and groups to setup PmWiki authorization?
  3. How do I limit PmWiki administrative tasks to the phpBB site administrators?

Description

AuthPhpbb2Sso uses phpBB2 to authenticate users, and the standard AuthUser functions for PmWiki authorization.

This recipe provides 100% integration of the phpBB authentication and session management. This is achieved by including the relevant scripts from the phpBB installation and calling the appropriate functions. The phpBB2 session is kept alive while the user is browsing the wiki. No hacks into the phpBB scripts are required.

This recipe has been tested with PmWiki version 2.2.0-beta65 and phpBB2 version 2.0.23. This recipe will not function on phpBB3.

The recipe has yet to be installed on a live system, I've already put it here for feedback.

Installation

  1. Download the following file: AuthPhpbb2Sso.phpΔ and save in your cookbook directory.
  2. Add the following lines into your local/config.php script:
    define ('PhpbbRootPath', "$FarmD/../forum/");
    require_once ("cookbook/AuthPhpbb2Sso.php");
Note: the PhpbbRootPath should point to the path of your phpBB2 installation.

Main features

After installing the recipe as described above, user and group information from phpBB can be used to setup authorization of the various PmWiki pages. The standard AuthUser function is used to setup authorization, but obviously, the SiteAdmin.AuthUser page is not required, since user and group administration is done in phpBB.

By default, there are no restrictions, except for PmWiki admin pages. PmWiki admin pages are restricted to phpBB users that are assigned the "Administrator" user level. All other authorization can be set up as required. Check AuthUser and Passwords for details, but find some examples below:

To achieve Action
Limit page edits to users signed into phpBB Add the following line to your local/config.php:
$DefaultPasswords['edit'] = 'id:*';
Limit page edits to users that are member of the phpBB group "wiki" Add the following line to your local/config.php:
$DefaultPasswords['edit'] = '@wiki';
Restrict access to attr pages to users that are member of the phpBB group "siteadmin" Add the following line to your local/config.php:
$DefaultPasswords['attr'] = '@siteadmin';
Make pages in the Sandbox pagegroup only visible to users signed into phpBB Open the Sandbox.GroupAttributes?action=attr page on your site and put in the "Set new read password" field:
id:*
Make the page "SomeWiki.SomeWiki" only editable by the phpBB user named "Jantah" Open the SomeWiki.SomeWiki?action=attr page on your site and put in the "Set new edit password" field:
id:Jantah

Other features

Author

The author name will be set to the phpBB username. Since it is not possible to overrule this from the edit page, you may choose to delete the Author field from your Site.EditForm page:

(:input e_author:)

Page compression

If set in phpBB, and the client supports this feature, pmWiki pages will be compressed before being sent to the client. This usually saves around 80% in bandwidth.

Recognizing administrators

Site administrators are marked in phpBB with a separate "User level", which cannot be used in PmWiki. This recipe automatically assigns the PmWiki group "siteadmin" to members that have user level "Administrator", so it can be used for PmWiki authorization. If you want to use another group name, add the following line to your local/config.php, before including AuthPhpbb2Sso:

$PhpbbAdminGroup='wikiadmin';

Replace 'wikiadmin' with the name you would like to use.

Group moderators

Every group in phpBB has one group moderator. This is propagated to PmWiki by assigning a group membership of the group name + "Moderator" to the group moderator. So, for example, the moderator of the phpBB group "Wiki" will also be member of the PmWiki group "WikiModerator". If you want to use a different suffix, add the following line to your local/config.php, before including AuthPhpbb2Sso:

$PhpbbGroupModSuffix='Mod';

Replace 'Mod' with the suffix you would like to use.

Redirect to phpBB login page

If access to a certain page is denied, by default the PmWiki password page will be displayed. To obtain a tighter integration with phpBB, add the following line to your local/config.php:

RedirectOnDeny ();

If a client tries to acces a privileged page, the response will now depend on whether the user is signed in or not:

  • If the user is signed in, a message "You are not authorized to access this page" will be displayed.
  • If the user is not signed in, the browser will be redirected to the phpBB logon page.

The message and action can be modified by setting the $AuthPromptMemberFmt and $AuthPromptAnonymousFmt variables before calling RedirectOnDeny(), for example: 

 $AuthPromptMemberFmt=array(&$PageStartFmt
   , 'Sadly, you are not allowed to access this page'
   , &$PageEndFmt);
 $AuthPromptAnonymousFmt=array(&$PageStartFmt
   , "You may need to <a href='$PhpbbUrl/login.$phpEx'>login</a> to access this page."
   , &$PageEndFmt); 
 RedirectOnDeny ();

Template variables

The recipe also sets a couple of variables that can be used in the PmWiki templates to visually integrate PmWiki and phpBB:

$SiteUrl The root URL of your website
$PhpbbUrl The URL where the index.php of your phpBB2 installation resides
$PhpbbStyleName The name of the phpBB2 theme used. This is the theme selected by the user, or the default theme when not signed in.
$PhpbbTemplate The template directory of the phpBB2 style used.
$PhpbbStylesheet Name of the phpBB2 stylesheet.

Link to phpBB profile

By default, the "[[~" markup creates a link to the members page in the Profiles group in the wiki. To make it point to the phpBB profile of this member, add the following line to your local/config.php:

Markup ('[[~', '<links','/\\[\\[~(.*?)\\]\\]/e', "PhpbbUserProfile('$1')");

This will also work with the current user tag (three tildes) and from the recent changes page.

Time and date format, timezone

Since the time and date format and timezone are also set in the phpBB2 and user configuration, these can be retrieved and used in PmWiki. To enable this, add the following line to your local/config.php:

UsePhpbbDateSettings ();

This will also change the format of the new entries written to the RecentChanges page. The time of the change is now entered as '{(ftime when="@' . time() . '")}', so it is displayed in the date and time format set by the user.

Detailed description

This recipe includes a couple of scripts from the phpBB installation to enable it's session management in PmWiki. The basic goal of the whole exercise, the holy grail if you will, is to call the following phpBB2 function, which will take care of the entire session management:

$userdata = session_pagestart($user_ip, -20);

To achieve this, the following steps are performed:

  1. First, the recipe needs to know the root path of your phpBB installation. This is taken care of by defining the PhpbbRootPath constant in the local/config.php file.
  2. Now the script can start to probe the phpBB installation. First, it includes the extensions.inc file. The main function of this file is to define the extension of the PHP files of your phpBB installation.
  3. Knowing the extension, we can now include the first script: config.php (the phpBB one). This will set the variables to enable us to query the database, such as the database name, username and password.
  4. At this point, it would have been nice to include the functions.php script. Unfortunately, this script defines a function redirect(), which is also defined by PmWiki. There is no real clean fix for this, so all (hopefully, see limitations) functions needed by the subsequent scripts are copied into this recipe script.
  5. Next, we include the db.php script. This will instantiate the $db object that is used in all phpBB scripts to access the database.
  6. Now we include the constants.php script. This will set a couple of constants for the table names, as used in the phpBB scripts.
  7. And finally, we can include the sessions.php script, that contains the session_pagestart() function which, as mentioned above, is the one to call to use the phpBB sessions.
  8. Two more things are defined now: the $board_config array, that basically contains the contents of the phpbb_config table, and the IP address of the user.

And that's it. We can now call the session_pagestart() function and take it from there.

Limitations

  1. Sessions that are browsing the wiki are registered in phpBB under page number -20. Since phpBB does not know a page by this number, these sessions are shown without a page description on the phpBB administration page.
  2. I may have completely missed the point with the timezones. It works on my test server, but that could be because I am correcting an error with a similar negative error.
  3. Timeformat in phpBB is defined for use with the the Date() function. PmWiki uses strfdate() function, which uses a different markup. The PhpbbDateFormat() takes care of the conversion, but following characters do not have a strfdate() equivalent and are not supported: eIOPTZuUBLtzS
  4. The included scripts might need functions from the phpBB2 includes/functions.php script that are not defined because we could not include that file. I have yet to run into a problem, but in other installations, the code might branch into a code segment with a missing function.
  5. Updates to the used phpBB scripts might break this recipe. Then again, with the arrival of phpBB3 it is not very likely the phpBB2 scripts will undergo any substantial modifications.
  6. Did I create vulnerability issues with the Markup "/e" functions?

Future Enhancements

  1. Perhaps pass user ranks as groups as well?

Release Notes

If the recipe has multiple releases, then release notes can be placed here. Note that it's often easier for people to work with "release dates" instead of "version numbers".

  • April 1st - version 080401
    • Also create a PmWiki group membership for phpBB group moderators.
  • March 30rd 2008 - version 080320
    • Merged the PhpbbTimeZone() and PhpbbDateFormat() functions into UsePhpbbDateSettings().
    • Function UsePhpbbDateSettings() also sets the format of new RecentChanges page entries so date and time are shown in the format preferred by the user.
  • March 24th 2008 - version 080324
    • Fixed typo which prevented administrators to access privileged pages.
  • March 23rd 2008 - version 080323
    • Pass the username and group memberships to AuthUser for authorization.
  • March 6th 2008 - version 080306
    • Full support for clients with disabled cookies, sid will now also be appended to static links in the template and links generated by the system. The $AmpSid and $QmSid variables are discontinued because they are no longer required.
    • Root path of the phpBB installation now needs to be set using a define(), so the recipe can check if it is set properly. If phpBB is installed under the pmWiki directory, and a typo was made in the $phpbb_root_path variable name, the recipe might still work, but servers with register_globals on would be vulnerable to attacks.
    • Inherit page compression setting from phpBB
  • February 21st 2008 - version 080221
    • More forgiving with server and path settings from phpBB.
    • Markup rules for appending sid now uses single quotes in the output since this seems to be the PmWiki default. Double qoutes will break, for instance, tabbed skins.
    • If cookies are disabled, only add "sid=" to URLs pointing to our own site, not to external links.
  • February 20th 2008 - version 080220
    • Initial release for feedback

See Also

Contributors

Jantah

Comments

2008-02-20 - I just tried this, but it looks like a slash is missing when directed to the login page. I got to mydomain.comforum/login.php instead of mydomain.com/forum/login.php. I just can't seem to find where I should put that slash ;-) - blader_se

2008-02-21 - This was probably caused because your phpBB setting "script_path" did not start with a slash. Uploaded version 080221, which handles the settings similar to phpBB. Also made a couple of tweaks in the section that adds the session identifier for clients with cookies disabled. - Jantah

2008-03-17 - This script is wonderful. Is there any way however to give PHPBB users specific page privileges. I'm trying to make it so each user can edit their own specific page. The id:user in action=attr doesn't seem to work however. ~ Sarif

2008-03-18 - Not yet possible, I've copied the authorization function from AuthPhpBB2, and only slightly modified it. It distinguishes between guests, registered users and admins, but no more. I am working on extending that to phpBB groups and user-specific authorization. Stay tuned. - Jantah

2008-03-22 - Should have known it was not that hard in PmWiki. Just set the $AuthId, populate the $AuthList array and let AuthUser take care of the rest. I called this a release candidate, need some feedback (here, or by email from my profile page) to be certain about the stability. - Jantah

2008-03-30 - Right now, I'm setting up a site for a game (just a small mud) I'm staff at with pmwiki/phpbb and your recipe. I haven't installed the latest version yet, however, but it's been working well for user contributions. Within the next week or so, we'll probably be installing your latest release and making PmWiki/phpbb the main portion of our site. When we get the site up and working, skinned, and all that, I'll post a link for you. Great work on the recipe. It's saved me a lot of headaches and expanded on what we can easily provide for our players. Players will have personal pages, and pages for their characters and be able to contribute to various in-game groups they're a part of, without much work in terms of authentication that we've been integrating between our game and phpbb2 already. You rock. ~ Sarif

2008-04-01 - Will there be any support for calling group moderators in a separate group? Like @mod-foo would call the moderators for group foo? ~ Sarif

2008-04-01 - That seems like a good one. Group moderators may need additional privileges in areas where the group has certain rights. I've opted for a name suffix, because this results in a more descriptive group name. The moderator of the phpBB group "@Foo" will automatically be member of the PmWiki group "@FooModerator". - Jantah

2008-07-12 - Does anyone have a perspective on revising this code to work with phpbb3. I already have phpbb3 active and want to bring up a complementary PmWiki. What scale of debug/changes am I going to have to attempt? -Chris C

Edit - History - Print - Recent Changes - Search
Page last modified on July 12, 2008, at 04:24 PM