HtpasswdForm-Talk

This is the discussion page. Back to HtpasswdForm


There does not appear to be an error message when a user types an incorrect 'old' password. Can this be added? -- Allister.

This is a feature. See the password changer form note. --Dfaure

It seems any user can create the password form by just including (:htpasswdform:) in any page.

If any user can get access to the password form, what's the point of adding security to my password form page? How can we prevent users from making their own password form page? -- Sean, Sep 2006

You should both take care of narrowing the recipe (wiki page) scope, avoiding using local/config.php and adding include_once("cookbook/htpasswdform.php"); only in local/Site.HtpasswdForm.php (for example), and set the desired page permissions (browsing [[Site.HtpasswdForm?action=attr]]).

I've tried following the above steps and all I get is (:htpasswdform:) in my page - what am I missing?

(I set the following variables before the include_once call in the local page customization file: $EnableHtpassword, $HtpasswdFile and $HtpasswordDefaultType)

Before all you should make sure that your customization file is related to the page (name) you're working with ('local/Test.MyPasswdEditor.php' file for 'Test.MyPasswdEditor' page for example). Further details are available here. --Dfaure

Also check your local or farm config.php files to make sure that you haven't inadvertently included htpasswdform.php there - that can also cause problems. shi

Basically, i want to be able to give someone an initial password, but force them to change it on first login.

Is it possible to flag something in a php recipe that would force the user to change their password after logging in? If not, this would be a useful checkbox to have on the admin form. --Lordmundi, 2007-03-23

This behavior is beyond the scope of the recipe --Dfaure July 03, 2007, at 03:50 AM

Our Apache runs on a server with a UTF-8 locale. Adding either a group or a user with accented characters (e.g., åland) results in the following error message: "Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1025 bytes) in /var/www/pmwiki/cookbook/htpasswdform.php on line 526". The requested user name gets added about 131 times to the htpasswduser file, each line with a different apr1 crypt. The htpasswdform version is 2007-07-03 and our locale settings mimic these: http://myy.helia.fi/~karte/english_in_finland_on_ubuntu.html --Pervilä 13.7.2007

AFAIK, Apache configuration/directives files are used to be plain acsii text files only (and alas, the htpasswd is one of them)... --Dfaure July 23, 2007, at 05:49 PM

I had more time to debug the problem above. Actually, the htpasswd file's content is written with UTF-8 encoding, correctly (verified with od). Line 529 is the fgets call, and for a moment I suspected rtrim beneath it. It is not the culprit - by changing the memory limit (ini_set("memory_limit"...)) of the htpasswdform script, the error message changes. So something starts to leak memory when UTF-8 is used. I'm not even sure it is htpasswdform anymore. UserAuth2-Talk contains something similar. --Pervilä 29.9.2007

Not sure if it is a bug. Unauthororized user can't create new user account (even the form does show). After I change the 59th line from
if(IsEnabled($HtpasswordNewUsers, 0))
to
if(IsEnabled($HtpasswordNewUsers, 1))
then it's all set... -- Terrence

The "normal" (and future-proof version) way to define a flag is to do it in your local configuration file just before the script reference:

$HtpasswordNewUsers = 1;
include_once("$FarmD/cookbook/htpasswdform.php");
--Dfaure August 31, 2007, at 06:51 AM

passwords don't match.
line 447
if($plain != $_REQUEST['passwd2']) {
change to
if(!$plain or $plain != $_REQUEST['passwd2']){

Technically speaking, Apache and the related tools are able to handle blank passwords but since PmWiki prohibits them the default behavior has been changed (you should now set explicitely $HtpasswordMandatory = 0; to allow blank passwords). --Dfaure October 12, 2007, at 08:51 AM

Is it possible to expand the recipe, that new users (i have set HtpasswordNewUsers to 1) have to provide their email-address in the comment field when they are registering themselves? schroe? January 28, 2008

Available in last release. --Dfaure March 18, 2008, at 09:54 AM

Is there a way to expand more required options to be included in new-user registration such as telephone number, address, etc.? If so, how do I do that? Thanks, Chris 8-26-08

This would require a large rewriting of the recipe, which is not really planned for now. --Dfaure August 26, 2008, at 07:12 AM

Ok, once again I have a question. This might be useful to many other people, so I'm requesting this via the Wikipage. I understand that my previous question asking if I could require more fields than just username, password and e-mail are not possible. However, what if I knew what type of e-mail addresses they should have. So, for example I knew that their e-mail address (if they were a part of my organization) ended in @example.com. If that were so, would there be a way I could program into HtpasswdForm that it would only accept certain e-mail address locations (such as @example.com)? Also, would there be a way that after they register, I could program HtpasswdForm to send an e-mail to their e-mail address to make sure its a valid e-mail address automatically? -Chris August 30, 2008

Thanks for your quick response! I'm in a time crunch and therefore, although the news isn't positive, am benefitting from your timeliness. ;-) Ok, so, is there a way that I could have a new user register via this recipe, but then require them to have their accounts on hold until I approve it to when I receive all the information from them? Practically, I have a new user register giving their username, password, e-mail address and then have their account on hold until I approve it (by requiring them to send me an e-mail with the required information such as home phone, address, etc.?) Thanks, Chris 8-26-08

Like an above user, I followed the directions at the top of the page (using the example filenames, etc.), but when I visit the page, I get a page-not-found error: "The page "Site.HtpasswdForm" doesn't exist." local/Site.HtpasswdForm.php contains only "include_once("$FarmD/cookbook/htpasswdform.php");", the htpasswdform.php is in the /cookbook directory. --Xax? March 15, 2008

You must also create a Site.HtpasswdForm page containg the (:htpassword:) directive. --Dfaure March 16, 2008, at 05:18 AM

forceflow Could you add the functionality for regular users to update their 'comment' field too ? Very useful if you store e-mail adresses there.

Implemented in latest release. --Dfaure July 28, 2008, at 05:18 PM

Could you please explain how to use $HtpasswordForms to customise the forms (especially the user-registration form)? (I really like this recipe, by the way; it's fantastic to be able to use the same users and groups elsewhere!) Sam Wilson May 29, 2008, at 08:48 PM

The $HtpasswordForms forms are made of regular markup texts in which some tokens/placeholders are replaced to a computed definition:

$HtpasswordForms['user']
The user password change markup code in which the $UserName token will be replaced by the name of the currently authenticated user (333).
$HtpasswordForms['new']
The new user registration form (388), handling the $UserInfo and $Captcha tokens as place holders for the next sub-form optional elements:
$HtpasswordForms['info']
The user comment field (395).
$HtpasswordForms['captcha']
The captcha field (402).

(bracketed numbers refer to the source code lines where each variable is defined. --Dfaure May 30, 2008, at 05:10 AM

In my setup there are various groups, each with his set of moderators (elsewhere decided by membership in @groupmoderator). What I need is that a moderator should be able to add users to *his group* (add, delete new users). What changes should I make?

This feature is not planned for now. --Dfaure July 28, 2008, at 05:18 PM

Is there a password reminder/reset feature? Sam Wilson July 16, 2008, at 01:37 AM

Implemented in latest release using the user comment field. --Dfaure July 28, 2008, at 05:18 PM

Adding a user to a group which already includes a user with the same part of the name. (Adding 'Tom' to a group already containing 'Tommy') fails.

Fixed in latest release --Dfaure October 27, 2008, at 05:59 AM

How can I use the regular user form to display?

Can I create a new user if I'm already logged in? I'm using $HtpasswordNewUsers = 1, but sometimes already registered and logged in users want to help a new user to create a new account. Do the need to log out, or is there another method? 2010-05-02 OliverBetz

There's not other way than logging out to create another account. Providing a logout link on the auth page may be helpful. You may use: %rel=nofollow% [[{$Name}?action=logout| $[Logout] ]] --Dfaure May 02, 2010, at 04:24 PM

I want HtpasswdForm to use the htpasswd and htgroup files specified in SiteAdmin.AuthUser. This doesn't seem to work because the "$pn = FmtPageName($AuthUserPageFmt, $pagename);" line in HtAuthUserInit() assigns 'Site.AuthUser' to $pn instead of 'SiteAdmin.AuthUser' even though $pagename is 'SiteAdmin/AuthUser'. Since the default Site.AuthUser just redirects and doesn't contain the htaccess/htgroup file name, HtpasswdForm doesn't find the files. My current workaround is to simlink Site.AuthUser to SiteAdmin.AuthUser. Can the code be fixed so that this workaround is unnecessary?

You only have to go a step further in the recipe configuration itself, adding the following 1st extra line to your configuration file:

$AuthUserPageFmt = '$SiteAdminGroup.AuthUser';
include_once("$FarmD/cookbook/htpasswdform.php");

--Dfaure December 11, 2010, at 04:46 AM

There appears to be a bug in the version 2017-06-19. Line 88 should read something like (NB emphasis):

Markup('htpasswdform', '<split', '/\\(:htpasswdform(.*?):\\)/ei', "HtpasswdForm(PSS('$1'))");

sroracle? July 14, 2017, at 07:28 PM

I stupidly uploaded the recipe in a "test state". The last version is fixed. --Dfaure July 15, 2017, at 02:53 AM

Talk page for the HtpasswdForm recipe (users).