The current method used for adiminstering passwords is very awkward. A few simple changes to the interface would make it much easier to use. This is not a proposal to change the security model at all - just the interface.
Change #1 is to the attributes form. Have it show the status of each password. Currently you cannot tell if a password is set for any action. If a password is set, you can't tell if it is a site-wide, group-wide, or page-level password. Proposed new form:
Set new read password: [ ] not set Set new edit password: [ ] not set Set new attribute password:[ ] * Set new upload password: [ ] set
This would indicate that on this page:
- the read and edit passwords are not set (nor are they set in config.php)
- the attribute password is picked up from config.php
- the upload password is set to some value on this page
Change #2 is to the wording that appears with the attributes form. The current wording is misleading because it refers to "attributes" when it means "passwords". The new wording should be:
- Enter new passwords for this page in the form below. Leave a field blank to leave the password unchanged. To clear a password, enter 'clear'. If the password is set by config.php, entering 'clear' does not work - use 'nopass' instead to remove the password, or enter a new password to override the one in config.php.
It is actually slightly more complex than this if you consider group-level passwords, but this would be a huge improvement over the current "stabbing in the dark" method.
->Radu: Actually as a newbie I was expecting the ?action=attr page to report all the attributes of the page as well as allowing pass change (creation and last modif dates, creator, maybe editors, wikiver at creation, current wikiver, skin name (rather important, that!), and any other defined vars) Is there a reason not to display those, since they're available anyway?
PmWikiPhilosophy #3. Most features aren't added until there's a definite need for them. In particular, I'd want to know how the resulting output should look.
How about a list of pairs:
Attr: <value(s)>, e.g. Editors: Pm, NeilHerber, Radu
and the set of attributes to be displayed (including their order) could be set in config.php (or group config files)
Are you saying there's no need to know the attributes of the current page? Of course, this could be done as a recipe if you don't think that info is of interest. It could be gathered from other places (like page history), but I'd find a summary helpful.
And I think you're already working on something like this for pass attributes:
Set new read password: [ ] not set Set new edit password: [ ] set in group Set new attribute password:[ ] * Set new upload password: [ ] set in wiki