This is a talk page for improving AuthUser.

AuthUser & Farm-Wikis

I need a bit more concrete hints for handling AuthUser within wikis in a farm, if wiki1 should be readable for all visitors, while wiki2 only should be readable for login-users. Especially I’m not sure, where to place the include of authuser.php. But – after very long searching, I’d wish I could have found such a hint clearly and directly at AuthUser – I bet it could work like this:

$AuthUser['htpasswd'] = 'path/to/.htpasswd';
$AuthUser['htgroup'] =  'path/to/.htgroup';
$DefaultPasswords['edit'] = '@wiki-editors';
#NO include of authuser.php here, while it will destroy all settings – correct?

$DefaultPasswords['read'] = '';

$DefaultPasswords['read'] = '@wiki2-readers';

Am I right: The include of authuser.php must NOT be placed in the farmconfig.php, but should be included in every local/config.php ?

Thanks for all helpful hints and answers!

Yes, this looks good. --Petko November 07, 2017, at 02:40 AM

Setting single page permission.

Is there a way to set read-only permission to single page, after setting de default $DefaultPasswords['edit'] and $DefaultPasswords['read']?

Yes, follow a link like [[Main.HomePage?action=attr]] and in the form set the read password for the page to @nopass (open for everyone), @lock (locked for everyone except admins) or any actual password. See Passwords. --Petko September 08, 2016, at 01:01 PM

Can this be done also from config.php and not from browser url and form?

Not in a secure way. --Petko September 08, 2016, at 02:22 PM

Marcus Denning,, 20160202-12:35GMT-06
When using Option: User List on Site.AuthUser
The following pertains to Username, Password, and Profile pages combinations when using AuthUser Wiki pages for group/user Authentications.

If only the password is used for authentication, how can the name assignment be verified or changed appropriately so that there is not an author of name 'blank' or "Profile" showing up and regardless of the login author name a valid profile page can be reached?

This is going to be a bit of an involved one. I have literally just taken snippets of code and figured out how to implement them in this one. I am pretty sure someone can figure out how to do it better. However, this solution seems to work and is letting me display a valid profile page to reach without blanks or the name "Profile" for the AuthorName.

First, I have this little snippet of code in my NavBar header (another CookBook plug-in) that shows the profile selection and login auth selections appropriate to the login.

(:if ! enabled AuthPw:)
* %item rel=nofollow class=login  accesskey='$[ak_login]'%   [-'''%color=#880000%[[{*$FullName}?action=login | $[Login] ]]%%'''-]
(:if enabled AuthPw:)
(:if2 auth admin:)
* [-[[Profiles.{$Author} | %color=#660000%'''''{$Author}''  - '''%%%color=#ff0000% ''Profile''%%]]-]
* %item rel=nofollow class=logout accesskey='$[ak_logout]'% [-'''''%color=#ff0000%[[{*$FullName}?action=logout | $[Logout] ]]%%'''''-]
* [-[[Profiles.{$Author} | %color=#660000%'''''{$Author}''  - '''%%%color=#00ca00% ''Profile'' %%]]-]
* %item rel=nofollow class=logout accesskey='$[ak_logout]'% [-'''''%color=#00ca00%[[{*$FullName}?action=logout | $[Logout] ]]%%'''''-]
(:if auth admin:)
* [-[[Site/Site | %color=red%Site Admin%%]]-]
* [-[[Site.SiteMap | %color=#0000aa%Site Map%%]]-]

Then, in my local/config.sys file, I have done the following.

  • First I made a variable out of the Master Password to make it easier to change if needed.
    • $AdmPass = crypt('MastPass01');
      $DefaultPasswords['admin']   = array($AdmPass,                 # global password
                                          '@admins',                 # +users in these groups
                                          'id:Daniel', 'id:Marcus'); # +users individually
      $DefaultPasswords['upload']  = array($AdmPass, '@admins', '@moderators', '@editors');
      $DefaultPasswords['edit']    = array($AdmPass, '@admins', '@moderators', '@editors', '@writers');
      $DefaultPasswords['publish'] = array($AdmPass, '@admins', '@moderators', '@editors', '@writers');
      $DefaultPasswords['delete']  = '@lock';                        # DeletePage CookBook plug-in addition
      $DefaultPasswords['attr']    = array($AdmPass, '@admins');
  • Then, after all that, I get to my Login Name testing to select the right name.
    • ## Enable authentication based on username.
      if (  $AuthId=='admin' ) {$Author = $AuthId; } # after include_once(authuser)
      if ( !$AuthId=='admin' )
      { if ( (  $AuthId == '' ) || ( $AuthId == 'Profiles' ) )
        { if (  $authpw == $AdmPass ) { $Author = 'admin-X'; }
          if ( !$authpw == $AdmPass )	{ 
            if (  CondAuth($pagename,'admin') ) { $Author = 'admin-X'; }
            if ( !CondAuth($pagename,'admin') ) { 
              if ( CondAuth($pagename,'upload') || CondAuth($pagename,'read') || CondAuth($pagename,'edit') ) { $Author = $AuthId; }
              $Author = 'Rogue-X';

The final result of all of this is that when someone logs in they see their own login name at the top with a link to their own profile page. If they have the incorrect username and the correct password, the system authenticates but strips out any special admin/edit auths per the AuthUser plug-in functionality (goverened from within the AuthUser Wiki page by groups/users auths). If the latter happens, then Rogue-X shows up noting they had the incorrect login name and therefore the username is not a blank or the name "Profile" by default. In addition, the UserName Rogue-X can be assigned any rights desired in the AuthUser Wiki page. By Default, Rogue-X is simply a name and has no rights anyway. The Site Admin username is selected as either admin or admin-X as long as the correct password is entered, however the admin auth status is not stripped. Any edits that happen as admin or admin-X will simply show up as that AuthorName.

I really hope this helps someone. It took me a while to figure out the logic, but it seems solid for now.

Rarely asked questions

I get http error 500 "Internal Server Error" when I try to log in. What's wrong?

This can happen if the encrypted passwords are not created on the web server that hosts the PmWiki. The crypt function changed during the PHP development, e.g. a password encrypted with PHP 5.2 can not be decrypted in PHP 5.1, but PHP 5.2 can decrypt passwords created by PHP 5.1. This situation normally happens if you prepare everything on your local machine with the latest PHP version and you upload the passwords to a webserver which is running an older version. The same error occurs when you add encrypted passwords to local/config.php.

Solution: Create the passwords on the system with the oldest PHP version and use them on all other systems.

if i already specified a group in local/config.php, then i set the same group on SiteAdmin/AuthUser then will it merge all users in that same group?

It is supposed to work this way -- in config.php you set for example:

  $DefaultPasswords['edit'] = '@editors';

then, in the page SiteAdmin/AuthUser you define all users of the @editors group:

  @editors: Alice, Bob

I want to allow anyone to edit my wiki, but don't want anyone else to use my name as the author.

Is there a way to "reserve" and password protect certain usernames? Or basically just require a password when attempting to edit a page with a registered user's name in the author field?

Yes, use such a code in config.php:

  ## Preventing others posting as "Pm" or "Petko"
  if( preg_match('/^(Pm|Petko)$/i', trim(@$_POST['author'])) ){
    $DefaultPasswords['edit'] = '@lock';
    $MessagesFmt[] = "To post as '{$_POST['author']}' please log in.";

This will display the authentication form when a user tries to post as Pm or as Petko. Note that these users need to know the admin password to get through.

Not-answered questions

How can I access the authorization groups that the current user belongs to in order to test using that as a condition of an if statement?

forceflow: Dirty hack I found: create a lone page (DirtyHackPage) somewhere, and only give a certain group (apples, for example), the rights to read it. Then you can use (:if auth read DirtyHackPage:) to identify members of the apples group. It's dirty, but does the trick if you only have limited amount of groups.

Is there any way to have groups inherit other groups (e.g. @fruits: @apples, @oranges, jack)?

See PITS.01232Eemeli Aro

Is it possible to list more than one .htpasswd and .htgroup file to be used?

e.g. if I am running a wikifarm and some users are common across various fields, it would be nice if they only needed to update their password once. Sure I could merge all the passwd & group files, but then I wouldn't be able to support identical user or group names on each independent wikifield..

I'm facing a problem with authentication using MySQL database.

New user registration works but login always fails asking for correct user name and password even though proper values are entered. Where could be the problem?

I have been trying to set site-wide authorizations and getting really frustrated. I have the following lines in my config.php:

 $DefaultPasswords['edit'] = crypt('edit_password');
 $DefaultPasswords['read'] = crypt('read_password');
 $DefaultPasswords['admin'] = crypt('admin_password');

But I can still freely edit many pages. Some not, some yes. I've tried manually "clearing" passwords on pages that I seem to be able to edit.

What gives?

Is there a way that people could self-register through AuthUser?

Chris I'm trying to do this same thing now via phpbb 3.0's authentication and database. If that's an option here's how I plan on doing it. I have the phpbb 3.0 working with an sql database thanks to godaddy. I think all you need are 4 other cookbooks, AuthUserDbase dependent on AuthUser, ADOdb, DatabaseStandard. I'm going to use Cookbook:AuthUserDbase "setting for using another program's database for authentication. Then I'll need to figure out how to set user permissions to their own created content. I'd love to package all 4 of these cookbooks, and some default lines to add to a config.php to enable any new pmwiki hosts to easily connect to an existing database with minimal "dirty work". Best of luck to us both, Mark (reach me at the site I'm building is

Please see Cookbook:AuthUserSignup for a solution to this problem. Peter Bowers October 25, 2008, at 01:45 PM

This is totally true! I've been working with Peter on getting this installed and I can truly say that this is the most complete authentication system for AuthUserSignup. Real Chris November 19, 2008, at 05:15 AM

I use the SiteAdmin.AuthUser page to create user accounts at my wiki. Now, I have three on there now (big site, really). Two I created some time ago (like 2 years ago, or something) that are functioning correctly, but a third that I've recently created, and I can't get this guy working. I have entered and re-entered various times, the same as for the others:

# username: (:encrypt somepassword :)
  1. username: $1$o4iUYvYF$cZh46pfprMsAIDEhRs.kQ1

and the guy can't get in with the assigned username and password.

I am confused by this.

This site is running pmwiki-2.2.27 (VersionNum=2002027).

Please forgive the xpost. I asked this question on another page, but this seems the appropriate place.

tonybaldwin September 25, 2011, at 10:54 AM

Remove the "#" at the beginning of the line before username. --Petko September 25, 2011, at 12:04 PM

Okay, I tried that, but it didn't make a difference. I didn't think it would, since the other users are listed in the same fashion, with a "#". I appreciated the attempt, all the same.

tonybaldwin September 27, 2011, at 06:38 PM

AuthUser ignores lines starting with # so it shouldn't be before any line with username:password. Other things to check: the password cannot contain spaces, tabs, new lines, columns ":" and equals "="; on some systems it should be at least 4 characters long; usernames and passwords are case sensitive. Does another password work with the same username? Does another username work with the same password? --Petko September 27, 2011, at 07:25 PM

Reserving author names - A question like this was asked below, but it doesn't seem to work for me, perhaps it worked with an older version. I have enabled AuthUser and created some accounts. I have one page, however, that I have set the edit password to @nopass to allow for anyone to edit it. I would, however, to not have anon users be able to use specific names as the author (like that of the admin, for example). I've tried adding the recommended lines to my config file with no success. Any suggestions? Thanks!

Here is what we use on this wiki to prevent others posting as Pm or Petko:

  $postauthor = stripmagic(trim(@$_POST['author']));
  if( preg_match('/^(Pm|Petko)$/i', $postauthor) ){
    $DefaultPasswords['edit'] = '@lock';
    $MessagesFmt[] = sprintf("To post as '%s' you need to log in.", $postauthor);

This is a talk page for improving PmWiki.AuthUser.