Changelog

This is the changelog for the Cookbook.UserAuth2 recipe.

Changelog for version 2.2.3 (2010-03-03)

  • added the capability to incorporate external group memberships into the authorization mechanism:
    Setting $UA2_FurtherGroupsForUserFunc to a function with signature ($user, $groupaction) that returns an array of the groups the specified user belongs to (or an empty array if none), additional permissions can effectively be granted to that user.
  • added a config variable $UA2_CheckIpRangeUponLogin (true by default, matching the previous behaviour) which allows the IP range check during login to be switched off; useful when employing external authentication backends like LDAP, where as a result user profiles do not necessarily exist in the UA2 directory tree
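An added configuration example (not part of the recipe) wiring $UA2_FurtherGroupsForUserFunc to a hook function; the user-to-group mapping is constructed sample data standing in for a real directory lookup, the function name UA2ExampleFurtherGroups is invented, and placement in local/config.php before the userauth2 include is assumed.

```php
<?php
// Added example, not the recipe's own code. Assumed to live in local/config.php
// before userauth2.php is included.
// The changelog gives the hook signature ($user, $groupaction) and requires an
// array return (empty when there are no extra groups); what $groupaction carries
// is not described there, so it is only passed along unused.

$UA2_ExampleExternalGroups = [          // constructed sample data, not a real directory
    'alice' => ['editors', 'reviewers'],
    'bob'   => ['editors'],
];

function UA2ExampleFurtherGroups($user, $groupaction) {
    global $UA2_ExampleExternalGroups;
    $key = strtolower(trim((string) $user));
    if (!isset($UA2_ExampleExternalGroups[$key])) {
        return [];                       // no external memberships: empty array, as required
    }
    return $UA2_ExampleExternalGroups[$key];
}

$UA2_FurtherGroupsForUserFunc = 'UA2ExampleFurtherGroups';

// Default (true) keeps the previous behaviour; set to false only when an external
// backend means UA2 user profiles may not exist for the IP range check.
$UA2_CheckIpRangeUponLogin = true;
```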

Changelog for version 2.2.2 (2009-02-16)

  • removed try{}catch wrap from UserSessionVars.php to avoid errors in PHP4

Changelog for version 2.2.1 (2009-02-12)

  • Made sure the authentication cookie is associated with the actual pmwiki directory and not the document root of the domain, which allows pmwikis to be operated safely even if the whole domain is not owned. This should also allow operating (and being logged in to) more than one pmwiki under one domain. (reported by Olle. The hack that is mentioned is to remove the '/' argument (the last argument) from all setCookie(...) calls in userauth2/UserSessionVars.php.)
  • With this version, I change the version numbering from x.x-[beta|stable] to x.x.x. Versions might still be tagged "beta" or "stable", but this is no longer regarded as part of the version number, and might also change for a particular version. The tagging will appear directly at the download link, and only there. Security related findings will not influence this "beta"/"stable" tagging. I might however tag a version as "secure" if it is stable and there are no security related reports over many months. The advantage of this approach is that a certain package can be retagged without the need to issue a new version (lessons learned from the release of pmwiki-2.2.0: separate judgement from identification; keep the order of the version numbers easily recognizable).

Changelog for 2.1-beta4 (2009-01-03)

  • Some corrections for cases where a user is orphaned, i.e. its parent was deleted. (discovered by "essai" in the showcase)
  • Fixed a bug surrounding tool_confirm, causing a possible dissent in the confirmation of user deletion to be ignored (discovered by Olle)
  • Fixed a bug causing generated cookie keys to be non-random on certain systems (critical, discovered by Olle)
  • Fixed a bug potentially enabling malicious users to reuse expired cookie authentications

Changelog for 2.1-beta3 (2008-01-08)

  • Added missing default value for $AuthUser variable in LDAP code, necessary e.g. in a clean install scenario.
  • Catching errors on missing UA2AuthFunctions.

Changelog for 2.1-beta2 (2007-12-24)

  • Added LDAP support.

Changelog for 2.1-beta1 (2007-12-23)

  • Rearranged code to relax sanitization checks on _REQUEST variables in the admintool, so that they concern only userauth2-relevant keys. (in response to mailing list msg)
  • Added 'zap' as always allowed permission level. (in response to mailing list msg)
  • Removed the hardwired denial of the 'attr' level; rather made this configurable via $UA2DenyAttrLevel (default true).
  • Some code rearrangement: from now on, AlwaysAllowedLevels no longer need to be additionally mentioned in HandleAuth in order not to be rejected as unknown.

Changelog for 2.1-beta0 (2007-11-29)

This is a refactored version of 2.0-stable9, intended to be fully functionally equivalent. It prepares the module for use of the pmwiki engine in non-interactive mode. Basically, all core permission checking functions which are not session-, form-, markup- or otherwise browser client interaction related, are outsourced into userauth2/userauth2-permchecklib.php. (to make them separately includable in a NI setup)

Changelog for 2.0-stable9 (2007-11-28)

  • Added missing code for function get_rand_session_id in UserSessionVars.php, clearing the error "Fatal error: Call to undefined function: get_rand_session_id() ...". The upgrade is only relevant to people who use cookie authentication.

    // the function name must be passed as a quoted string, not a bare constant
    if (!function_exists('get_rand_session_id')) {
      function get_rand_session_id() {
        // three 10-character chunks built from mt_rand(), then hashed; mt_rand() is
        // not a cryptographic source (see the 2.1-beta4 entry on non-random cookie keys)
        $x  = substr(str_pad(mt_rand(1, 0xffffffffffff), 10, '0'), 0, 10); // length 10 chars
        $x .= substr(str_pad(mt_rand(1, 0xffffffffffff), 10, '0'), 0, 10);
        $x .= substr(str_pad(mt_rand(1, 0xffffffffffff), 10, '0'), 0, 10);
        return md5($x);
      }
    }

Changelog for 2.0-stable8 (2007-09-12)

  • Added protection against brute force attacks on the login (enabled by default). Prevents logins for the client IP or the specified username if the number of corresponding failed logins over the last 30 days exceeds 100 (default values; enforced separately for IP address and username).
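The counting rule just described, as an added illustrative example rather than the recipe's own code: failed-login records are a constructed in-memory list, the function name ua2_example_login_blocked is invented, and the defaults follow the stated values (100 failures within 30 days, counted separately per IP address and per username).

```php
<?php
// Added example, not the recipe's own implementation. Each failure record is
// assumed to be ['time' => unix timestamp, 'ip' => string, 'user' => string].

function ua2_example_login_blocked(array $failures, string $ip, string $user, int $now,
                                   int $limit = 100, int $windowDays = 30): array {
    $cutoff = $now - $windowDays * 86400;
    $byIp = 0;
    $byUser = 0;
    foreach ($failures as $f) {
        if ($f['time'] < $cutoff) {
            continue;                        // older than the 30-day window: not counted
        }
        if ($f['ip'] === $ip)     { $byIp++; }
        if ($f['user'] === $user) { $byUser++; }
    }
    // both counters are enforced independently; either one exceeding the limit blocks
    return ['ip' => $byIp > $limit, 'user' => $byUser > $limit];
}

// Constructed sample: 101 recent failures from one address against many usernames,
// plus 101 failures against 'admin' that are all older than the window.
$now = 1700000000;
$failures = [];
for ($i = 0; $i < 101; $i++) {
    $failures[] = ['time' => $now - $i * 60,      'ip' => '192.0.2.10',   'user' => "guess$i"];
    $failures[] = ['time' => $now - 31 * 86400,   'ip' => '198.51.100.5', 'user' => 'admin'];
}
// the address is over the limit; 'admin' is not, because its failures are stale
print_r(ua2_example_login_blocked($failures, '192.0.2.10', 'admin', $now));
// a fresh address and a single-failure username are both under the limit
print_r(ua2_example_login_blocked($failures, '203.0.113.1', 'guess5', $now));
```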

Changelog for 2.0-stable7 (2007-08-11)

  • Adapted initially generated guest user permission record to environments with pmwiki 2.2.0-beta58 or above.

    Archived example guest user permission record suitable for pmwikis below 2.2.0-beta58

    rd_*.*,
    -rd_Site.*,
    rd_Site.SideBar,
    rd_Site.MenuBar,
    rd_Site.PageActions,
    rd_Site.EditQuickReference,
    rd_Site.UploadQuickReference,
    rd_Site.PageListTemplates,
    rd_Site.LocalTemplates,
    rd_Site.PageNotFound,
    rd_Site.EditForm,
    rd_Site.Search,
    rd_Site.Preferences,
    ed_Home.Feedback,
    xx_Playground.*,

    The new version of an example record can be found at the UserAuth2 main page, Cookbook.UserAuth2.

Changelog for 2.0-stable6 (2007-06-13)

  • Removed flock() commands in the load/save permrecord functions, as they failed to work properly on Windows. (This introduces the theoretical possibility of reading an incompletely written perm record, with the worst-case effect of being denied certain permissions (a relogin heals this). Permrecord writes are not affected.)
  • Added code at UserAuth2() entrance to convert slashes to dots in page specifiers so as to ensure the required standardized module input. (in response to a WikiCalendar malfunction)

Changelog for 2.0-stable5 (2007-05-26)

  • Re-added GetInstanceUsername() to the user session class methods. Reestablishes compatibility with presence awareness (light).
  • Corrected a variable collision leading to a bad bug, in which link targets got scrambled after the first visit to the admin tool. (The $ScriptUrl variable was set inappropriately.)

Changelog for 2.0-stable4 (2007-05-21)

  • added 'ALWAYS' as valid permission level and action
  • added simplified debug functionality to output permission query results
  • ensured functionality in connection with CleanUrls
    The variable $LoginPage (and same with all other page name specifiers) should use the dot as group/page part separator, even when $EnablePathInfo is enabled.
  • updated the "Useful links" section on Cookbook.UserAuth2 to be functional in connection with CleanUrls. (Before the login/logout links appeared as broken links.)
  • added the =auth and =passwd fields in the returned page so as to make pagelists work again (this closes PITS.00901)
  • this is now more or less fully tested with CleanUrls

Changelog for 2.0-stable3 (2007-04-16)

  • comments in permission tables can now actually contain spaces ;)

Changelog for 2.0-stable2 (2007-04-15)

  • made $UA2AllLevels initialize on the first permission query rather than on script inclusion, so that it captures all registered HandleAuth settings, not only those registered before the userauth2 inclusion

Changelog for 2.0-stable (2007-04-14)

  • added code whose omission caused group deletions in the admin tool group list not to be displayed immediately

Changelog for 2.0-beta9

  • restricted GuestUsers rights for admin actions to keep perm system consistency (see #301)
  • changed default value of $HomePage to the pmwiki standard value (Main.HomePage)
  • corrected typo in uncovered code in userauth2-pwchange.php
  • removed old code

Changelog for 2.0-beta8

  • corrected ClearInstanceVariables to properly delete all user data from the session array
  • Using now a dedicated session save path and session name for each site (ini vars set by the script using some identifier derived from userauth2.php file location); this makes it now possible to access two sites on the same server with the same browser without intermingling their authentication status or forcing mutual logouts / session inconsistencies.
  • renamed $UA2EnforceClientIpFixation to $UA2EnforceFixedClientIp

Changelog for 2.0-beta7

  • no functionality changes
  • fixed error that caused an empty page to be displayed upon installation
  • minor speed optimization in the permission evaluation stack

Changelog for 2.0-beta6

  • no functionality changes
  • set appropriate default value for site identifier
  • added check for unreplaced {$AuthId} occurrences

Changelog for 2.0-beta5

  • changed perm semantics such that group membership entries are interpreted throughout the perm table at their place of occurrence, but only in affirmative direction (more flexible for complex permission constructions)

Changelog for 2.0-beta4

  • should work now with SSL (the protocol in redirection url is derived from the one that was used for the request)
  • the always readable HomePage principle is abandoned (since some sites may want to have a hidden home page); you must yourself ensure that for a logged in user the home page (or any other redirection target after successful self-initiated login) is readable
  • you can now use {$AuthId} in the permission table of the logged in user group, which is replaced by the upper-cased version of the user name the client is logged in as; good for automatic personalized pages, for example: xx_PrivatePages.{$AuthId}, or even better: xx_My*.{$AuthId}
  • you can now use #..., comments in the permission table (note the comma)
  • added Site.PageNotFound to the GuestUsers default permission record
  • added the perm entry level abbreviation xx, which matches every page related level
  • code around session_regenerate_id() now reimplemented: the old session file gets now destroyed as necessary for preventing fixation
  • in the released package: removed unnecessary dirs, GuestUsers record and admin profile, added .htaccess
  • initial admin profile and GuestUser record are now generated on first run if non-existent
  • removed editguestuser and editloggedinuser levels - the same functionality can be obtained using the usual mechanisms. They are editable now according to the usual patron principle, with the exception that creation or deletion is restricted to 'admin' only.
  • session expiration now manually (i.e. by the script instead of by PHP) enforced (new configuration variables for this); alongside some PHP directives massaged such that they don't interfere; redirection for this case revised
  • redirection for ip mismatch revised
  • possible edit loss on session expiration is now prevented, by reiterating the _POSTed data after relogin
  • group membership entries need not be at the beginning of the perm table anymore
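An added interpreter for the permission record notation used on this page (the guest record listed under 2.0-stable7, plus the {$AuthId} substitution, the "#...," comments and the xx level abbreviation from this 2.0-beta4 entry). It is illustrative code, not the recipe's userauth2-permchecklib.php; the evaluation order (entries read in sequence, last matching entry decides, default deny) and the ua2_example_* function names are assumptions, and the record it runs on is constructed.

```php
<?php
// Added example, not the recipe's own code. Assumed semantics: entries are read in
// order, the last entry matching both level and page decides, no match means denied.

function ua2_example_parse_record(string $record, string $authId): array {
    $entries = [];
    foreach (explode(',', $record) as $raw) {
        $e = trim($raw);
        if ($e === '' || $e[0] === '#') { continue; }   // "#...," comments are skipped
        $deny = ($e[0] === '-');                         // leading '-' makes it a denial
        if ($deny) { $e = substr($e, 1); }
        if (!preg_match('/^([a-z]+)_(.+)$/', $e, $m)) { continue; } // malformed: ignored
        // {$AuthId} becomes the upper-cased user name; slashes are normalised to dots
        $page = str_replace('{$AuthId}', strtoupper($authId), $m[2]);
        $page = str_replace('/', '.', $page);
        $entries[] = ['deny' => $deny, 'level' => $m[1], 'page' => $page];
    }
    return $entries;
}

function ua2_example_page_matches(string $pattern, string $page): bool {
    // '*' in a page specifier is a wildcard; everything else is literal
    $re = '/^' . str_replace('\*', '.*', preg_quote($pattern, '/')) . '$/';
    return (bool) preg_match($re, $page);
}

function ua2_example_allowed(string $record, string $authId, string $level, string $page): bool {
    $allowed = false;                                    // default deny (assumed)
    foreach (ua2_example_parse_record($record, $authId) as $e) {
        $levelHit = ($e['level'] === $level || $e['level'] === 'xx'); // xx: every page level
        if ($levelHit && ua2_example_page_matches($e['page'], $page)) {
            $allowed = !$e['deny'];                      // last matching entry wins (assumed)
        }
    }
    return $allowed;
}

// Constructed record: the guest pattern (read all, deny Site.*, re-allow the SideBar),
// a comment, and a personalised xx entry of the kind shown in this entry.
$record = "rd_*.*, -rd_Site.*, rd_Site.SideBar, #comment with spaces, xx_My*.{\$AuthId},";
var_dump(ua2_example_allowed($record, 'alice', 'rd', 'Main.HomePage'));   // generic read
var_dump(ua2_example_allowed($record, 'alice', 'rd', 'Site.Preferences')); // hit by -rd_Site.*
var_dump(ua2_example_allowed($record, 'alice', 'rd', 'Site.SideBar'));     // re-allowed later
var_dump(ua2_example_allowed($record, 'alice', 'ed', 'MyNotes.ALICE'));    // own page via xx
var_dump(ua2_example_allowed($record, 'alice', 'ed', 'MyNotes.BOB'));      // someone else's
```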

Changelog for 2.0-beta3

  • corrected default value for $exitHandler

Changelog for 2.0-beta2

  • added recipe version info as explained in recipe guidelines
  • set a default value for $exitHandler for getting things right for PmWikis without exit handler modification
  • added code such that former markup (:if member @editor:) is honoured (accounts for the @ at the beginning of the group); added check on bad input also there