Summary: Talk page for MemberMgmt.
Maintainer: (unsupported since 2008)

This space is for User-contributed commentary and notes. Please include your name and a date along with your comment.


Given recent demonstrations of vulnerabilities that result when ZAP is paired with open editing of a wiki, this type of authentication should only be used on wikis where every page (including the WikiSandbox) requires a password for editing. Ben Stallings May 03, 2007, at 11:30 AM

Note: the two exploits Pm demonstrated (both minor variations of the same basic attack) have both been completely plugged. Furthermore, two additional levels of security have been implemented, and numerous fixes made to keep ZAP on the cutting edge in terms of security. Caveman May 08, 2007, at 08:28 PM

Caveman, I'm very impressed with what you say ZAP can do. I have tried to install it on my pmwiki, but after playing with the ZAP toolbox and its uses, I had to completely delete the site I was working on. I'm in high need of some form of member management system and something that makes it easy for members to self-register. Your program looks like it could answer all of my questions, but the documentation on your site doesn't explain in terms simple enough for me, what and how the ZAPconfig page works. It seems like that page would make everything easier, but for someone as simple minded as myself, it raises new questions. Is there another location (website, forum, etc.) that could explain how I get the member management to work or what ZAPconfig does (in very simple terms)?

Just for you to know, I'm using version 2.2.0-beta65 (2007-11-17) of PmWiki and had authuser enabled. Thanks for pointing me in the right direction! Chris August 12, 2008, at 03:47 PM

Hi, Chris. I started to take on responsibility for maintaining this recipe a year ago, and was working on some better documentation for it, but gave up when I realized that it was not the right tool for the job -- that I could get the same functionality or better without the headache if I used a different CMS that had the functionality built in rather than as an add-on. I love PmWiki, but IMHO it is not designed to work this way. I wish you the best of luck. Ben Stallings August 12, 2008, at 10:30 AM


What would you recommend as a member management system then? It's critical that I have it set up so that users can self-register. -Chris

It's been a while, but I just downloaded the latest version of PmWiki, enabled authuser, zap and zaptoolbox, (in that order) cut and pasted the registration and login forms above, and it worked perfectly. I did nothing with the ZAP config page, or any other customizations. Could you explain more precisely what error you were having? Perhaps it was a permissions problem or something to do with your server configuration.

Of course if you are looking for something like PmWiki with this already built in, you could try That's what I'm currently using. Good luck. Caveman

Hello all, I wanted to add some comments since I have been using ZAP for a while now, and the more I use PmWiki and ZAP the more I understand things. I do believe that the ZAP documentation is not clear enough or does not have enough examples. Something to point out though is that the more I use it and work with ZAP, the more I find ways to implement.

What I am going to do is to add some code here below the way I have implemented MemberMgmt. Maybe that example could help somebody else.

On the Side Bar I use the following Lines:

* [[Main/Register]]
* [[Profiles/Profiles|Users List]]

(:if enabled AuthId:)
* [[{=$FullName}?action=logout | Log Out {$AuthId}]]
(:if !enabled AuthId:)
* [[Main/Login]]

In the Register Page Basically I use the Same Code Shown Above for Registration.

In the Profiles Page I use the following Lines to show a User List:

!! :: Registered Users
(:pagelist group=Profiles -RecentChanges:)

Also, in Profiles/GroupFooter, with the lines below the profile page will show all data from that user only if the user has logged in. When not authenticated, the message "We Are Sorry, You Are Not Aloud to View This Page !" will be shown.

(:if equal {$AuthId} {$Name}:)
Nombre: {$:RealName} [[<<]]
Pais: {$:Country} [[<<]]
Sexo: {$:Gender} [[<<]]
(:else:)
We Are Sorry, You Are Not Aloud to View This Page !
(:ifend:)

With little tweaks it is very easy to change the user profile information. Not sure at this moment if the password could be changed. But basically I am pretty sure that most of the features of a CMS can be implemented with this recipe.

Marte October 2, 2008

October 10, 2008, at 07:39 PM --jj?
I found this from the mailing list, which is very helpful:

"Just a quick announcement that I've just updated the ZAP code for some
rather useful member mgmt features.

To automatically add a member to a (membership) group, use a command
like the following in a ZAP form:

(:zap group_ChessClub="+Bob":)
Use -Name to drop names, or define outright by inserting a CSV list.
For example, do a search of your member profiles for some string, and
output the pagelist to a csv list.  Instant groups!  You can also
automatically subscribe people to certain groups when they login based
on whatever criteria you wish.

I've also managed to fix the CSV list to take much more user abuse in
terms of unnecessary spaces, etc.

Membership information is stored on pages like Memberships.ChessClub
with pages that look simply like


To display the members of a group, you can do a {(grouplist ChessClub
'fmt')} using the same syntax (actually the same function) as the
existing list markup expression. So you can display many interesting
ways. Checks for read permission on the membership page or returns

Two conditionals have been added:

(:if group_exists ChessClub:)


(:if group_member ChessClub Caveman:)

When a person logs in using ZAP's authentication scheme, all existing
groups are checked and memberships are automatically added to the
session array for use in AuthUser conditions, etc. I should note, ZAP
can also set the passwords for specific groups/pages using the attr
command to make this even cooler!

Also reworked is the Login and Register function so that when a person
enters an invalid member name, it is automatically converted to a
proper page name fmt (using the MakePageName function), and sets their
authid appropriately. So if a person registers as test 123 they will
be assigned to Profiles.Test123, and have an authid Test123, but can
login as test 123 with no problem.  Works great!

Thanks esp to Ben for his inspiration on this last point, and to Pm
for his help with the group mgmt information. I'll be uploading the
new scripts shortly and trying to keep up with the documentation as
I'm able.

Please let me know if anyone notices any bugs or problems, or has
suggestions for improving things.
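
The announcement quoted above says typed member names are converted to a page name (test 123 becomes Profiles.Test123 with authid Test123), which means several typed names can end up on one profile, so a registration check has to compare the converted form rather than the raw input. The following is an added example, not ZAP or PmWiki code: canonical_member_name() is a simplified stand-in for the MakePageName conversion, and register_member() with its in-memory $taken registry is hypothetical.

```php
<?php
// Added example; not ZAP or PmWiki code.
// Simplified stand-in for a MakePageName-style conversion (assumption:
// apostrophes are dropped, other non-alphanumerics separate words, each
// word is capitalised, and the words are joined).
function canonical_member_name(string $input): string {
    $s = str_replace("'", '', $input);
    $s = preg_replace('/[^A-Za-z0-9]+/', ' ', $s);
    $s = ucwords(trim($s));
    return str_replace(' ', '', $s);
}

// Register a member name. $taken is a hypothetical in-memory registry that
// stands in for the Profiles group: lower-cased canonical name => raw name
// that first claimed it.
function register_member(array &$taken, string $raw): array {
    $canon = canonical_member_name($raw);
    if ($canon === '') {
        // Nothing usable is left once the name has been converted.
        return ['ok' => false, 'reason' => 'empty after conversion'];
    }
    // Case-folded key: a conservative choice so that names differing only
    // in case cannot share a profile file on a case-insensitive file system.
    $key = strtolower($canon);
    if (isset($taken[$key])) {
        return ['ok' => false,
                'reason' => "same profile as existing member '{$taken[$key]}'"];
    }
    $taken[$key] = $raw;
    return ['ok' => true, 'page' => "Profiles.$canon", 'authid' => $canon];
}

// Constructed sample registrations, in arrival order.
$taken = [];
foreach (['test 123', 'Test123', "te'st-123", '!!!', 'Bob Smith'] as $raw) {
    $r = register_member($taken, $raw);
    $result = $r['ok']
        ? "{$r['page']} (authid {$r['authid']})"
        : "rejected: {$r['reason']}";
    printf("%-12s => %s\n", $raw, $result);
}
```

The same comparison belongs in any code path that creates or renames a profile page, since the authid is derived from the converted name.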

