QuickStartForAuthUser-Talk

Summary: Just a quick guide for people to set up AuthUser to lock down their site.
Version: 1.0
Prerequisites: pmwiki
Status: beta
Maintainer: XES
Categories: CMS Security

Description

A quick way to lock down your wiki while still allowing authenticated users to edit it, similar to a CMS.

Notes

Quick start for AuthUser authentication in PmWiki

This is a quick guide to using the AuthUser system in PmWiki. We will create a group of admins for the website, starting with only one admin (yourname).

For more documentation: See http://pmwiki.org/wiki/PmWiki/AuthUser

  1. Temporarily protect the admin functions of your wiki by adding an admin password to PmWiki. This won't be permanent, but will give you admin privileges while you set up your first AuthUser account. Add the following to config.php:
    $DefaultPasswords['admin'] = crypt('itsmytemporarysecret');
  2. Restrict reading the SiteAdmin/AuthUser page to the @admins group. Go to http://yourwiki.com/pmwiki.php?n=SiteAdmin/AuthUser&action=attr
    and put "@admins" in the "read" field. Now only the actual administrator can read the page (no one is in the @admins group at this time, and AuthUser is not turned on yet).
    It will ask for a password. Use the one (example: itsmytemporarysecret) from the previous step.
  3. Edit the SiteAdmin/AuthUser page to add yourself as a member of @admins. Add this line to SiteAdmin/AuthUser:
    @admins: yourname
  4. Make yourself a name and password in AuthUser. Add this line to SiteAdmin/AuthUser:
    yourname: (:encrypt YourPassword:)
    Q: Does the order of assigning ID/pwd and group membership matter? A: Not really: these changes don't take effect until you do the step where you turn the AuthUser script on, below.
    This will save an encrypted version of the password on the page, but no one can read it because you blocked the reading of the page already.
    You now have an account with @admins privileges, not that @admins can do very much at the moment.
  5. Turn on the AuthUser system. Add this to config.php:
    include_once("$FarmD/scripts/authuser.php");
  6. Change the admin password for the system to allow @admins group members to administer the site. Change the line in config.php where you assigned the temporary password to this:
    $DefaultPasswords['admin'] = '@admins';
  7. Limit editing to people with an id/username [1]: Add the following to config.php:
    $DefaultPasswords['edit'] = 'id:*';
    That is enough to lock the system down and get you started with AuthUser. You can limit editing to admins only (use '@admins') or to other users that are defined on the SiteAdmin/AuthUser page.
  8. Assign usernames and passwords by signing in with YourName and YourPassword and adding the following line to SiteAdmin/AuthUser:
    username: (:encrypt UserPassword:)
  9. Assign new admin users to the @admins group by signing in as any current admin and adding their name to the list:
    @admins: yourname,username

Once this is done, you may add normal users by adding their username/password to the page, but do NOT add them to the @admins group. You may create other user groups and group users under them at any time. You may choose another name for admins such as @moderators to administrate the system by following the same directions and changing the group name with admin permissions in config.php.

Comments

Adding $DefaultPasswords['edit'] = 'id:*'; to config.php (step 7) enables any logged-in user to edit any page unless group attributes or page attributes set something different.
A good solution is to use

$DefaultPasswords['edit'] = '@editors';

and to define the @editors user group in the SiteAdmin.AuthUser page e.g.

@editors: Alice,John
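An added illustration (Python, not PmWiki's own code) of the AuthUser page format used in the steps above and of the '@editors' versus 'id:*' point made in this comment: it parses a constructed SiteAdmin/AuthUser page and lists which accounts satisfy each $DefaultPasswords value under the rules the recipe describes. `parse_authuser_page`, `is_authorized` and `who_can` are assumed helper names and a simplified model (no page or group attribute overrides, no external authentication sources); the hashes are placeholders.

```python
import re
# Constructed sample of a SiteAdmin/AuthUser page in the recipe's format:
# "name: hash" account lines and "@group: name,name" membership lines.
# Hashes are placeholders, not real crypt()/(:encrypt:) output.
AUTHUSER_PAGE = """\
@admins: yourname,alice
@editors: alice,john
yourname: $1$placeholderhash
alice: $1$placeholderhash
john: $1$placeholderhash
bob: $1$placeholderhash
"""

def parse_authuser_page(text):
    """Return (users, groups): account -> hash, @group -> set of accounts."""
    users, groups = {}, {}
    for line in text.splitlines():
        m = re.match(r'^\s*(@?[\w.-]+)\s*:\s*(.*?)\s*$', line)
        if not m:
            continue  # blank lines and other wiki markup are ignored
        key, value = m.groups()
        if key.startswith('@'):
            groups[key] = {n.strip() for n in value.split(',') if n.strip()}
        else:
            users[key] = value
    return users, groups

def is_authorized(requirement, login, users, groups):
    """Does `login` (None when logged out) satisfy a $DefaultPasswords value?
    Simplified model of the recipe's rules (assumed helper, not PmWiki code):
    '@group' -> listed under that group; 'id:*' -> any account on the page;
    'id:a,b' -> one of those; anything else is a shared-password hash."""
    if login is None or login not in users:
        return False
    if requirement.startswith('@'):
        return login in groups.get(requirement, set())
    if requirement.startswith('id:'):
        names = {n.strip() for n in requirement[3:].split(',')}
        return '*' in names or login in names
    return False

def who_can(requirement, users, groups):
    """Accounts that satisfy a requirement; review before editing config.php."""
    return sorted(u for u in users if is_authorized(requirement, u, users, groups))

if __name__ == '__main__':
    users, groups = parse_authuser_page(AUTHUSER_PAGE)
    for req in ('@admins', 'id:*', '@editors'):  # candidate 'edit' settings
        print(f"edit = '{req}' allows: {who_can(req, users, groups)}")
```

Running it shows that 'id:*' grants editing to every account on the page, while '@editors' restricts it to the listed members.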

Hello, I've tried the above steps to the T and have not been able to log in to the wiki with my username and password as set in SiteAdmin.AuthUser.

It says:

Name/password not recognized

I'm at a loss; any help would be greatly appreciated.

PmWiki version 2.2.36

Thank you in advance.

My first question would be to double check whether step #1 works on its own. The easy way to test this is to try http://yourdomain.com/Main/HomePage?action=login & http://yourdomain.com/Main/HomePage?action=logout on a page with a section that has (:if auth admin:)some text(:ifend:). When you log out, can you see the "some text"? If you can still see "some text" and you are logged out, then something's wrong with your wiki. Are you on a Windows server? A Linux server? The only time I've had problems like that was on some non-Linux hosting service. I had to follow the instructions to create a new temp directory for PmWiki -- and I found that answer somewhere on PmWiki.org. If that's your problem, I'll see if I can find that. XES April 06, 2012, at 09:04 PM

See Also

Several recipes describing CMS (Content Management Systems) describe how to show edit / upload links and search results to those who are allowed to use them, but not the rest.

Contributors

Sandy

Talk page for the QuickStartForAuthUser recipe (users).