00508: Problems with Password Duplicates and Cookbook/AuthUser

Summary: Problems with Password Duplicates and Cookbook/AuthUser
Created: 2005-09-05 01:54
Status: Open
Category: Bug
From: davidof
Priority: 1
Version: 2.0.beta54
OS: Win2000sp2/Apache 2.0.5/PHP 4.3.8

Description: Something that can cause confusion is where an admin or attr user and a normal user share a password.

For example a group of pages can be made editable by the administrator by setting the GroupAttributes password to: id:admin. However if user fred has the same password as admin (or maybe if there is an MD5 hash collision) then fred will also be able to edit pages in this group because his 'admin' level password has taken priority over his lack of privilege.

It seems that pmwikiauth and authuser check the username/password pair initially to confirm identity but then are interested in passwords as in the original pmwiki philosophy.

To summarize, administrator passwords take precedence over user page or group privileges. Not necessarily a bug but something to be aware of. I've documented this in Cookbook/AuthUser.

Of course the way around this is not to set any passwords, just enable admin and edit functions based on id:membername. The password authentication only works if you set passwords. :) Caveman September 14, 2006, at 09:36 PM
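The following is an added example, not code from PmWiki or from either poster. It is a small Python model of the authorization rule the report describes (a logged-in user's password is also compared against the site admin password, and a match grants admin rights regardless of the page's own `id:` list), set up with the report's scenario: admin and fred share a password, and the group's edit password is `id:admin`. It then applies the remedy from the follow-up comment: set no admin password at all and key admin rights to `id:admin` only. The hashing helpers are constructed stand-ins (PmWiki stores crypt() hashes; a salted SHA-256 is used here only so the model runs anywhere), and the function names and the user `wilma` are invented for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed stand-in for PmWiki's crypt() password hashes (assumption: the
# exact hash scheme does not matter for the authorization rule being modelled).
def make_hash(password: str, salt: Optional[str] = None) -> str:
    salt = salt or secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def check_hash(stored: str, password: str) -> bool:
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(stored, make_hash(password, salt))


def authorize(username: str, password: str, accounts: Dict[str, str],
              admin_password: Optional[str], page_passwords: List[str]) -> bool:
    """Model of the check the report describes (hypothetical, not PmWiki's code).

    accounts:       AuthUser's username -> stored hash list
    admin_password: the site-wide admin entry: a stored hash, an 'id:name'
                    entry, or None when no admin password is configured
    page_passwords: the entries protecting the page or group, e.g. ['id:admin']
    """
    # Step 1: AuthUser confirms the username/password pair.
    if username not in accounts or not check_hash(accounts[username], password):
        return False
    identities = {f"id:{username}"}

    def entry_matches(entry: str) -> bool:
        if entry.startswith("id:"):
            return entry in identities          # identity-based entry
        return check_hash(entry, password)      # plain password entry: any matching hash wins

    # Step 2: the admin password takes precedence over page/group entries,
    # so a matching password wins even when the page only lists 'id:admin'.
    if admin_password is not None and entry_matches(admin_password):
        return True
    # Step 3: the page's or group's own password list.
    return any(entry_matches(e) for e in page_passwords)


def demo():
    shared = "hunter2"   # constructed: admin and fred happen to use the same password
    accounts = {
        "admin": make_hash(shared),
        "fred": make_hash(shared),
        "wilma": make_hash("something-else"),
    }
    logins = [("admin", shared), ("fred", shared), ("wilma", "something-else")]
    group_attr = ["id:admin"]   # GroupAttributes edit password from the report

    # Weak setup: a site-wide admin password is configured. fred's login password
    # matches it, so he can edit the group although he is not 'id:admin'.
    admin_hash = make_hash(shared)
    weak = {u: authorize(u, p, accounts, admin_hash, group_attr) for u, p in logins}

    # Hardened setup (the follow-up comment's advice): no admin password at all;
    # admin rights come only from the identity 'id:admin'.
    hard = {u: authorize(u, p, accounts, "id:admin", group_attr) for u, p in logins}
    return weak, hard


if __name__ == "__main__":
    weak, hard = demo()
    print("admin password set :", weak)   # fred is wrongly allowed
    print("identity only      :", hard)   # only admin is allowed
```

The model treats the two steps the report separates: the username/password pair proves identity, but the admin-level decision is still made on the password value itself, which is why a shared password leaks admin rights. Removing the password entry and leaving only `id:admin` makes the decision depend on identity alone.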