01186: any username accepted with admin password

Summary: any username accepted with admin password
Created: 2010-04-22 20:31
Status: Closed - replied
Category: Bug
Priority: 5
Version: 2.2.15
OS: apache2 php5

Description: I can input any non-existing username as long as it has the admin's password, and PmWiki accepts the login.

This is a known and expected behavior: the admin password, as defined by $DefaultPasswords['admin'], should work without any need to fill the username field. The admin password should be really secret. --Petko April 23, 2010, at 02:19 AM

Then it should be noted somewhere (in config.php or the installation instructions) to make users aware of this.

This is documented in the 4th-to-last question on AuthUser. If you think it should be placed otherwise on that page or another, feel free to make the change. --Peter Bowers May 17, 2010, at 02:21 PM
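
The behaviour discussed in this thread, as an added example that is not part of the original report and is not PmWiki's own code: a simplified PHP model of a site-wide admin password checked without reference to the username, next to an identity-bound check for contrast. Apart from $DefaultPasswords['admin'], every name and value here is a constructed assumption.

```php
<?php
// Simplified model of the behaviour reported above; this is not PmWiki source.
// Only $DefaultPasswords['admin'] comes from the thread; every other name is hypothetical.

// Constructed sample credentials.
$DefaultPasswords = ['admin' => password_hash('constructed-admin-secret', PASSWORD_DEFAULT)];
$users    = ['alice' => password_hash('constructed-alice-secret', PASSWORD_DEFAULT)];
$adminIds = ['alice'];

// Shared-password check: the username never enters the decision, so any
// value typed into that field is accepted alongside the admin password.
function sharedPasswordAdmin(string $username, string $password, array $defaults): bool
{
    return password_verify($password, $defaults['admin']);
}

// Identity-bound check for contrast: the caller must authenticate as an
// existing account, and that account must be listed as an administrator.
function identityBoundAdmin(string $username, string $password, array $users, array $adminIds): bool
{
    if (!isset($users[$username])) {
        return false; // unknown usernames are rejected outright
    }
    return password_verify($password, $users[$username])
        && in_array($username, $adminIds, true);
}

// Constructed login attempts: [username, password].
$attempts = [
    ['no-such-user', 'constructed-admin-secret'],
    ['alice',        'constructed-admin-secret'],
    ['alice',        'constructed-alice-secret'],
    ['no-such-user', 'wrong-password'],
];

foreach ($attempts as [$name, $pw]) {
    printf(
        "%-12s %-26s shared=%-5s identity=%s\n",
        $name,
        $pw,
        var_export(sharedPasswordAdmin($name, $pw, $DefaultPasswords), true),
        var_export(identityBoundAdmin($name, $pw, $users, $adminIds), true)
    );
}
```

Under the shared-password check the first two attempts produce the same result, so the username recorded for such a login says nothing about who actually holds the admin password.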