I don't have the potential to review and debug all this but you need to NOT have a username $_POST['authid'] at all, not empty, just not set, if you only use "shared password" protection.

Is it possible that you have some function calls to CondAuth(), RetrieveAuthPage(), PageVar(), FmtPageName() or other core function before you have set $_POST['authpw']? Some of these functions, if they retrieve content from the wiki.d files, will cache the authorization levels.

Typically, any function call in config.php, or in a recipe included from config.php, can cache the levels. The function you set with $HandleActions is called much later, at the end of the processing. So you may want to assign the $_POST['authpw'] value before any function call and before any included recipe.

Petko

P.S. There is no point in calling CondAuth() before RetrieveAuthPage(). CondAuth() actually returns (boolean)RetrieveAuthPage() so you do the same CPU-intensive operation twice.


Crisses writes:

On Feb 11, 2014, at 3:42 AM, Petko Yotov wrote:

Petko Yotov writes:

Crisses writes:
Hi,

I've spent a day trying to fix this, so I have to figure that the documentation or myself (or both) aren't up to the task...


I have an array of (xml scalar) variables being passed to PmWiki via ? action=xmlrpc, including the author & password.  All the xmlrpc functions are in their own classes, including extracting the password from the xml data.  It works just fine, can dump the vars and all is (apparently?) in order.


I'm using basic PmWiki passwording.  I've set up the password to be passed to $_POST['authpw'] and the username to go into $_POST['authid'] and (global) $Author.



If you use basic PmWiki passwording (shared password) you need to set $_POST['authpw'] before calling RetrieveAuthPage().

Or, you should be able to call SessionAuth($pagename, $pass); before calling RetrieveAuthPage(), no need to set $_POST['authpw'].

After you have authenticated, just get and return the PHPSESSID cookie when you access the other pages, no need to repost user/pass every time.

Petko





Apparently I'm still not "getting it"....  Note: I'm just using basic passwords (for now) and not trying to make it compatible with authuser.php (yet).


I don't think the XMLRPC clients (Ecto, MarsEdit, etc.) have session cookies.  


$password and $username are set just fine as far as I can tell from the scalarval() (no whitespace chars added, etc...).  xes_error & xes_dump are debug functions which write to the error_log.  xes_dump does a print_r($var, true).  $page and $page['text'] comes out blank every time, unless I use ReadPage().  CondAuth would work to skip the rest of the loop, but the auth fails.  The remainder of the GetRecentPages function runs fine when I use ReadPage including client-side XML output, and with authentication the blank pages are sent to the XMLRPC client as if nothing else is wrong.




(parent function(s) called via $HandleActions['xmlrpc'] = 'HandleXMLRPC'; )


...




        // Retrieves a certain number of PmWiki pages ordered by date
        public static function GetRecentPages($params) {
                xes_error("Calling GetRecentPages.");
                global $XMLRPC_AuthPage;
                $blogidp=$params->getParam(0); $groupname=$blogidp->scalarval();
                $usernamep=$params->getParam(1); $username=$usernamep->scalarval();
                $passwordp=$params->getParam(2); $password=$passwordp->scalarval();
                $passp=$params->getParam(3); $number=$passp->scalarval();
                ValidateUser($username,$password);


                // Gather pages in an array for sorting by time
                $grouppages = $fullpages = Array();
                $pattern = "/^$groupname\\./";
                $grouppages = ListPages($pattern);
                foreach($grouppages as $pagename) {
                        xes_dump($pagename, "Next Name: ");
                        // Skip pages we do not have access to
                        if (! CondAuth($pagename, 'edit')) xes_error("No Text 4 u!");
                        $page = RetrieveAuthPage($pagename, 'edit', false, 0);
                        #$page = ReadPage($pagename);
                        xes_dump($page, "Page: ");
                        $fullpages[] = $page;
                }
                //Needs an empty error! No pages found....


                function ComparePageTime($a, $b) {
                        if ($a['time'] > $b['time']) return -1;
                        if ($a['time'] < $b['time']) return 1;
                        return 0;
                }
                usort($fullpages, "ComparePageTime");


                $arrayval = Array();
                $pagenum = 0;
                // Only return as many pages as are requested
                foreach($fullpages as $page) {
                        if($pagenum++ >= $number) break;


                        $arrayval[]= BloggerXMLRPC::PageAsXMLStruct($page);
                }
                $myVal=new xmlrpcval($arrayval, "array");
                return new xmlrpcresp($myVal);
        }


...





separate "helper" function (I know it's not performing validation, I inherited the namespace from the former recipe author and haven't corrected it yet -- it used to support UserAuth and return false on failure):



function ValidateUser ($username, $password) {
        global $Author;
        xes_error("Calling ValidateUser");
        $Author = $_POST['authid'] = $username;
        $_POST['authpw'] = $password;
        return true;
}





Crisses
--If PmWiki plug-ins are recipes, then I'm a chef! Or at least a line cook.  :)

_______________________________________________
pmwiki-users mailing list
pmwiki-users@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
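
The advice above (set $_POST['authpw'] before any core function call or included recipe, and leave $_POST['authid'] unset for shared-password protection), as an added example that is not part of the original thread or of PmWiki. It assumes the password is parameter 2 of the XML-RPC call, as in the quoted GetRecentPages(); xes_early_param() is a hypothetical helper name.

```php
<?php
// Added example: place at the very top of local/config.php, before any
// include_once() of a recipe and before any call to a PmWiki core function.

/**
 * Return the string value of the XML-RPC <param> at $index, or null if the
 * body is empty, malformed, or has no such parameter.
 * (xes_early_param is a hypothetical name, not a PmWiki function.)
 */
function xes_early_param(string $rawXml, int $index): ?string {
    if ($rawXml === '') return null;
    $prev = libxml_use_internal_errors(true);   // keep parse warnings out of the output
    $doc  = simplexml_load_string($rawXml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($doc === false || !isset($doc->params->param[$index])) return null;
    $value = $doc->params->param[$index]->value;
    // XML-RPC allows <value><string>x</string></value> or a bare <value>x</value>.
    $text = isset($value->string) ? (string)$value->string : trim((string)$value);
    return $text === '' ? null : $text;
}

if (($_GET['action'] ?? '') === 'xmlrpc') {
    // Parameter 2 is the password in the GetRecentPages() call quoted above.
    $pw = xes_early_param((string)file_get_contents('php://input'), 2);
    if ($pw !== null) $_POST['authpw'] = $pw;
    // Shared-password protection: the key must not exist at all, not merely be empty.
    unset($_POST['authid']);
}

// Constructed sample request, used only when this file is run directly from the CLI.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $sample = '<methodCall><methodName>metaWeblog.getRecentPosts</methodName><params>'
            . '<param><value><string>Blog</string></value></param>'
            . '<param><value><string>someuser</string></value></param>'
            . '<param><value><string>constructed-secret</string></value></param>'
            . '<param><value><int>5</int></value></param>'
            . '</params></methodCall>';
    var_dump(xes_early_param($sample, 2));   // the password parameter
    var_dump(xes_early_param($sample, 9));   // missing parameter
    var_dump(xes_early_param('<broken', 2)); // malformed body
}
```

With the password in place this early, the handler set through $HandleActions can call RetrieveAuthPage() once per page and skip any page for which it returns false. ReadPage() performs no authorization check, so it should not stand in for RetrieveAuthPage() in code that serves remote clients.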
