Re: wiki on sf

[Alex Schroeder]

Etienne Grossmann <address@hidden> writes:

>   Ok, now I saw, in the latest code, that configpage gets the same
> treatment as configfile, but it is one of the wiki's pages
> (modifiable), while the other is a file outside of the wiki (not
> modifiable). Indeed, setting configpage seems to leave a wide open
> door.

Well, the door is about as open as using ftp or telnet -- the
password travels accross the network in cleartext...  It all depends
on the context.  On my current account I only have ssh access, so
compared to that, the configpage thing is truly very insecure.

> # If the wiki owner changes the passwords, then those users using an old
> # password will no longer be administrators.  The mechanism is really
> # simple:  action=password stores the password you used in the cookie,
> # and as long as you use this cookie, and the password in the cookie
> # matches one of the passwords defined by the wiki owner, you are an
> # administrator.  When the cookie is created, it is valid for 2 years.
> # 
> # One potential problem is connecting from a public computer and using
> # action=password.  Then the cookie will be stored on a public computer
> # for two years.  Personally, this is not a problem for me.  Do you
> # feel that the cookie with the password should expire after the
> # session ends?  Currently the username and the password are stored in
>
>   Lemmesee : the username comes from the CGI object, not from a
> user-filled box. So it is more 'browser information' (e.g. IP) than
> actual username. right?
>
> # the same cookie; this change would require using two cookies instead
> # of one.
>
>   What about a scheme in which, in order to modify a page, you have to
> enter a username and a password. Each time someone checks in ('save'
> button) a page.

Be careful in the use of words here.  The wiki uses some unfortunate
terminology which is counter-intuitive to normal users.

The *Username* is just a tag.  Anybody can use it.  Whenever you edit
a page, you can enter a new username, and you can use the same
username as anybody else.  Your edits will *also* be tagged with IP
or hostname, so basically there is *no authentication*.

The *Password* is independent of the username!  The password just
tells the wiki, that you know the secret word -- nothing else.  This
is a bit like Jeff Raskin's idea for a new login prompt:  Just type
your password.  The username is totally superfluous, because that
effectively only adds a small number of easily guessed bits to your
password.

So, the *wiki* has one or more passwords, and anybody who knows one
of these passwords, qualifies as an administrator.

Implementing the scheme you propose would be possible, but it would
not be much better than having the cookie expire at the end of the
session, I think.  I will make the expiry time customizable.  Then you
can put 10 minutes, or nothing (ie. the current session) in there.

>   Alternatively, we can leave the wiki just plain open. Anyone can
> change anything. How do you restore a page to its old version? (didn't
> find it at http://emacswiki.wikiwikiweb.de/cgi-bin/oddmuse.pl).

I just added this to the wiki.  Here is the executive summary:

# Click "View other revisions" at the bottom.
# From the history, find the last good revision, and view it.  Assume it is 
Revision 246.
# Click "Edit revision 246 of this page" at the bottom.
# Put  "revert" or something similar into the summary and click "Save".

Alex.
-- 
http://www.emacswiki.org/cgi-bin/alex.pl



-------------------------------------------------------------
Octave is freely available under the terms of the GNU GPL.

Octave's home on the web:  http://www.octave.org
How to fund new projects:  http://www.octave.org/funding.html
Subscription information:  http://www.octave.org/archive.html
-------------------------------------------------------------