read passwords allow viewing the contents of wiki pages
edit passwords control editing and modification of wiki pages
attr passwords control who is able to set passwords on pages (and potentially other future attributes)
upload passwords control uploading of files and attachments
admin password that allows an administrator to override the passwords set for any individual page or group.
By default, PmWiki has the following password settings:
admin and upload passwords are locked by default.
attr password (in their respective GroupAttributes pages).
admin password can be used to overcome "locked" passwords; other than that, no password will allow access.
See Passwords for information about setting per-page and per-group passwords. The remainder of this page describes setting site-wide passwords from the local/config.php file.
admin password for the site. This is done via a line like the following in the local/config.php file:
$DefaultPasswords['admin'] = crypt('secret_password');
Note that the crypt() call is required for this -- PmWiki stores and processes all passwords internally as encrypted strings. See the crypt section below for details about eliminating the cleartext password from the configuration file.
To set the entire site to be editable only by those who know an "edit" password, add a line like the following to local/config.php:
$DefaultPasswords['edit'] = crypt('edit_password');
Similarly, you can set $DefaultPasswords['read'], $DefaultPasswords['edit'], and $DefaultPasswords['upload'] to control default read, edit, and upload passwords for the entire site. The default passwords are used only for pages and groups which do not have passwords set. Also, each of the $DefaultPasswords values may be arrays of encrypted passwords:
$DefaultPasswords['read'] = array(crypt('alpha'), crypt('beta'));
$DefaultPasswords['edit'] = crypt('beta');
This says that either "alpha" or "beta" can be used to read pages, but only the "beta" password will allow someone to edit a page. Since PmWiki remembers any passwords entered during the current session, the "beta" password will allow both reading and writing of pages, while the "alpha" password allows reading only. A person without either password would be unable to view pages at all.
$DefaultPasswords['admin'] = crypt('youradminpassword');
$DefaultPasswords['attr'] = crypt('yourattrpassword');
$DefaultPasswords['admin'] = crypt('mysecret');
then the "mysecret" password is in plain text for others to see. However, a wiki administrator can obtain and use an encrypted form of the password directly by using ?action=crypt on any PmWiki url (or just jump to PasswordsAdmin?action=crypt). This action presents a form that generates encrypted versions of passwords for use in the config.php file. For example, when ?action=crypt is given the password "mysecret", PmWiki will return a string like
$1$hMMhCdfT$mZSCh.BJOidMRn4SOUUSi1
The string returned from ?action=crypt can then be placed directly into config.php, as in:
$DefaultPasswords['admin'] = '$1$hMMhCdfT$mZSCh.BJOidMRn4SOUUSi1';
Note that in the encrypted form the crypt keyword and parentheses are removed, since the password is already encrypted. Also, the encrypted password must be in single quotes. In this example the password is still "mysecret", but somebody looking at config.php won't be able to see that just from looking at the encrypted form. Crypt may give you different encryptions for the same password--this is normal (and makes it harder for someone else to determine the original password).
$DefaultPasswords['upload'] = '';
You can also use the special password "@nopass" via ?action=attr to have a non-password protected page within a password-protected group, or a non-password protected group with a site-wide default password set.
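The site-wide checks described above (several accepted passwords per level, stored hash strings in place of cleartext, a locked level, and the admin override), as a simplified model. This is an added example, not PmWiki's own code: matches(), is_authorized() and $session are hypothetical names, the salts are constructed, '*' is the locked value explained in the FAQ further down, and treating '' as "no password required" is an assumption of the model.

```php
<?php
// Added example: a simplified model, not PmWiki's own code.
// matches(), is_authorized() and $session are hypothetical names.

// Constructed config. Salts are fixed only to make the run repeatable;
// a string from ?action=crypt carries its own random salt.
$DefaultPasswords = [
    'admin'  => crypt('mysecret', '$1$adminsal$'),
    'read'   => [crypt('alpha', '$1$saltAAAA$'), crypt('beta', '$1$saltBBBB$')],
    'edit'   => crypt('beta', '$1$saltCCCC$'),
    'upload' => '*',   // locked: crypt() never returns a 1-character string
];

// True when $candidate hashes to $stored. crypt() takes the scheme and salt
// from the stored string, so only the hash is needed to verify.
function matches(string $candidate, string $stored): bool {
    if (strlen($stored) < 13) return false;   // '*' and '' are not hashes
    return hash_equals($stored, crypt($candidate, $stored));
}

// $session holds the passwords entered so far in this session.
function is_authorized(string $level, array $session, array $config): bool {
    $stored = (array)($config[$level] ?? '');
    $admin  = (array)($config['admin'] ?? '*');
    foreach ($session as $pw) {
        foreach (array_merge($stored, $admin) as $hash) {
            if (matches($pw, $hash)) return true;   // level or admin password
        }
    }
    // Assumption of this model: a level set to '' needs no password.
    return $stored === [''];
}

$cases = [
    ['read',   ['alpha']],      // read-only password
    ['edit',   ['alpha']],
    ['edit',   ['beta']],       // "beta" is listed for read and for edit
    ['read',   []],             // nothing entered yet
    ['upload', ['beta']],       // locked level
    ['upload', ['mysecret']],   // admin password against a locked level
];
foreach ($cases as [$level, $session]) {
    printf("%-6s [%-8s] %s\n", $level, implode(',', $session),
        is_authorized($level, $session, $DefaultPasswords) ? 'allowed' : 'denied');
}
// "beta" stored under two salts: the strings differ, yet both verify.
var_dump($DefaultPasswords['read'][1] === $DefaultPasswords['edit']);
```

The `$1$` prefix marks an MD5-crypt string, which is salted but fast to compute, so a stored value still permits offline guessing of weak passwords; keep local/config.php unreadable to other users of the server.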
$ForbiddenPasswords = array('secret', 'tanstaafl');
if (in_array(@$_POST['authpw'], $ForbiddenPasswords)) unset($_POST['authpw']);
This prevents "secret" and "tanstaafl" from ever being accepted as a valid authorization password, regardless of what pages may be using it.
$HandleAuth array, which sets the required authentication level that is necessary to perform an action.
?action=source. This action shows the wikisource of the actual page. Sometimes you don't want that, especially when using conditional markup that should not be discovered easily, or that should be visible only to persons who are allowed to edit the page.
There are several solutions for that:
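# require the 'edit' authorization level to view the page source
$HandleAuth['source'] = 'edit';

# or give 'source' its own authorization level and password
$HandleAuth['source'] = 'source';
$DefaultPasswords['source'] = crypt('secret'); # see above
$PageAttributes['passwdsource'] = '$[Set new source password]';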
$PageAttributes array indicates that you wish for the given field to be encrypted when saved to disk.
The full set of steps to add new password handling for an action such as "diff" would be:
# add a new (encrypted) field to the attr page
$PageAttributes['passwddiff'] = '$[Set new history password]';
# clear the default password for 'diff'
$DefaultPasswords['diff'] = '';
# Tell PmWiki that the 'diff' password allows action 'diff'.
$HandleAuth['diff'] = 'diff';
# Tell PmWiki that a 'read' password
# (or optionally the 'edit') password
# is also sufficient to enable 'diff'.
# Of course, the 'admin' password will work too.
$AuthCascade['diff'] = 'read'; ## or 'edit'
There seems to be a default password. What is it?
There isn't any valid password until you set one. PasswordsAdmin describes how to set one. PmWiki comes "out of the box" with $DefaultPasswords['admin'] set to '*'. This doesn't mean the password is an asterisk; it means that the default admin password has to be something that encrypts to an asterisk. Since it's impossible for the crypt() function to ever return a 1-character encrypted value, the admin password is effectively locked until the admin sets one in config.php.
How do I use passwd-formatted files (like .htpasswd) for authentication?
See AuthUser or Cookbook:UserAuth
Is there anything I can enter in a GroupAttributes field to say 'same as the admin password'? If not, is there anything I can put into the config.php file to have the same effect?
For the sitewide edit password (in config.php), use '@_site_edit'. I haven't tested this, but I think one can also use '@_site_admin', '@_site_read', '@_site_attr', etc. for the other site-wide passwords set in config.php. '@admin' is used to specify the site admin password.
How do I edit protect, say, all RecentChanges pages?
(needs answer)