[dokuwiki] Re: CAS support for DW

Guy Brand writes:

  Hello,

A colleague from university of Bordeaux, France, is working on
authentication through CAS[1,2] in Dokuwiki. He managed to get it
working by using CAS only for user/password checking in CAS, DW's
ACLs, profiles, etc are used directly inside DW. Now he is facing a
problem: using CAS, users auto-registration, users password change
or users profile updates must be forbidden. Here are some changes he
made:


    - removed DOKU_COOKIE use from auth_login;
    - removed $user, $pass, auth_browseruid, $USERINFO, variables from
      SESSION ;

  Question: what impact have these changes on the security of DW? In
  particular, in his modified DW, it's CAS which is taking care of the
  "browser uid", what issues can this raise?

Hard to say without the code. However many places rely on the info in the $USERINFO variable, so thing may break unexpectedly. The much better method would be using th current devel version and write an auth backend for CAS (by implementing the TrustExternal method) and set the $cando properties correctly.


Andi

--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist

Other related posts: