[ewiki] Re: auth_perm_ring.php

> Had to make a small fix to auth_perm_ring.php
>
>          {
>             $required_ring = $ring;
>             break;   #- break required here
>          }

EXACTLY!


> ewiki.php.   The problem was that if someone entered an invalid
> login/password, they would have to close the browser completely in order
> to get the auth dialog again.  I didn't think it was necessary to fetch
> the user name if the perms for the page have not been checked yet.  I do
> not know if this breaks any other auth module, but it problably would
> not.

That's a bit more complicated I think. Its true that there isn't an easy
way to unlogin for HTTP auth, but this was more a design decision in
the _method_http plugin.  The problem with http auth is, that you'd normally
receive unendless relogin boxes if username or password mismatch, without
being informed about that. So I garbaged the _method_http to only query for
the authentication infos once, and afterwards allow the custom error message
to appear.
But probably it's better to include the failure/permission notice as auth
realm together with the http auth request.

The first $pf_login() in ewiki_auth() is required to get the username
and password before letting one of the permission plugins decide on it.
It should have behaved READONLY here (getting username and password from
CGI environment vars), if it activated the auth request, then there is
a bug in _method_http:

> /*
>       #-- nobody is currently logged in, so try to fetch username,
>       #   the login <form> is not yet enforced
>       if ($pf_login && empty($ewiki_auth_user)) {
>          $pf_login($data, 0);
>       }
> */


> Users without CVS access get updates about 8-24 hours after a commit has
> been made so I cannot test the latest till tomorrow.

I don't know if that limit still exists, but there is also a way to get
a more recent CVS snapshot - but only as complete tarball.bz2 from our
/downloads/ dir. It is built currently only once a day (around 11:00 UTC
or so?), but sometimes also during the day (when I do).


Regards,
mario

Other related posts: