make HTTP SSO possible for IIS or rewriting

DokuWiki silently attemps to resuse received HTTP auth credentials for
user logins. Unfortunately these are only passed to PHP when using
mod_php. IIS pro

make HTTP SSO possible for IIS or rewriting

DokuWiki silently attemps to resuse received HTTP auth credentials for
user logins. Unfortunately these are only passed to PHP when using
mod_php. IIS provides a HTTP_AUTHORIZATION header which now will
be decoded and used as well.

This header can also be faked via mod_rewrite:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E

darcs-hash:20090114153601-7ad00-6c75e8568eda6753834981642eed638b9eb01694.gz

show more ...

ACL user wildcard changed to %USER% FS#1504 :!:

DokuWiki supports a wildcard which gets replaced with the currently loggedin
user in its ACL configuration file.

This patch changes the wildcard from

ACL user wildcard changed to %USER% FS#1504 :!:

DokuWiki supports a wildcard which gets replaced with the currently loggedin
user in its ACL configuration file.

This patch changes the wildcard from @USER@ to %USER% (case sensitive) and
also makes sure the ACL Manager does not replace the wildcard when displaying
the currently set rules.

The change was needed for better compatibility with the User Manager without
complicating the code. The old @USER@ wildcard is still supported, but
changing an ACL rule using it, through the ACL manager will fail.

It is recommended to update ACL rules using the @USER@ wildchar to use the
new %USER% one instead.

darcs-hash:20081216171126-7ad00-94ce0c2afa411abc936f13572efd0e31941901ee.gz

show more ...

removed some illogical path setups

darcs-hash:20081213090400-7ad00-4e21cd75978bb07513f32f5d750658e8d777c59e.gz

show update profile dialog only when logged in

darcs-hash:20081117154409-23886-d0ad833c6bcf96bcc54f6998397de90ff07b7686.gz

fixed missing global scope in auth_setCookie() FS#1530

darcs-hash:20081108225035-6837b-a662b0728205e64f5eaf7bd0003748a5be8a6b2f.gz

Ensure 'smd5' password hashing method is only triggered when available

darcs-hash:20081013123417-f07c6-eaa5586edad17a971f4daf38afac77c6946539f0.gz

remove unused/redundant isvalidemail() function

darcs-hash:20081013123311-f07c6-8dc34c8fb9a170fae412a6c37928e601c1728a18.gz

Fix for FS#1050

Update cookie and session with new details after an "update profile" action

darcs-hash:20081013122958-f07c6-244b949b074ac73711c61833f1fa663e55da19c7.gz

FS#564 FS#1270 new option to disable the rememberme checkbox

darcs-hash:20081012144253-23886-c904f82c559c3ad5477bf921e93cb439a212134d.gz

Fail silently if trying to login through supplied HTTP credentials (FS#1228)

darcs-hash:20081012131042-2b4f5-029f4f0ffa6c89e23653584c8bb41db78834cc73.gz

Empty breadcrumbs on logout (see FS#979)

darcs-hash:20081011161458-19e2d-97001154886654be84d70b1b140743b124a1c763.gz

reopen the session in auth_logoff FS#1484

To clean data from the session correctly on logout, the session needs
to be reopened.

darcs-hash:20081011092157-7ad00-e5cc905b6e04b13fe667690c0e6aad6852425

reopen the session in auth_logoff FS#1484

To clean data from the session correctly on logout, the session needs
to be reopened.

darcs-hash:20081011092157-7ad00-e5cc905b6e04b13fe667690c0e6aad68524254f1.gz

show more ...

more cookie security FS#1490

This patch adds the httponly option to the PHP session cookies and DokuWiki's
auth cookie when supported by the PHP version.

It also adds a new config option 'securecoo

more cookie security FS#1490

This patch adds the httponly option to the PHP session cookies and DokuWiki's
auth cookie when supported by the PHP version.

It also adds a new config option 'securecookie' which is enabled by default.
It makes sure the browser will not sent a cookie set via HTTPS over a
non-secured connection. This option has to be disabled for wikis that only
protect the login with SSL but not the whole wiki.

darcs-hash:20080912224922-7ad00-d5275147ba9d17a9f6defa8a51ca720da74ba8a0.gz

show more ...

Wrap user modifications in events

Adds a wrapper function in the basic auth class which is used by the core code
to modify the user database. The wrapper function signals events and delegates
the ac

Wrap user modifications in events

Adds a wrapper function in the basic auth class which is used by the core code
to modify the user database. The wrapper function signals events and delegates
the action to the auth backend.

darcs-hash:20080817141121-79ce3-3300a4342b62a7a18ebcc9a765d87b30a0264621.gz

show more ...

Enhancements for password hashing (maybe fixes FS#1440)

This patch adds support for Apache style salted MD5 hashs (apr1). It also fixes
smd5 for systems where crypt() does not support MD5 hashs.

Un

Enhancements for password hashing (maybe fixes FS#1440)

This patch adds support for Apache style salted MD5 hashs (apr1). It also fixes
smd5 for systems where crypt() does not support MD5 hashs.

Unit tests were added.

darcs-hash:20080728181616-7ad00-d0980557111cb05662ea1bcf4a78aa2b74ac90d0.gz

show more ...

check ACLs correctly if only groups but no user is given FS#1415

When only an array of groups but no username where passed to auth_aclcheck()
it defaulted to use the @ALL group only. This is not cri

check ACLs correctly if only groups but no user is given FS#1415

When only an array of groups but no username where passed to auth_aclcheck()
it defaulted to use the @ALL group only. This is not critical because this
does not happen anywhere in the code.

Only exception is when building the plain english explanation of an ACL rule
in the ACL manager.

darcs-hash:20080608101051-7ad00-0abd42f84c04473ad4fca149893a1b4d931ece48.gz

show more ...

reopen the session for storing the auth token

darcs-hash:20080603203138-7ad00-cce00e99b64c53b6ffa11748262a3a8c2cd1e37e.gz

authentication via session tokens

This patch adds a way to create a token for an authenticated user which is stored
in the session. When a subsequent request resends this token, the request will be

authentication via session tokens

This patch adds a way to create a token for an authenticated user which is stored
in the session. When a subsequent request resends this token, the request will be
authenticated automatically without the need for any cookies or credential
rechecking.

The auth token expires with the session. Requesting a new token will invalidate
the old one. Sending a wrong token will result in a 401 and any existing token
will be revoked.

This is currently not used anywhere in the code but can be used for browser
intitiated client software (flash, applets, ...).

Note this is unreleated to the anti CSRF sectoken implementation.

Users who want to make use of this mechanism will probably need to pass the
session id and a valid sectoken in addtion to the authtoken

darcs-hash:20080603193450-7ad00-2f35ddde16a31c4f2699e0e6050b3c4277b2bc64.gz

show more ...

Fix for password updates FS#1352

darcs-hash:20080315105202-7ad00-455d343db7d52a5af92361719bee1d60b6c8107d.gz

Superuser and manager now can be comma separated lists

This patch allows $conf['superuser'] and $conf['manager'] to be lists
of values instead of only a single value. So one can put:

$conf['super

Superuser and manager now can be comma separated lists

This patch allows $conf['superuser'] and $conf['manager'] to be lists
of values instead of only a single value. So one can put:

$conf['superuser']

darcs-hash:20080227142515-19e2d-c160914589f71531583e7ddaab1fc6a81996efa1.gz

show more ...

fix usage of is_admin in auth_aclcheck

There were a few problems with name encoding for groups and users
introduced in the recent aclcheck change

darcs-hash:20080226172257-7ad00-d591f0d2f2219a2b23f

fix usage of is_admin in auth_aclcheck

There were a few problems with name encoding for groups and users
introduced in the recent aclcheck change

darcs-hash:20080226172257-7ad00-d591f0d2f2219a2b23f93060c65b8fb5f46bd1d7.gz

show more ...

Use auth backend to verify password on profile update FS#1328

darcs-hash:20080215154316-7ad00-d052e2eed8e47e62ff639cd66d7debb4bfd293fc.gz

Make session reference file check overridable for auth backends

darcs-hash:20080215121716-7ad00-35d275212e0e3c41626ed64d9096aad10f4ad2db.gz

invalidate all user session cache when userdatabase is changed FS#1085

A reference file is now stored in data/cache/sessionpurge and is used to
check if user sessions are still valid.

To accomondat

invalidate all user session cache when userdatabase is changed FS#1085

A reference file is now stored in data/cache/sessionpurge and is used to
check if user sessions are still valid.

To accomondate for slow auth backends DokuWiki caches user info for
a certain time in the user session.

darcs-hash:20080215114923-7ad00-6874d5211efce7d07e54de37244becc2387c1ba7.gz

show more ...

make sure not supported profile fields are not accepted FS#1329

darcs-hash:20080213214505-7ad00-8ff1974ccbab38168f95072faaeb53134f95b926.gz