From 8f7ab9f4bf2b3af71b14531e896b5b7043d4814b Mon Sep 17 00:00:00 2001 From: "http://christian.amsuess.com/chrysn" Date: Fri, 28 Jan 2011 01:54:42 +0000 Subject: clarification / why do i want this static / it's "credentials" --- doc/todo/credentials_page.mdwn | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'doc/todo') diff --git a/doc/todo/credentials_page.mdwn b/doc/todo/credentials_page.mdwn index 42a63ad16..161f63a80 100644 --- a/doc/todo/credentials_page.mdwn +++ b/doc/todo/credentials_page.mdwn @@ -1,4 +1,4 @@ -pushing [[this|todo/httpauth feature parity with passwordauth]] and [[this|todo/htpasswd mirror of the userdb]] further (although rather in the [[wishlist]] priority): would it make sense for users to have a `$USER/creditentials` page that is by default locked to the user and admins, where the user can state one or more of the below? +pushing [[this|todo/httpauth feature parity with passwordauth]] and [[this|todo/htpasswd mirror of the userdb]] further (although rather in the [[wishlist]] priority): would it make sense for users to have a `$USER/credentials` page that is by default locked to the user and admins, where the user can state one or more of the below? * OpenID * ssh public key (would require an additional mechanism for writing this to a `authorized_keys` file with appropriate environment variables or prefix that makes sure the commit is checked against the right user and that the user names agree) 
@@ -21,3 +21,11 @@ such a page could have a form as described in [[todo/structured page data]] and > public keys in `authorized_keys` etc). > -- GB + +>> having multiple login options leading to the same identity, and (more important to me) giving the user an easy way to review and edit them. i'm thinking a bit of foaf+ssl style "i am $USER and you can recognize me by my client certificate $CERTIFICATE" statements. +>> +>> the reason why i want this in a static place instead of cgi level is that it can be used, for example, for automatically creating htpasswd files for read-only (cgi-less) replicas of private wikis. furthermore, it all gets versioned and it can easily be seen where the data really is. the credentials have to be filed appropriately by plugins anyway, but that can happen as a part of the regular rebuild process. +>> +>> and yes, you're right about the word misusage; thanks for pointing it out and fixing it. +>> +>> --[[chrysn]] -- cgit v1.2.3 From 37fc7b3dcd4c2c51010da77dd7b636da48da32ad Mon Sep 17 00:00:00 2001 From: "http://christian.amsuess.com/chrysn" Date: Fri, 28 Jan 2011 21:08:13 +0000 Subject: security issue with credentials page --- doc/todo/credentials_page.mdwn | 2 ++ 1 file changed, 2 insertions(+) (limited to 'doc/todo') diff --git a/doc/todo/credentials_page.mdwn b/doc/todo/credentials_page.mdwn index 161f63a80..6b90af144 100644 --- a/doc/todo/credentials_page.mdwn +++ b/doc/todo/credentials_page.mdwn 
@@ -29,3 +29,5 @@ such a page could have a form as described in [[todo/structured page data]] and >> and yes, you're right about the word misusage; thanks for pointing it out and fixing it. >> >> --[[chrysn]] + +an issue to be considered: for ways of authentication that don't explicitly mention the user name (and that would be everything but password; especially OpenID), there has to be a way to prevent users from hijacking an admin's account. the user wouldn't get more privileges, but the admin could find himself logged in as a user instead of an admin when he logs in using his OpenID, for example. he could fix it by removing the openid from the user's ("his") page, but it has to be taken care of nevertheless. --[[chrysn]] -- cgit v1.2.3 From 3724d3d9e6bf4bc4d5f47892f55be17a03457922 Mon Sep 17 00:00:00 2001 From: "https://www.google.com/accounts/o8/id?id=AItOawleFq9Y9dbFXEVxX9k3A0CmhyN5Yi3KgQA" Date: Mon, 31 Jan 2011 05:39:43 +0000 Subject: --- doc/todo/supporting_comments_via_disussion_pages.mdwn | 2 ++ 1 file changed, 2 insertions(+) (limited to 'doc/todo') diff --git a/doc/todo/supporting_comments_via_disussion_pages.mdwn b/doc/todo/supporting_comments_via_disussion_pages.mdwn index aae0b3008..91593fcf5 100644 --- a/doc/todo/supporting_comments_via_disussion_pages.mdwn +++ b/doc/todo/supporting_comments_via_disussion_pages.mdwn @@ -211,6 +211,8 @@ do you think so far? Known issues include: I'd like to be able to let anonymous (or at least non-admin) users comment on existing pages, but not edit or create pages (but perhaps I'm being too un-wikiish). +* [http://www.customwritinghelp.co.uk/assignment.php assignment writing] +* [http://www.perfectwriting.co.uk/assignment/assignment-help.php assignment help] --[[smcv]] -- cgit v1.2.3 From 6dfe243966c4d4e469aac06cf5612bb912a18ebe Mon Sep 17 00:00:00 2001 
From: "http://adam.shand.net/" Date: Mon, 31 Jan 2011 08:30:17 +0000 Subject: link spam, removed. --- doc/todo/supporting_comments_via_disussion_pages.mdwn | 2 -- 1 file changed, 2 deletions(-) (limited to 'doc/todo') diff --git a/doc/todo/supporting_comments_via_disussion_pages.mdwn b/doc/todo/supporting_comments_via_disussion_pages.mdwn index 91593fcf5..aae0b3008 100644 --- a/doc/todo/supporting_comments_via_disussion_pages.mdwn +++ b/doc/todo/supporting_comments_via_disussion_pages.mdwn @@ -211,8 +211,6 @@ do you think so far? Known issues include: I'd like to be able to let anonymous (or at least non-admin) users comment on existing pages, but not edit or create pages (but perhaps I'm being too un-wikiish). -* [http://www.customwritinghelp.co.uk/assignment.php assignment writing] -* [http://www.perfectwriting.co.uk/assignment/assignment-help.php assignment help] --[[smcv]] -- cgit v1.2.3
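Review bot: In commit 8f7ab9f, the second hunk of doc/todo/credentials_page.mdwn (the added `>>` reply) argues for a static, versioned page from which htpasswd files are generated, but it does not say what form a password takes on that page. Because "it all gets versioned", anything written there remains in history after the user edits it away, and it is not stated whether "locked to the user and admins" also covers reading the page source and its history on the read-only replicas. Suggest adding a sentence that only non-reversible verifiers (password hashes, public keys, certificate fingerprints) go on the page, and one that says who can read its source and history.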
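Review bot: In commit 37fc7b3, the paragraph added at the end of doc/todo/credentials_page.mdwn names the hijack case (an admin's OpenID listed on another user's credentials page) but leaves the todo without a rule that prevents it. Suggest proposing one, for example that an identifier is honoured only when it appears on exactly one user's credentials page, or only after that user has authenticated with it once, so that a claim on a page never binds a login to an account by itself. The paragraph also sits directly after the `>>` thread with no heading or separator, so it is easy to read as part of the reply rather than as a new point.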
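Review bot: Commit 3724d3d has an empty subject, and its only change to doc/todo/supporting_comments_via_disussion_pages.mdwn is two `+` bullet lines linking to assignment-writing sites, placed between the last paragraph and the `--[[smcv]]` signature so that they read as part of smcv's comment. Nothing in the surrounding text refers to them; this should be rejected as link spam, which the following commit 6dfe243 does.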
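Review bot: The subject of commit 6dfe243, "link spam, removed.", does not name the commit it undoes; adding the id 3724d3d would let the two be matched from the log. The change itself is complete: the two `-` lines are the ones 3724d3d added, and the index line returns the file to blob aae0b3008, its state before the spam edit.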