<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<meta http-equiv="Content-Type" content="$HTMLDocType" />
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>CoolCleveland.com - PmWiki - Passwords Admin</title>
<link href='https://wiki.coolcleveland.com/wiki/pub/skins/triad/css/pm-core.css' rel='stylesheet' type='text/css' />
<!--HTMLHeader--><style type='text/css'><!--
span.anchor {
float: left;
font-size: 10px;
margin-left: -10px;
width: 10px;
position:relative; top:-0.1em;
text-align: center;
}
span.anchor a { text-decoration: none; }
span.anchor a:hover { text-decoration: underline; }
ol.toc { text-indent:-20px; list-style: none; }
ol.toc ol.toc { text-indent:-40px; }
div.tocfloat { font-size: smaller; margin-bottom: 10px;
border-top: 1px dotted #555555; border-bottom: 1px dotted #555555;
padding-top: 5px; padding-bottom: 5px;
width: 38%; float: right; margin-left: 10px; clear: right;
margin-right:-13px; padding-right: 13px; padding-left: 13px;
background-color: #eeeeee; }
div.toc { font-size: smaller;
padding: 4px; border: 1px dotted #cccccc;
background: #f7f7f7;
margin-bottom: 10px; }
#left-box { width: 170px; }
#right-box { width: 170px; }
--></style><script type="text/javascript">
function toggle(obj) {
var elstyle = document.getElementById(obj).style;
var text = document.getElementById(obj + "tog");
if (elstyle.display == 'none') {
elstyle.display = 'block';
text.innerHTML = "hide";
} else {
elstyle.display = 'none';
text.innerHTML = "show";
}
}
</script> <meta name='robots' content='noindex,nofollow' />
<script type='text/javascript' >
var fontSizeDefault = 90;
var increment = 10;
var cookieName = 'setfontsize';
var fsLabel = 'Text Size';
var fsBigger = 'bigger';
var fsNormal = 'default';
var fsSmaller = 'smaller';
</script>
<script type='text/javascript' src='https://wiki.coolcleveland.com/wiki/pub/skins/triad/fontsizer.js'></script>
<script type='text/javascript' >
var toggleCookies = '1';
var lcookie = 'triad_setLshow';
var rcookie = 'triad_setRshow';
var lshow = '1';
var rshow = '1';
var show = 'Show';
var hide = 'Hide';
var lwidth = '170px';
var rwidth = '170px';
</script>
<script type='text/javascript' src='https://wiki.coolcleveland.com/wiki/pub/skins/triad/togglebars.js'></script>
<link href='https://wiki.coolcleveland.com/wiki/pub/skins/triad/css/layout-triad.css' rel='stylesheet' type='text/css' />
<link href='https://wiki.coolcleveland.com/wiki/pub/skins/triad/css/layout-main.css' rel='stylesheet' type='text/css' />
<link href='https://wiki.coolcleveland.com/wiki/pub/skins/triad/css/layout-print.css' rel='stylesheet' type='text/css' media='print' />
<link href='https://wiki.coolcleveland.com/wiki/pub/skins/triad/css/font-verdana.css' rel='stylesheet' type='text/css' media='screen' />
<link href='https://wiki.coolcleveland.com/wiki/pub/skins/triad/css/c-white.css' rel='stylesheet' type='text/css' media='screen' />
<script type="text/javascript" src="https://wiki.coolcleveland.com/wiki/pub/js/coolcleveland.js"></script>
<link rel="stylesheet" href="https://wiki.coolcleveland.com/wiki/pub/css/user_management.css" type="text/css" />
</head>
<body >
<script type='text/javascript' ><!--
document.cookie = 'javascript=1; path=/';
if (fontSize) { fontSize.fontSizeInit();}
// document.write("<a href='#'></a >");
--></script>
<table id="outer-box" border="0" cellspacing="0" cellpadding="0" >
<tr>
<td id="header-box" colspan="3" valign="top">
<!--PageHeaderFmt-->
<div id='header' class='pageheader'><div class='rfloat' >
<form class='wikisearch' action='https://wiki.coolcleveland.com/wiki/PmWiki/PasswordsAdmin' method='get'><div><input type='text' name='q' value='Search' class='inputbox searchbox' size='18'
onfocus="preval=this.value; this.value=''; " /> <input type='submit' class='inputbutton searchbutton' value='Go' /><input type='hidden' name='focus' value='on' /><input type='hidden' name='action' value='search' /></div></form> <span style='font-size:83%'>
<script type='text/javascript' >
<!--
if (fsinit==1) document.write(fontSize.allLinks);
else if (fontSize) {
fontSize.fontSizeInit();
document.write(fontSize.allLinks); }
--></script>
</span>
</div><div class='lfloat' >
<p><span style='color: maroon;'><big><strong><a style='color: maroon' class='wikilink' href='https://wiki.coolcleveland.com/wiki/Sandbox/HomePage'>CoolCleveland Sandbox</a></strong></big></span>
</p></div>
<div class="clearer"><!-- this is a clearer div --></div>
</div>
<!--/PageHeaderFmt-->
<!--PageTopMenuFmt-->
<div id="topnavbox">
<div id="topnav" class="nav">
<div id="toggleleft">
<script type='text/javascript' ><!--
if (toggleLeft) document.write("<input name='lb' type='button' class='togglebox' value='Hide ↓' onclick='toggleLeft()' />")
--></script>
</div>
<div id="toggleright"><script type='text/javascript' ><!--
if (toggleRight) document.write("<input name='rb' type='button' class='togglebox' value='↓ Hide' onclick='toggleRight()' />")
--></script>
</div>
<div class='lnav' >
</div>
<div class='rnav' >
<ul><li><big><a accesskey='e' rel='nofollow' class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/PasswordsAdmin?action=edit'>Edit</a></big>
</li><li><big><a accesskey='ak_htmlt' rel='nofollow' class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/PasswordsAdmin?type=htmlsource'>HTML</a></big>
</li><li><big><a accesskey='ak_attr' rel='nofollow' class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/PasswordsAdmin?action=attr'>Attr</a></big>
</li><li><big><a accesskey='ak_attr' rel='nofollow' class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/GroupAttributes?action=attr'>GroupAttr</a></big>
</li><li><big><a accesskey='h' rel='nofollow' class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/PasswordsAdmin?action=diff'>History</a></big>
</li><li><big><a accesskey='c' class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/RecentChanges'>Recent Changes</a></big>
</li></ul></div>
</div></div>
<!--/PageTopMenuFmt-->
</td>
</tr>
<tr>
<!--PageLeftFmt-->
<td id="left-box" valign="top">
<div id='sidebar'>
<div id='sidebarpage'><p><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Sandbox/Admin'>Sandbox Admin</a><br /><br />
<strong><span style='font-size:144%'><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Sandbox/ThomasMulready'>TM</a></span></strong><br /><br /><br />
<strong><span style='font-size:144%'><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Sandbox/Podcasts'>PODCASTS</a></span></strong><br /><br /><br />
<strong><span style='font-size:144%'><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Sandbox/Jenna'>Jenna</a></span></strong><br /><br /><br />
<strong><span style='font-size:144%'><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Sandbox/Stephan'>Stephan</a></span></strong><br /><br /><br />
<strong><span style='font-size:144%'><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Sandbox/ThomasMulreadyAds'>ADS</a></span></strong><br /><br /><br />
<strong><span style='font-size:144%'><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Sandbox/NewsletterSandbox'>ISSUES</a></span></strong><br /><br /><br />
<strong><span style='font-size:144%'><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Sandbox/CurrentIndex'>CURRENT</a></span></strong><br /><br /><br /><br />
</p>
<p class='vspace'><span style='font-size:69%'><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Site/SideBar?action=edit'>Edit this Menu</a></span>
</p>
</div>
<div id="sidebarfooter">
<p><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/TriadSkin'>TriadSkin</a><br />powered by <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/PmWiki'>PmWiki</a>
</p>
</div>
</div>
</td><!-- end div left -->
<!--/PageLeftFmt-->
<td id="center-box" valign="top">
<div id="contentbox">
<!--PageTitleFmt-->
<div id= 'titlebarbox'>
<div id='titlebar' >
<div class='pagegroup' >
<p><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/PmWiki'>PmWiki</a>
</p></div><div class='pagetitle' style='text-align: center;' >
<h1></h1>
</div>
</div>
</div>
<!--/PageTitleFmt-->
<div id='content'>
<!--PageText-->
<div id='wikitext'>
<p>
<a name='trailstart' id='trailstart'></a>
</p><div style='clear:right; float:right; font-size:smaller; background-color:#eee;' >
<p><span class='wikitrail'>< <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Notify'>Notify</a> | <a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/Documentation?action=edit'>index(#trailstart#trailend)|+</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Documentation?action=edit'>?</a> | <a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/Ref?action=edit'>count</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Ref?action=edit'>?</a> ></span>
</p></div>
<div style='clear:right;' ><span class='frame rfloat' style='font-size: smaller; background-color: #ffffcc; clear: right;'>administrators (basic) </span>
</div>
<p><span class="wikiword"><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/PmWiki'>Pm Wiki</a></span> has built-in support for <a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/PasswordsPassword-protecting?action=edit'>Passwords|password-protecting</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/PasswordsPassword-protecting?action=edit'>?</a> various areas of the wiki site. Passwords can be applied to individual pages, to <a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/Wiki?action=edit'>Groups</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Wiki?action=edit'>?</a>, or to the entire wiki site. Note that the password protection mechanisms described here are only a small part of overall system (and wiki) security, see <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Security'>PmWiki.Security</a> for more discussion of this.
</p>
<p class='vspace'>Authors can use <span class="wikiword">Pm Wiki</span> to add passwords to individual pages and <span class="wikiword"><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/WikiGroups'>Wiki Groups</a></span> as described in <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Passwords'>Passwords</a>. However, <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/WikiAdministrator'>WikiAdministrators</a> can also set passwords in <em>local/config.php</em> as described below. (Please note that one cannot set passwords reliably in per group or per page customization files. See the <a href='#faq'>| FAQ section</a> for details.)
</p>
<p class='vspace'><a name='authlevel' id='authlevel'></a>
</p><h2>Password basics</h2>
<p><span class="wikiword">Pm Wiki</span> supports several levels of access to wiki pages, known as authorisation level:
</p><ul><li><strong><code>read</code></strong> passwords allow viewing the contents of wiki pages
</li><li><strong><code>edit</code></strong> passwords control editing and modification of wiki pages (effective against <a class='categorylink' href='https://wiki.coolcleveland.com/wiki/Category/Spam'>spam</a>)
</li><li><strong><code>attr</code></strong> passwords control who is able to set passwords on pages (and potentially other future attributes)
</li><li><strong><code>upload</code></strong> password, if uploads are enabled, controls uploading of files and attachments
</li><li>in addition all <a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/Available?action=edit'>actions</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Available?action=edit'>?</a> can be password authorised
</li><li><strong><code>admin</code></strong> password allows an administrator to override the passwords set for any individual page or group.
</li></ul><p class='vspace'>By default, <span class="wikiword">Pm Wiki</span> has the following password settings:
</p><ul><li>The <code>admin</code> and <code>upload</code> passwords are locked by default.
</li><li>The Main and <span class="wikiword">Pm Wiki</span> groups have a locked <code>attr</code> password (in their respective GroupAttributes pages).
</li><li>The pages in the Site group except Site.SideBar are locked against editing; by default the <span class="wikiword"><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Site/SideBar'>Site.Side Bar</a></span> page requires the admin or the site-wide edit password.
</li></ul><p class='vspace'>An <code>admin</code> password can be used to overcome "locked" passwords, other than that, no password will allow access.
</p>
<p class='vspace'>See <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Passwords'>Passwords</a> for information about setting per-page and per-group passwords.
The remainder of this page describes setting site-wide passwords from the <em>local/config.php</em> file.
</p>
<p class='vspace'><a name='settingsitewidepasswords' id='settingsitewidepasswords'></a>
</p><h2>Setting site-wide passwords</h2>
<p>One of the first things an admin should do is set an <code>admin</code> password for the site. This is done via a line like the following in the <em>local/config.php</em> file:
</p>
<div class='vspace'></div><div class='indent'><a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#DefaultPasswords'><code class='varlink'>$DefaultPasswords</code></a>['admin'] = pmcrypt('secret_password');
</div><p class='vspace'>Note that the pmcrypt() call is required for this -- <span class="wikiword">Pm Wiki</span> stores and processes all passwords internally as encrypted strings. <span style='font-style: italic; color: green;'> See the <a style='color: green' href='#crypt'>| crypt section</a> below for details about eliminating the cleartext password from the configuration file.</span>
</p>
<p class='vspace'>To set the entire site to be editable only by those who know an "edit" password, add a line like the following to <em>local/config.php</em>:
</p>
<div class='vspace'></div><div class='indent'><a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#DefaultPasswords'><code class='varlink'>$DefaultPasswords</code></a>['edit'] = pmcrypt('edit_password');
</div><p class='vspace'>Similarly, you can set a password for any <a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/Available?action=edit'>action(s)</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Available?action=edit'>?</a>, via <code class='escaped'>$DefaultPasswords['read']</code>, <code class='escaped'>$DefaultPasswords['edit']</code>, and <code class='escaped'>$DefaultPasswords['upload']</code> to control default <code>read</code>, <code>edit</code>, and <code>upload</code> passwords for the entire site. The default passwords are used for pages and groups which do not have passwords set, and as additional passwords for pages and groups which do have passwords set. Also, each of the <a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#DefaultPasswords'><code class='varlink'>$DefaultPasswords</code></a> values may be arrays of encrypted passwords:
</p>
<div class='vspace'></div><div class='indent'><a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#DefaultPasswords'><code class='varlink'>$DefaultPasswords</code></a>['read'] = array(pmcrypt('alpha'), pmcrypt('beta'));
</div><div class='indent'><a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#DefaultPasswords'><code class='varlink'>$DefaultPasswords</code></a>['edit'] = pmcrypt('beta');
</div><p class='vspace'>This says that either "alpha" or "beta" can be used to read pages, but only the "beta" password will allow someone to edit a page. Since <span class="wikiword">Pm Wiki</span> remembers any passwords entered during the current session, the "beta" password will allow both reading and writing of pages, while the "alpha" password allows reading only. A person without either password would be unable to view pages at all.
</p>
<p class='vspace'>To lock an action so that only admins can perform it, use <code>'@lock'</code> as the value, without <code>pmcrypt</code>:
</p>
<div class='vspace'></div><div class='indent'><a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#DefaultPasswords'><code class='varlink'>$DefaultPasswords</code></a>['edit'] = '@lock';
</div><div class='vspace'></div><h2>Setting passwords by reference</h2>
<p><span style='font-style: italic; color: green;'> This is an unintended feature.</span>
</p>
<p class='vspace'>Setting passwords by reference allows you to change the password for a whole set of pages as easily as you can change site-wide passwords. (Otherwise you would have to update each page's attributes individually.) Enter in the or :
</p><div class='indent'> @_site_MyLevel2
</div><p class='vspace'>And in the local configuration file set the actual password with lines like this:
</p><div class='indent'> <a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#DefaultPasswords'><code class='varlink'>$DefaultPasswords</code></a>['<span class="wikiword"><a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/MyLevel2?action=edit'>My Level 2</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/MyLevel2?action=edit'>?</a></span>'] = array(pmcrypt('secret'), '@admins');
</div><div class='indent'> <a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#DefaultPasswords'><code class='varlink'>$DefaultPasswords</code></a>['<span class="wikiword"><a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/MyLevel9?action=edit'>My Level 9</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/MyLevel9?action=edit'>?</a></span>'] = array('$1$NuBV/Mcc$GG3J60h.<span class="wikiword"><a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/TLczUTRKhoVPM?action=edit'>T Lcz UTR Kho VPM</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/TLczUTRKhoVPM?action=edit'>?</a></span>.');
</div><p class='vspace'>Note that passwords set by reference in a configuration file currently can not be used as a site-wide default. However, you could explicitly specify your @_site_level at the group level for every group to achieve the same effect. Once specified as a group attribute, the password applies to all pages in the group unless overridden, just like any other password.
</p>
<div class='vspace'></div><h2>Identity-based authorization (username/password logins, <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/AuthUser'>AuthUser</a>)</h2>
<p>Unlike many systems which have <strong>identity-based</strong> systems for controlling access to pages (e.g., using a separate <em>username</em> and <em>password</em> for each person), <span class="wikiword">Pm Wiki</span> defaults to a <em>password-based</em> system as described above. In general password-based systems are often easier to maintain because they avoid the administrative overheads of creating user accounts, recovering lost passwords, and mapping usernames to permitted actions.
</p>
<p class='vspace'>However, <span class="wikiword">Pm Wiki</span>'s <em>authuser.php</em> script augments the password-based system to allow access to pages based on a username and password combination. See <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/AuthUser'>AuthUser</a> for more details on controlling access to pages based on user identity.
</p>
<div class='vspace'></div><h2>Security holes ...</h2>
<p>Administrators need to carefully plan where passwords are applied to avoid opening inadvertent security holes. If your wiki is open (anyone can read and edit), this would not seem to be a concern, <strong>except</strong>, a malicious or confused user could apply a read password to a group and make the group completely unavailable to all other users. At the very least, even an open wiki should have a site-wide "admin" password and a site-wide "attr" password set in config.php. The <em>sample-config.php</em> file distributed with <span class="wikiword">Pm Wiki</span> indicates that the <span class="wikiword">Pm Wiki</span> and Main groups have "attr" locked by default, but if anyone creates a new group, "attr" is unlocked. Administrators must remember to set "attr" passwords for each new group (if desired) in this case. An easier solution is to include these lines in <em>config.php</em> :
</p>
<div class='vspace'></div><div class='indent'><pre class='escaped'>
$DefaultPasswords['admin'] = pmcrypt('youradminpassword');
$DefaultPasswords['attr'] = pmcrypt('yourattrpassword');
</pre>
</div><div class='vspace'></div><h2>Encrypting passwords in <em>config.php</em> <a name='crypt' id='crypt'></a></h2>
<p>One drawback to using the pmcrypt() function directly to set passwords in <em>config.php</em> is that anyone able to view the file will see the unencrypted password. For example, if <em>config.php</em> contains
</p>
<div class='vspace'></div><div class='indent'><a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#DefaultPasswords'><code class='varlink'>$DefaultPasswords</code></a>['admin'] = pmcrypt('mysecret');
</div><p class='vspace'>then the "mysecret" password is in plain text for others to see. However, a wiki administrator can obtain and use an encrypted form of the password directly by using <code class='escaped'>?action=crypt</code> on any <span class="wikiword">Pm Wiki</span> url on the target wiki (or just jump to <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/PasswordsAdmin?action=crypt'>PasswordsAdmin?action=crypt</a> on your own wiki). This action presents a form that generates encrypted versions of passwords for use in the <em>config.php</em> file. For example, when <code class='escaped'>?action=crypt</code> is given the password "<code>mysecret</code>", <span class="wikiword">Pm Wiki</span> will return a string like
</p>
<div class='vspace'></div><div class='indent'><code class='escaped'>$1$hMMhCdfT$mZSCh.BJOidMRn4SOUUSi1</code>
</div><p class='vspace'>The string returned from <code class='escaped'>?action=crypt</code> can then be placed directly into config.php, as in:
</p>
<div class='vspace'></div><div class='indent'><a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#DefaultPasswords'><code class='varlink'>$DefaultPasswords</code></a>['admin'] = '$1$hMMhCdfT$mZSCh.BJOidMRn4SOUUSi1';
</div><p class='vspace'>Note that in the encrypted form the <em>pmcrypt</em> function and parentheses are removed, since the password is already encrypted. Also, the encrypted password must be in single quotes. In this example the password is still "<code>mysecret</code>", but somebody looking at <em>config.php</em> won't be able to see that just from looking at the encrypted form. <em>?action=crypt</em> may give you different encryptions for the same password--this is normal (and makes it harder for someone else to determine the original password).
</p>
<p class='vspace'>Please note that the encrypted password should be created with ?action=crypt on the wiki that will use it. A password encrypted on one system may or may not be usable on another.
</p>
<div class='vspace'></div><h2>Removing passwords</h2>
<p>To remove a site password entirely, such as the default locked password for uploads, just set it to empty:
</p>
<div class='vspace'></div><div class='indent'><a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#DefaultPasswords'><code class='varlink'>$DefaultPasswords</code></a>['upload'] = '';
</div><p class='vspace'>You can also use the special password "@nopass" via <code>?action=attr</code> to have a non-password protected page within a password-protected group, or a non-password protected group with a site-wide default password set.
</p>
<div class='vspace'></div><h2>Revoking or invalidating passwords</h2>
<p>If a password is compromised and the wiki administrator wants to quickly invalidate all uses of that password on a site, a quick solution is the following in <em>local/config.php</em>:
</p>
<div class='vspace'></div><div class='indent'><pre class='escaped'>
$ForbiddenPasswords = array('secret', 'tanstaafl');
if (in_array(@$_POST['authpw'], $ForbiddenPasswords))
unset($_POST['authpw']);
</pre>
</div><p class='vspace'>This prevents "secret" and "tanstaafl" from ever being accepted as a
valid authorization password, regardless of what pages may be
using it.
</p>
<div class='vspace'></div><h2>See Also</h2>
<ul><li>The <a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#HandleAuth'><code class='varlink'>$HandleAuth</code></a> array, which sets the required authentication level that is necessary to perform an action.
</li><li><a class='urllink' href='http://www.pmwiki.org/wiki/Cookbook/RequireAuthor' rel='nofollow'>Cookbook:RequireAuthor</a>
</li></ul><p class='vspace'><a name='protectingactions' id='protectingactions'></a>
</p><h2>Protecting actions (example)</h2>
<p>Each <a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/Available?action=edit'>action(s)</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Available?action=edit'>?</a> can be password protected. Cookbook authors providing scripts with own actions can use this also, but I'll limit the example to a (by default) not protected <code class='escaped'>?action=source</code>. This action shows the wikisource of the actual page. Sometimes you don't want that especially to <a class='urllink' href='http://www.pmwiki.org/wiki/Cookbook/protect' rel='nofollow'>email</a> or when using some <a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/Conditional?action=edit'>markup</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Conditional?action=edit'>?</a> which should not be discovered easily or only by persons that are allowed to edit the page.
</p>
<p class='vspace'>There are several solutions for that:
</p><ol><li>Limit "source" only to editors add the following to your <em>local/config.php</em>:
<div class='vspace'></div><div class='indent'><code class='escaped'>$HandleAuth['source'] ='edit';</code>
</div><div class='vspace'></div></li><li>For using "source" with an own password, then add:
<div class='vspace'></div><div class='indent'><code class='escaped'>$HandleAuth['source'] ='source';</code>
</div><div class='indent'><code class='escaped'>$DefaultPasswords['source'] = pmcrypt('secret');</code> # <em>see above</em>
</div></li></ol><p class='vspace'>If you additionally want to set the password in the attributes page add:
</p>
<div class='vspace'></div><dl><dd><div class='indent'><code class='escaped'>$PageAttributes['passwdsource'] = "$['Set new source password']";</code>
</div></dd></dl><p class='vspace'>In general, adding the prefix 'passwd' to an action name in the <code class='escaped'>$PageAttributes</code> array indicates that you wish for the given field to be encrypted when saved to disk.
</p>
<p class='vspace'>The full set of steps to add new password handling for an action such as "diff" would be:
</p>
<div class='vspace'></div><div class='indent'><pre class='escaped'>
# add a new (encrypted) field to the attr page
$PageAttributes['passwddiff'] = '$[Set new history password:]';
# clear the default password for 'diff'
$DefaultPasswords['diff'] = '';
# Tell PmWiki that the 'diff' password allows action 'diff'.
$HandleAuth['diff'] = 'diff';
# Tell PmWiki that a 'read' password
# (or optionally the 'edit') password
# is also sufficient to enable 'diff'.
# Of course, the 'admin' password will work too.
$AuthCascade['diff'] = 'read'; ## or 'edit'
</pre>
</div><div class='vspace'></div><div class='faq' > <a name='faq' id='faq'></a>
<p class='vspace question'> There seems to be a default password. What is it? <a name='pwlocked' id='pwlocked'></a></p>
<p> There isn't any valid password until you set one. <a href='#settingsitewidepasswordsPasswords'>admin</a> describes how to set one.
</p>
<p class='vspace'><span class="wikiword">Pm Wiki</span> comes "out of the box" with <a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#DefaultPasswords'><code class='varlink'>$DefaultPasswords</code></a>['admin'] set to '*'. This doesn't mean the password is an asterisk, it means that default admin password has to be something that encrypts to an asterisk. Since it's impossible for the pmcrypt() function to ever return a 1-character encrypted value, the admin password is effectively locked until the admin sets one in config.php.
</p>
<p class='vspace question'> How do I use passwd-formatted files (like .htpasswd) for authentication?</p>
<p> See <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/AuthUser'>AuthUser</a>, <a class='urllink' href='http://www.pmwiki.org/wiki/Cookbook/HtpasswdForm' rel='nofollow'>Cookbook:HtpasswdForm</a> or <a class='urllink' href='http://www.pmwiki.org/wiki/Cookbook/UserAuth2' rel='nofollow'>Cookbook:UserAuth2</a>.
</p>
<p class='vspace question'> Is there anything I can enter in a <span class="wikiword"><a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/GroupAttributes?action=edit'>Group Attributes</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/GroupAttributes?action=edit'>?</a></span> field to say 'same as the admin password'? If not, is there anything I can put into the config.php file to have the same effect?</p>
<p class='vspace'> Enter '@lock' in <span class="wikiword"><a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/GroupAttributes?action=edit'>Group Attributes</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/GroupAttributes?action=edit'>?</a></span>?action=attr to require an admin password for that group.
</p>
<p class='vspace question'> How do I edit protect, say, all <span class="wikiword"><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/RecentChanges'>Recent Changes</a></span> pages?</p>
<p> see <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Security#wikivandalism'>Security#wikivandalism</a>.
</p>
<p class='vspace question'> How can I read password protect all pages in a group except the <span class="wikiword"><a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/HomePage?action=edit'>Home Page</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/HomePage?action=edit'>?</a></span> using configuration files?</p>
<p class='vspace'> As described in <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/GroupCustomizations'>PmWiki.GroupCustomizations</a> per-group or per-page configuration files should not be used for defining passwords. The reason is that per-group (or per-page) customization files are only loaded for the current page. So, if <code>$DefaultPasswords['read']</code> is set in <em>local/<span class="wikiword"><a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/GroupA?action=edit'>Group A</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/GroupA?action=edit'>?</a></span>.php</em>, then someone could use a page in another group to view the contents of pages in <span class="wikiword"><a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/GroupA?action=edit'>Group A</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/GroupA?action=edit'>?</a></span>. For example, <span class="wikiword"><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Main/WikiSandbox'>Main.Wiki Sandbox</a></span> could contain:
</p>
<div class='vspace'></div><dl><dd><div class='indent'>(:include GroupA.SomePage:)
</div></dd></dl><p class='vspace'>and because the <em><span class="wikiword"><a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/GroupA?action=edit'>Group A</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/GroupA?action=edit'>?</a></span>.php</em> file wasn't loaded (we're looking at <span class="wikiword"><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Main/WikiSandbox'>Main.Wiki Sandbox</a></span> --> <em>local/Main.php</em>), there's no read password set.
</p>
<p class='vspace question'> How can I password protect the creation of new pages?</p>
<p> See <a class='urllink' href='http://www.pmwiki.org/wiki/Cookbook/LimitWikiGroups' rel='nofollow'>Cookbook:LimitWikiGroups</a>, <a class='urllink' href='http://www.pmwiki.org/wiki/Cookbook/NewGroupWarning' rel='nofollow'>Cookbook:NewGroupWarning</a>, <a class='urllink' href='http://www.pmwiki.org/wiki/Cookbook/LimitNewPagesInWikiGroups' rel='nofollow'>Cookbook:LimitNewPagesInWikiGroups</a>.
</p>
<p class='vspace question'> How do I change the password prompt screen?</p>
<p> If your question is about how to make changes to that page... edit <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Site/AuthForm'>Site.AuthForm</a>. If your question is about how to change which page you are sent to when prompted for a password, you might check out the <a class='urllink' href='http://www.pmwiki.org/wiki/Cookbook/CustomAuthForm' rel='nofollow'>Cookbook:CustomAuthForm</a> for help.
</p>
<p class='vspace question'> How do I change the prompt on the attributes (<code>?action=attr</code>) screen?</p>
<p> Simply create a new page at <a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/Site/AttrForm?action=edit'>Site.AttrForm</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/Site/AttrForm?action=edit'>?</a>, and add the following line of code to <code>config.php</code>:
</p><dl><dd><div class='indent'><code>$PageAttrFmt = 'page:<span class="wikiword"><a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/Site/AttrForm?action=edit'>Site.Attr Form</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/Site/AttrForm?action=edit'>?</a></span>';</code>
</div></dd></dl><p class='vspace'>Note that this only changes the text above the password inputs on the attributes page, but doesn't change the inputs themselves - the inputs have to be dealt with separately. See <a class='urllink' href='http://www.pmwiki.org/wiki/Cookbook/CustomAttrForm' rel='nofollow'>Cookbook:CustomAttrForm</a> for more info.
</p>
<p class='vspace question'> I get http error 500 "Internal Server Error" when I try to log in. What's wrong?</p>
<p> This can happen if the encrypted passwords are not created on the web server that hosts the <span class="wikiword">Pm Wiki</span>.<br />The crypt function changed during the PHP development, e.g. a password encrypted with PHP 5.2 can not be decrypted in PHP 5.1, but PHP 5.2 can decrypt passwords created by PHP 5.1.<br />This situation normally happens if you prepare everything on your local machine with the latest PHP version and you upload the passwords to a webserver which is running an older version.<br />The same error occurs when you add encrypted passwords to local/config.php.
</p>
<p class='vspace'>Solution: Create the passwords on the system with the oldest PHP version and use them on all other systems.
</p>
<p class='vspace question'> I only want users to have to create an 'edit' password, which is automatically used for their 'upload' & 'attr' passwords (without them having to set those independently). How do I do this?</p>
<p> By setting <code class='escaped'>$HandleAuth</code> like so:
</p><pre> <a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#HandleAuth'><code class='varlink'>$HandleAuth</code></a>['upload'] = 'edit';
// And to prevent a <span class="wikiword"><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/WikiSandbox'>Wiki Sandbox</a></span> from having it's 'attr' permissions changed
// except by the admin (but allowing editors to change it on their own pages/group)
if(($group=="Site") || ($group=="Main") || ($group=="Category") ||
($group=="<span class="wikiword"><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/SiteAdmin/SiteAdmin'>Site Admin</a></span>") || ($group=="<span class="wikiword">Pm Wiki</span>") ) {
<a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#HandleAuth'><code class='varlink'>$HandleAuth</code></a>['attr'] = 'admin'; // for all main admin pages, set 'attr' to 'admin' password
} else {
<a class='varlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/SecurityVariables#HandleAuth'><code class='varlink'>$HandleAuth</code></a>['attr'] = 'edit'; // if you can edit, then you can set attr
}
</pre><p class='vspace'>
</p></div><div style='clear:right; float:right; font-size:smaller; background-color:#eee;' >
<p><span class='wikitrail'>< <a class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Notify'>Notify</a> | <a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/Documentation?action=edit'>index(#trailstart#trailend)|+</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Documentation?action=edit'>?</a> | <a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/Ref?action=edit'>count</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/Ref?action=edit'>?</a> ></span>
</p></div>
<p><a name='trailend' id='trailend'></a>
<a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/PmWiki/LtLt?action=edit'><<</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/PmWiki/LtLt?action=edit'>?</a>
</p><div style='background-color: #ffe; border-top: 1px solid black; font-size: .8em;' >
<p>This page may have <span class='commentout-pmwikiorg'> a more recent version on <a class='urllink' href='http://www.pmwiki.org' rel='nofollow'>pmwiki.org</a>: <a class='urllink' href='http://www.pmwiki.org/wiki/PmWiki/PasswordsAdmin' rel='nofollow'>PmWiki:PasswordsAdmin</a>, and </span> a talk page: <a class='urllink' href='http://www.pmwiki.org/wiki/PmWiki/PasswordsAdmin-Talk' rel='nofollow'>PmWiki:PasswordsAdmin-Talk</a>.
</p></div>
</div>
<div class="clearer"><!-- this is a clearer div --></div>
</div>
</div><!-- end div contentbox -->
<!--PageFootMenuFmt-->
<div id ='footnavbox'>
<div id='footnav' class='navbuttons'><ul><li><a rel='nofollow' class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/PasswordsAdmin?action=edit'>Edit</a>
</li><li><a rel='nofollow' class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/PasswordsAdmin?action=diff'>Page History</a>
</li><li><a accesskey='ak_source' rel='nofollow' class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/PasswordsAdmin?action=source'>Source</a>
</li><li><a accesskey='ak_upload' rel='nofollow' class='wikilink' href='https://wiki.coolcleveland.com/wiki/PmWiki/PasswordsAdmin?action=upload'>Attach File</a>
</li><li><a rel='nofollow' class='wikilink' href='https://wiki.coolcleveland.com/wiki/Site/Search?q=link=PmWiki.PasswordsAdmin'>Backlinks</a>
</li><li><a rel='nofollow' class='wikilink' href='https://wiki.coolcleveland.com/wiki/Site/Search?q=PmWiki/'>List Group</a>
</li></ul><div class='vspace'></div><div class='indent'><em>Page last modified on October 03, 2017, at 07:04 AM</em>
</div>
</div>
</div>
<!--/PageFootMenuFmt-->
</td><!-- end div center -->
<!--PageRightFmt-->
<td id="right-box" valign="top">
<div id="rightbar"><p><br />
</p><ul><li><a class='urllink' href='http://www.coolcleveland.com/' rel='nofollow'>Home</a>
</li><li><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Sandbox/Admin'>Admin</a>
</li><li><a class='urllink' href='https://wiki.coolcleveland.com/wiki/AdminPanel/AdminPanel' rel='nofollow'>Admin Panel</a>
</li><li><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Main/UserSettings'>UserSettings</a>
</li><li><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Main/UserAccount'>UserAccount</a>
</li></ul><p class='vspace'><span class='rfloat'> </span>
<small><a class='wikilink' href='https://wiki.coolcleveland.com/wiki/Site/RightBar?action=edit'>Edit this menu</a></small>
</p>
<div class='vspace'></div>
</div>
</td><!-- end div right -->
<!--/PageRightFmt-->
</tr>
<tr>
<!--PageFooterFmt-->
<td id="footer-box" colspan="3" valign="top">
<div id="footer"><p style='text-align: center;'><a class='createlinktext' rel='nofollow'
href='https://wiki.coolcleveland.com/wiki/Site/Triad-ConfigurationSkin?action=edit'>config</a><a rel='nofollow'
class='createlink' href='https://wiki.coolcleveland.com/wiki/Site/Triad-ConfigurationSkin?action=edit'>?</a> <em>** pmwiki-2.2.107 **</em>
</p>
</div>
</td>
<!--/PageFooterFmt-->
</tr>
</table><!-- end div outer -->
<!--HTMLFooter-->
</body>
</html>