
From valebedev at gmail.com Mon Dec 1 16:02:14 2008
From: valebedev at gmail.com (Vladimir Lebedev)
Date: Mon Dec 1 15:06:47 2008
Subject: [Sputnik-list] HTTP-auth for Sputnik
Message-ID: 14370124.1941228154530328.JavaMail.wal@macpro-wal.local

Dear all,

Is it possible to authenticate a user via simple http authentication? I need this in order to conceal both content and structure of my wiki from anonymous visitors.

Thank you very much in advance,

Vladimir

From yuri at sims.berkeley.edu Mon Dec 1 17:07:26 2008
From: yuri at sims.berkeley.edu (Yuri Takhteyev)
Date: Mon Dec 1 16:11:52 2008
Subject: [Sputnik-list] HTTP-auth for Sputnik
In-Reply-To: 14370124.1941228154530328.JavaMail.wal@macpro-wal.local
References: 14370124.1941228154530328.JavaMail.wal@macpro-wal.local
Message-ID: fa4efbc00812011107y5198654enc1bba622df14ef1c@mail.gmail.com

I can suggest three options. First, you can definitely simply put Sputnik behind http authentication, as you would with any site. Your users will need to then do http authentication before they see anything. Sputnik wouldn't know whether they actually authenticated and who they are logged in as, but this may not matter. This is also by far the most secure way to protect your Sputnik.

Another alternative is to use Sputnik authentication, but change it to really limit what information is displayed to non-authenticated users. You can edit permissions in @Root and prohibit nearly all actions to non-authenticated users (just comment out most of the options there), leaving just enough to allow them to log in. You can also hide the navigation bar quite easily for users who are not logged in by editing sputnik/templates node and changing

$donavsections[=[
 <li class='$class' id='$id'>
  <a $link>$title</a>
  <ul class='$class'> <!-- ul.back will be hidden via CSS -->
   $subsections[[<li class='$class'><a $link>$title</a></li>]]
   <li style="display:none">&nbsp;</li>
  </ul>
 </li>]=]

to

$ifloggedin[======[ $donavsections[=[
 <li class='$class' id='$id'>
  <a $link>$title</a>
  <ul class='$class'> <!-- ul.back will be hidden via CSS -->
   $subsections[[<li class='$class'><a $link>$title</a></li>]]
   <li style="display:none">&nbsp;</li>
  </ul>
 </li>]=]
]======]

Finally, it should be possible to change sputnik to actually pick up authentication information from the headers. The less elegant way to do this would be to edit Sputnik:translate_request () in sputnik/lua/sputnik/init.lua to look at HTTP headers and set request.user as you like. A better way of doing this would be to write a new authentication module using sputnik/lua/sputnik/auth/simple.lua as an example. (The authentication API would need to be extended a little bit to allow passing the headers.)

- yuri

Sputnik-list mailing list Sputnik-list@lists.luaforge.net http://lists.luaforge.net/cgi-bin/mailman/listinfo/sputnik-list

-- http://sputnik.freewisdom.org/
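
The third option in the message above (reading the HTTP-authenticated identity and using it for request.user), shown as an added example that is not Sputnik's code and not part of the thread. It assumes a CGI-style environment table `env` with `AUTH_TYPE`, `REMOTE_USER` and `HTTP_AUTHORIZATION`; the function names are hypothetical, and the wiring into Sputnik:translate_request() is not shown.

```lua
-- Added example, not Sputnik code. `env` is an assumed CGI-style table.
local B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

-- Decode standard base64; returns nil on malformed input.
local function b64decode(s)
  if #s % 4 ~= 0 or not s:match("^[%w+/]*=?=?$") then return nil end
  local out, bits, nbits = {}, 0, 0
  for c in s:gsub("=", ""):gmatch(".") do
    bits = bits * 64 + (B64:find(c, 1, true) - 1)
    nbits = nbits + 6
    if nbits >= 8 then
      nbits = nbits - 8
      local byte = math.floor(bits / 2 ^ nbits)
      out[#out + 1] = string.char(byte)
      bits = bits - byte * 2 ^ nbits
    end
  end
  return table.concat(out)
end

-- Parse "Basic <base64(user:password)>"; returns user, password or nil.
local function basic_credentials(header)
  local scheme, blob = (header or ""):match("^(%a+)%s+(%S+)%s*$")
  if not scheme or scheme:lower() ~= "basic" then return nil end
  local decoded = b64decode(blob)
  -- Split at the first colon: the password may itself contain colons.
  local user, password = (decoded or ""):match("^([^:]+):(.*)$")
  return user, password
end

-- Value for request.user. Only an identity the web server verified
-- (AUTH_TYPE and REMOTE_USER set) is trusted; a bare Authorization
-- header is client-supplied and proves nothing on its own.
local function authenticated_user(env)
  local remote = env.REMOTE_USER
  if (env.AUTH_TYPE or ""):lower() ~= "basic" or not remote or remote == "" then
    return nil
  end
  -- If the header was forwarded as well, it must name the same user.
  local claimed = basic_credentials(env.HTTP_AUTHORIZATION)
  if env.HTTP_AUTHORIZATION and claimed ~= remote then return nil end
  return remote
end

-- Constructed sample environments (not captured traffic).
local header = "Basic YWxpY2U6czNjcmV0"
print(authenticated_user{AUTH_TYPE="Basic", REMOTE_USER="alice", HTTP_AUTHORIZATION=header})
print(authenticated_user{HTTP_AUTHORIZATION=header})  -- header only, no server check
print(authenticated_user{AUTH_TYPE="Basic", REMOTE_USER="bob", HTTP_AUTHORIZATION=header})
```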

From valebedev at gmail.com Tue Dec 2 05:56:26 2008
From: valebedev at gmail.com (Vladimir Lebedev)
Date: Tue Dec 2 05:01:04 2008
Subject: [Sputnik-list] HTTP-auth for Sputnik
In-Reply-To: fa4efbc00812011107y5198654enc1bba622df14ef1c@mail.gmail.com
Message-ID: 2650059.2061228204582629.JavaMail.wal@macpro-wal.local

Dear Yuri,

Thanks a lot for your help! I put "$ifloggedin" in a couple more places in sputnik/template and now it seems to be OK for the beginning.

I'm not sure that I'll be able to write a new authentication plugin - I quit my programming career more than 15 years ago... Though if I try, I'll let you know! :)

Best regards,
Vladimir
