- Nov 17, 2008
-
-
Michael Klier authored
darcs-hash:20081117154409-23886-d0ad833c6bcf96bcc54f6998397de90ff07b7686.gz
-
- Nov 08, 2008
-
-
Oliver Geisen authored
darcs-hash:20081108225035-6837b-a662b0728205e64f5eaf7bd0003748a5be8a6b2f.gz
-
- Oct 13, 2008
-
-
Chris Smith authored
darcs-hash:20081013123417-f07c6-eaa5586edad17a971f4daf38afac77c6946539f0.gz
-
Chris Smith authored
darcs-hash:20081013123311-f07c6-8dc34c8fb9a170fae412a6c37928e601c1728a18.gz
-
Chris Smith authored
Update cookie and session with new details after an "update profile" action darcs-hash:20081013122958-f07c6-244b949b074ac73711c61833f1fa663e55da19c7.gz
-
- Oct 12, 2008
-
-
Michael Klier authored
darcs-hash:20081012144253-23886-c904f82c559c3ad5477bf921e93cb439a212134d.gz
-
Gina Haeussge authored
darcs-hash:20081012131042-2b4f5-029f4f0ffa6c89e23653584c8bb41db78834cc73.gz
-
- Oct 11, 2008
-
-
Guy Brand authored
darcs-hash:20081011161458-19e2d-97001154886654be84d70b1b140743b124a1c763.gz
-
Andreas Gohr authored
To clean data from the session correctly on logout, the session needs to be reopened. darcs-hash:20081011092157-7ad00-e5cc905b6e04b13fe667690c0e6aad68524254f1.gz
-
- Sep 12, 2008
-
-
Andreas Gohr authored
This patch adds the httponly option to the PHP session cookies and DokuWiki's auth cookie when supported by the PHP version. It also adds a new config option 'securecookie' which is enabled by default. It makes sure the browser will not send a cookie set via HTTPS over a non-secured connection. This option has to be disabled for wikis that only protect the login with SSL but not the whole wiki. darcs-hash:20080912224922-7ad00-d5275147ba9d17a9f6defa8a51ca720da74ba8a0.gz
-
- Aug 17, 2008
-
-
Gabriel Birke authored
Adds a wrapper function in the basic auth class which is used by the core code to modify the user database. The wrapper function signals events and delegates the action to the auth backend. darcs-hash:20080817141121-79ce3-3300a4342b62a7a18ebcc9a765d87b30a0264621.gz
-
- Jul 28, 2008
-
-
Andreas Gohr authored
This patch adds support for Apache style salted MD5 hashes (apr1). It also fixes smd5 for systems where crypt() does not support MD5 hashes. Unit tests were added. darcs-hash:20080728181616-7ad00-d0980557111cb05662ea1bcf4a78aa2b74ac90d0.gz
-
- Jun 08, 2008
-
-
Andreas Gohr authored
When only an array of groups but no username was passed to auth_aclcheck() it defaulted to use the @ALL group only. This is not critical because this does not happen anywhere in the code. Only exception is when building the plain English explanation of an ACL rule in the ACL manager. darcs-hash:20080608101051-7ad00-0abd42f84c04473ad4fca149893a1b4d931ece48.gz
-
- Jun 03, 2008
-
-
Andreas Gohr authored
darcs-hash:20080603203138-7ad00-cce00e99b64c53b6ffa11748262a3a8c2cd1e37e.gz
-
Andreas Gohr authored
This patch adds a way to create a token for an authenticated user which is stored in the session. When a subsequent request resends this token, the request will be authenticated automatically without the need for any cookies or credential rechecking. The auth token expires with the session. Requesting a new token will invalidate the old one. Sending a wrong token will result in a 401 and any existing token will be revoked. This is currently not used anywhere in the code but can be used for browser initiated client software (flash, applets, ...). Note this is unrelated to the anti CSRF sectoken implementation. Users who want to make use of this mechanism will probably need to pass the session id and a valid sectoken in addition to the authtoken darcs-hash:20080603193450-7ad00-2f35ddde16a31c4f2699e0e6050b3c4277b2bc64.gz
-
- Mar 15, 2008
-
-
Andreas Gohr authored
darcs-hash:20080315105202-7ad00-455d343db7d52a5af92361719bee1d60b6c8107d.gz
-
- Feb 27, 2008
-
-
Guy Brand authored
This patch allows $conf['superuser'] and $conf['manager'] to be lists of values instead of only a single value. So one can put: $conf['superuser'] darcs-hash:20080227142515-19e2d-c160914589f71531583e7ddaab1fc6a81996efa1.gz
-
- Feb 26, 2008
-
-
Andreas Gohr authored
There were a few problems with name encoding for groups and users introduced in the recent aclcheck change darcs-hash:20080226172257-7ad00-d591f0d2f2219a2b23f93060c65b8fb5f46bd1d7.gz
-
- Feb 15, 2008
-
-
Andreas Gohr authored
darcs-hash:20080215154316-7ad00-d052e2eed8e47e62ff639cd66d7debb4bfd293fc.gz
-
Andreas Gohr authored
darcs-hash:20080215121716-7ad00-35d275212e0e3c41626ed64d9096aad10f4ad2db.gz
-
Andreas Gohr authored
A reference file is now stored in data/cache/sessionpurge and is used to check if user sessions are still valid. To accommodate slow auth backends DokuWiki caches user info for a certain time in the user session. darcs-hash:20080215114923-7ad00-6874d5211efce7d07e54de37244becc2387c1ba7.gz
-
- Feb 13, 2008
-
-
Andreas Gohr authored
darcs-hash:20080213214505-7ad00-8ff1974ccbab38168f95072faaeb53134f95b926.gz
-
- Feb 12, 2008
-
-
Guy Brand authored
darcs-hash:20080212213222-19e2d-d8a2261fa83d6482afe213ffb41611ae723811de.gz
-
- Nov 02, 2007
-
-
Andreas Gohr authored
darcs-hash:20071102181850-7ad00-9c2c9b0ef953274b8abdadd95c53e8f4e1982810.gz
-
- Sep 30, 2007
-
-
Andreas Gohr authored
The use of realpath() to clean up relative file names caused some trouble in certain setups relying on symlinks or having restrictive file structure setups. This patch replaces all realpath() calls with a PHP only replacement which should solve those problems. darcs-hash:20070930184250-7ad00-512ff04c95f57fc9eaf104f80372237a3c94286f.gz
-
- Aug 30, 2007
-
-
Andreas Gohr authored
This patch adds a security token to all forms generated through the new form class. However it is only checked for possible dangerous actions like editing or profile changes. darcs-hash:20070830191429-7ad00-445efea47a09a4823dfe9e3434ba5b355a80daf6.gz
-
- Aug 19, 2007
-
-
Andreas Gohr authored
darcs-hash:20070819211829-7ad00-7f2dbd3d7ad6b4568b8f34209fbcffda6e110f4c.gz
-
- Aug 05, 2007
-
-
Chris Smith authored
darcs-hash:20070805203312-d26fc-cab8dbfff8a2d5f7299fa4462771bafc00135728.gz
-
- Jun 25, 2007
-
-
Andreas Gohr authored
darcs-hash:20070625210929-7ad00-034c5839bbca3e697d360f72dffcf9d927fea755.gz
-
Andreas Gohr authored
Instead of disabling the whole ACL feature when the auth backend is unavailable just degrade the user to an anonymous user. darcs-hash:20070625205228-7ad00-19cfa3c302b4ee63f0a6562823c5d550f9c9755c.gz
-
- Jun 03, 2007
-
-
Andreas Gohr authored
Introduces a DOKU_REL constant always pointing to the DokuWiki directory regardless of the used canonical setting. darcs-hash:20070603191451-7ad00-a5227a3632b3337f5da90551d3166d9b5db56638.gz
-
- May 28, 2007
-
-
Chris Smith authored
This fix adds a new configuration setting, 'auth_security_timeout', which controls the duration (seconds) before authentication information is rechecked. The default value is set to 900 seconds (15 minutes). Wiki installations particularly concerned about security should set this value to 0. DokuWiki maintains a copy of the most recent authentication details in both a browser cookie and server session. Normally these values are compared on each page visit. If the comparison passes the user is accepted. The same data will be used over and over until either the cookie or the session expires. FS#1085 is concerned with updates to the original authentication data not being able to affect this comparison. The new 'auth_security_timeout' setting will force expiration of the saved data after the specified period has elapsed. Re-authentication may affect page response, especially on systems which use remote authentication systems. This fix is considered partial and should be reviewed after the next release with a view to extending the authentication class to allow those mechanisms which are able to control when DW should revoke authentication. darcs-hash:20070528194747-d26fc-f471004da604eb66f7131c470e446b98c29d801b.gz
-
- Mar 02, 2007
-
-
Guy Brand authored
darcs-hash:20070302100506-19e2d-342a0477340aa6b2c5fb7e08c520053b7dc33608.gz
-
- Mar 01, 2007
-
-
Guy Brand authored
This saves a lot of ACL lines for users namespaces for example:
    users:* @ALL 1
    users:@USER@ @USER@ 8
darcs-hash:20070301230309-19e2d-90a00b70a2af546fd5194ade614c130e9f7864eb.gz
-
- Jan 06, 2007
-
-
Andreas Gohr authored
darcs-hash:20070106122851-7ad00-9b3b2923e2f917107b29c4dacfc1047b2845a5db.gz
-
- Jan 09, 2007
-
-
Andreas Gohr authored
darcs-hash:20070109213155-7ad00-9594bbf5c0730221b46f31bb40f31997a09ab4b4.gz
-
- Dec 03, 2006
-
-
Andreas Gohr authored
This patch adds support for a manager option as suggested in http://www.freelists.org/archives/dokuwiki/11-2006/msg00314.html darcs-hash:20061203134104-7ad00-72ff6422bbb4f79be325c7e77255e1eee32d0f6b.gz
-
- Nov 14, 2006
-
-
Andreas Gohr authored
A simple event to inject additional HTML into the editform. This probably needs to be improved. darcs-hash:20061114220825-7ad00-ce868b8d8a25f5120c49dc018b8fd1024aff6e12.gz
-
- Nov 04, 2006
-
-
chris authored
darcs-hash:20061104174349-9b6ab-74e7c5a3e7a14d12253d36a9d09a35866125a7ec.gz
-
- Nov 03, 2006
-
-
Andreas Gohr authored
darcs-hash:20061103160700-7ad00-01c7039c591ebdffcbe283984b23b2bb4ed4bc74.gz
-