Access control for friends and wizards

From GeneWeb

Access to the content of a base is controlled through several mechanisms:

  • A server level access control limiting access to a list of persons, verified by a password;
  • A base level access control limiting access to a list of persons, verified by a password.

These two mechanisms restrict to a known list the possible visitors to a base. See Access for details.

  • A generic or specific password mechanism giving some visitors the status of:
    • Wizard: having total read and write access to the base content;
    • Friend: having total read access to the content of the base;
    • Visitor: (default status) having limited access to the content of the base (only persons older than some value, as defined by private_years in the configuration file basename.gwf; the default is 150 years).
Visitors also have access to persons tagged as "public", as defined in Update a person.

Generic access

Generic access is directly defined in the configuration file basename.gwf:

friend_passwd=
wizard_passwd=

Two syntaxes are possible for the value of these parameters:

  • username:password: in this case all users share the same username/password pair;
  • password: in this case, the username is optional and left to the choice of the user.
Note that the username is displayed on some GeneWeb pages, such as the welcome.txt page.

For instance, the grimaldi.gwf configuration file of the GeneWeb test base (accessed as Demo in the left sidebar of this wiki) contains:

friend_passwd=grimaldi:friend
wizard_passwd=grimaldi:wizard

Depending on the template, user authentication is achieved either through direct entry of username:password in the appropriate input line, or by clicking on a "friend" or "wizard" button, in which case the browser pops up a small window with two entry lines, one for the username and one for the password. In this case, the : is simply ignored.

Note that, in some contexts, the GeneWeb access control pop-up window may offer a single entry field rather than two. In this case, one should enter the full username:password sequence (or just the password if there is no username).

Specific access

Specific access control is achieved by defining files containing username:password pairs (usually with the extension .auth). The names of those files are defined directly in the configuration file basename.gwf, and the files should reside in the bases folder. There can be several files for several bases:

friend_passwd_file=
wizard_passwd_file=

The syntax of those files is as follows:

username:password
username:password:comment
username:password:full name:comment
username:password:first-name /last-name:comment

The full name appears in the wizard page, alphabetically sorted. The / helps define the sorting position in the case of compound names. For instance: louis:xyz:Louis de /Broglie will be sorted at letter B and appear as Broglie (Louis de).
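As an added illustration (not GeneWeb's own code), here is a small Python parser for the four .auth line syntaxes above, which also reproduces the / sorting rule and the "Broglie (Louis de)" rendering. Listing an entry without a full name under its username and rejecting duplicate usernames are assumptions added here, not documented GeneWeb behaviour.

```python
from typing import List, NamedTuple, Optional

class AuthEntry(NamedTuple):
    username: str
    password: str
    full_name: Optional[str]  # None for the two short syntaxes
    comment: Optional[str]

def parse_auth_line(line: str) -> Optional[AuthEntry]:
    """Parse one line in any of the four syntaxes; blank lines yield None."""
    if not line.strip():
        return None
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"malformed .auth line (no ':' separator): {line!r}")
    username, password = fields[0], fields[1]
    if len(fields) == 2:
        return AuthEntry(username, password, None, None)
    if len(fields) == 3:
        return AuthEntry(username, password, None, fields[2])
    # Four or more fields: third is the full name, the remainder is the comment.
    return AuthEntry(username, password, fields[2], ":".join(fields[3:]))

def split_name(entry: AuthEntry) -> tuple:
    """Return (sort part, rest): 'Louis de /Broglie' -> ('Broglie', 'Louis de')."""
    # Assumption: an entry without a full name is listed under its username.
    before, sep, after = (entry.full_name or entry.username).partition("/")
    return (after.strip(), before.strip()) if sep else (before.strip(), "")

def display_name(entry: AuthEntry) -> str:
    """Render as the wizard page does: 'Broglie (Louis de)'."""
    sort_part, rest = split_name(entry)
    return f"{sort_part} ({rest})" if rest else sort_part

def parse_auth_file(text: str) -> List[AuthEntry]:
    """Parse a whole file, rejecting duplicate usernames (an added sanity check)."""
    entries = [e for e in map(parse_auth_line, text.splitlines()) if e]
    names = [e.username for e in entries]
    if len(set(names)) != len(names):
        raise ValueError("duplicate username in .auth file")
    return entries

def wizard_listing(text: str) -> List[str]:
    """Names as the wizard page lists them, sorted on the part after '/'."""
    entries = sorted(parse_auth_file(text), key=lambda e: split_name(e)[0].casefold())
    return [display_name(e) for e in entries]

# Constructed sample covering the four syntaxes (not a real GeneWeb .auth file).
SAMPLE_AUTH = "anne:s3cret\nlouis:xyz:Louis de /Broglie:physicist\n" \
              "pierre:abc:Pierre Curie:chemist\nmarie:def:just a comment\n"
```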

When both specific access and generic access are specified in the configuration file basename.gwf, the specific access mechanism takes precedence.

Transmitting user/pass in the URL

It is possible to send to the server the username/password pair within the request:

 http://host:2317/Basename?request&w=username:password

In this example, request can be any legitimate GeneWeb request. The only drawback of this method is that the password is transmitted to the server in the clear, as part of the URL.

Access control in CGI mode

When in CGI mode, the access controls described above remain operational, and are redundant with other authentication methods offered by the web server, such as .htaccess files with Apache.

As .htaccess allows access control through a list of username/password entries, visitors without a password already have no access to the databases. In GeneWeb, it is then better to leave friend_passwd= empty, to avoid a second authentication for friends, while keeping a password (or password file) for wizards, who will need to authenticate a second time.


GeneWeb Manual
