wiki specific authentication keys for specific api calls...

Tim

Jun 12, 2008, 1:48:15 PM
to PBwiki API Hackers
It'd be cool if the wiki administrator could set a static
authentication key for specific api calls....
these could be like passwords for those calls..

my use case for this would be for the adduser call... if you could set
"xyz123" as the wiki specific authentication key for that command,
then you could put a publicly accessible link on your frontpage that
would allow you to register yourself for the page...

This seems like it could be an alternative to the invite keys of
pbwiki 1.0...

Thoughts?
-Tim

Nathan Schmidt

Jun 12, 2008, 2:40:09 PM
to tim.l...@gmail.com, PBwiki API Hackers
Tim,

I like the idea of individually delegated auth for operations but at
the same time we've got a pretty involved auth/security mechanism as
is. I'll need to sleep on it and see if I can come up with a
reasonable way of integrating your approach into what's there already.

In particular your use case, which is self-service user administration,
sounds very close to a feature we'll be releasing very soon - 'Request
Access' -- which will allow most of this functionality for users who
aren't already part of your wiki. While this doesn't give you the
automatic round-trip it's a start.

Even if we were to have op-granularity keys, for the AddUser op it'd be a
bit more tricky -- you don't want to be just handing out a form which
would allow someone to add themselves at an arbitrary permission, it'd
need to be 'key-able-to-adduser-at-read-permission' which is a bit of
plumbing I hadn't anticipated.

Meanwhile, you could always host just a form somewhere else, catch the
posted email and run the request from your server, then redirect the
user back to the wiki. That's a little bit convoluted but is doable
today.

-n

Tim

Jun 12, 2008, 5:15:24 PM
to PBwiki API Hackers
you're right...
that works great!

go ahead and add yourself to this wiki:

http://copytest2.pbwiki.com/addself

--still would be nice to have an entirely pbwiki way to do this :)

ASP page for adding users:

<html>
<body>
<%
' Untrusted input from the query string
username = Request.QueryString("username")
email = Request.QueryString("email")
wikiname = Request.QueryString("wiki")

' Only wikis listed here are served; admin credentials are chosen per wiki
if wikiname = "" then
    Response.Write("No Wiki Specified...")
    Response.End
elseif wikiname = "copytest2" then
    wikiadmin_email = "REDACTED"
    wikiadmin_password = "REDACTED"
else
    ' HTML-encode before echoing so the wiki parameter cannot inject markup
    Response.Write("Unrecognized wiki <i>" + Server.HTMLEncode(wikiname) + "</i>...")
    Response.End
end if
%>
<!--
<h1>Hello</h1>
<%= Server.HTMLEncode(username) %><br>
<%= Server.HTMLEncode(email) %><br>
-->

<%
dim objXMLHTTP
set objXMLHTTP = Server.CreateObject("Microsoft.XMLHTTP")

' Log in as the wiki admin; form values are URL-encoded
url = "https://my.pbwiki.com/"
login_post_data = "u_email=" + Server.URLEncode(wikiadmin_email) + "&u_password=" + _
    Server.URLEncode(wikiadmin_password) + "&u_remember=checked&submit_submit=Log+in&wiki="

objXMLHTTP.Open "POST", url, false
objXMLHTTP.SetRequestHeader "Content-type", "application/x-www-form-urlencoded"
objXMLHTTP.Send login_post_data

if objXMLHTTP.status = 200 then
    ' URL-encode the user-supplied values so they stay inside their own path segments
    url = "http://" + wikiname + ".pbwiki.com/api_v2/op/AddUser/perm/read/_type/jsontext/email/" + _
        Server.URLEncode(email) + "/name/" + Server.URLEncode(username) + "/perm/edit"
    objXMLHTTP.Open "GET", url, false
    objXMLHTTP.Send
end if
%>
<br>
default password: email
<br>
<small>response:</small>
<table border=1><tr><td>
<%= Server.HTMLEncode(objXMLHTTP.ResponseText) %>
</td></tr></table><br>
<a href="http://<%=wikiname%>.pbwiki.com">Return</a>
</body>
</html>
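The relay approach from this exchange (catch the posted email on your own server, then run AddUser from there), as an added example that is not code from the thread. The function name `buildAddUserUrl`, the email pattern and the name length limit are assumptions, and it assumes the API percent-decodes path segments; the permission is fixed server-side and never taken from the request.

```javascript
// Wikis this relay may act for (the ASP page above serves only "copytest2").
const ALLOWED_WIKIS = new Set(['copytest2']);

// Deliberately simple address check (an assumption for this example):
// one "@", a dotted domain, no whitespace or "/" anywhere.
const EMAIL_RE = /^[^\s@\/]+@[^\s@\/]+\.[^\s@\/]+$/;

// Turn untrusted query parameters into the AddUser URL, or a rejection
// the relay can answer with its own error page.
function buildAddUserUrl(query) {
  const wiki = String(query.wiki || '');
  const email = String(query.email || '').trim();
  const name = String(query.username || '').trim();

  // The wiki name becomes part of the host, so it must match exactly.
  if (!ALLOWED_WIKIS.has(wiki)) return { ok: false, error: 'unrecognized wiki' };
  if (email.length > 254 || !EMAIL_RE.test(email)) {
    return { ok: false, error: 'invalid email' };
  }
  if (name.length === 0 || name.length > 64) {
    return { ok: false, error: 'invalid name' };
  }

  // Key/value path segments as in the thread's URL. perm is a constant here:
  // a "perm" parameter sent by the visitor is ignored.
  const segments = [
    'op', 'AddUser', '_type', 'jsontext',
    'email', email, 'name', name, 'perm', 'read',
  ];
  // Encoding each segment keeps "/" in a value from starting a new key/value pair.
  const path = segments.map((s) => encodeURIComponent(s)).join('/');
  return { ok: true, url: `http://${wiki}.pbwiki.com/api_v2/${path}` };
}
```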



Nathan Schmidt

Jun 12, 2008, 6:10:21 PM
to tim.l...@gmail.com, PBwiki API Hackers
Dude, you're blowing my mind here.

I agree it'd be great to have a PBwiki-only solution for that. I've
been sketching out a mechanism for the
rights-for-particular-operations keys and I think I have a workable
solution, will update if/when that's something available to test out.

My ideal world (short of a sort of 'Self-serve add-users plugin' )
would allow something like this on the page, though we do fairly
aggressive html sanitizing which removes form elements, needs a
workaround to work ...

Add yourself here:<br/>
<form method=post action=https://nathan.pbwiki.com/api_v2/>
run the op<input type=text name=op value=AddUser /><br/>
your email<input type=text name=email /><br/>
make up a new password<input type=password name=password /><br/>
your perm will be read<input type=text name=perm value="read" /><br/>
using opkey_adduser_read<input type=text name=opkey_adduser_read value="FAKE-KEY" /><br/>
redirect _after_success<input type=text name=_after_success value="/FrontPage" /><br/>
<input type=submit />
</form>
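The permission-bound operation key discussed in both of Nathan's replies (a key able to run AddUser only at read permission, posted in the form as opkey_adduser_read), as an added example that is not PBwiki's implementation or code from the thread. The key store, the function name `authorizeOpKey` and the read-below-edit ranking are assumptions for illustration.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Permission ranking assumed for this example; the thread names "read" and "edit".
const PERM_RANK = new Map([['read', 1], ['edit', 2]]);

const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest();

// Hypothetical key store: every key is bound to one op and a permission ceiling.
// Only the hash is kept server-side; 'FAKE-KEY' is the placeholder from the form.
const OP_KEYS = [{ op: 'AddUser', maxPerm: 'read', keyHash: sha256('FAKE-KEY') }];

// Decide whether a posted form may run its op. Every field is untrusted,
// including perm, because the visitor can edit the form before submitting it.
function authorizeOpKey({ op, perm, opkey }, keys = OP_KEYS) {
  if (typeof op !== 'string' || typeof opkey !== 'string') {
    return { allowed: false, reason: 'missing op or key' };
  }
  // Hashing first gives equal-length buffers for the constant-time comparison.
  const presented = sha256(opkey);
  const grant = keys.find(
    (k) => k.op === op && timingSafeEqual(k.keyHash, presented)
  );
  if (!grant) return { allowed: false, reason: 'key not valid for this op' };

  // A missing perm falls back to the lowest level, never to the ceiling.
  const requested = perm === undefined ? 'read' : perm;
  if (!PERM_RANK.has(requested)) {
    return { allowed: false, reason: 'unknown perm' };
  }
  if (PERM_RANK.get(requested) > PERM_RANK.get(grant.maxPerm)) {
    return { allowed: false, reason: 'perm exceeds key ceiling' };
  }
  return { allowed: true, perm: requested };
}
```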

Tim

Jun 13, 2008, 5:09:03 PM
to PBwiki API Hackers
awesome.. quick turn around time on that new admin method (can't beat
service like that!)

question though. I'm creating a form like this:
form_html += "<form method=post action=/api_v2/>";
form_html += "<b>Email:</b><br><input name=email>";
form_html += "<input name=op value=AddUser type=hidden>";
form_html += "<input name=_type value=jsontext type=hidden>";
form_html += "<input name=admin_key value=" + adduser_key + " type=hidden>";
form_html += "<input name=perm value=read type=hidden>";
form_html += "<input name=password value=email type=hidden><br>";
form_html += "<input value='Sign Up!' type=submit>";
form_html += "<input type=hidden name=_after_success value='/signupsuccess'>";
form_html += "<input type=hidden name=_after_error value='/signupfailed'>";
form_html += "</form>";

but if I put "bob" in for my email address... rather than getting sent
to signupfailed I'm getting a server error 500.

am I doing something wrong?

