Using DokuWiki’s ACL feature with pre-authenticated Apache users

24 Jun

DokuWiki is a very simple, PHP-based wiki. Its strength is simplicity. It uses txt files for storage and runs on nearly every web server which supports PHP, no database needed.

DokuWiki supports users and ACLs, so it’s possible to allow editing only to a special group of people. DokuWiki supports many authentication backends, but the default plugins all assume that the wiki has a "login" button. In my case, the users are already authenticated via htAccess. So I started to search for a solution which integrates these users.

In my world, there is something like example.org/private, which contains example.org/private/wiki. The whole private space is protected via htAccess and is used by multiple users with different permissions.

My first approach was to simply disable the ACL feature. However, this solution has some drawbacks: you have no admin interface and all users have the same permissions.

This was not exactly what I wanted. I found a htAccessAuth Plugin which used a htUsers file as a backend. But I don’t have such a file. And I don’t need to create or delete users via the wiki anyway. So I simply wrote my own plugin:

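<?php
// inc/auth/external.class.php
define('DOKU_AUTH', dirname(__FILE__));
require_once(DOKU_AUTH.'/basic.class.php');

class auth_external extends auth_basic {

  // Tell DokuWiki that this backend handles authentication externally
  function auth_external() {
    $this->cando['external'] = true;
  }

  // Called on every request; the login itself was already done by Apache
  function trustExternal($user,$pass,$sticky=false){
    global $USERINFO;

    // No HTTP auth user on this request: do not treat it as logged in
    if (empty($_SERVER['PHP_AUTH_USER'])) return false;

    $USERINFO['name'] = $_SERVER['PHP_AUTH_USER'];
    // Generated address; HTTP_HOST is taken from the request's Host header
    $USERINFO['mail'] = $_SERVER['PHP_AUTH_USER'] . '@' . $_SERVER['HTTP_HOST'];
    $USERINFO['grps'] = array();
    // DokuWiki reads the current user from REMOTE_USER
    $_SERVER['REMOTE_USER'] = $user;
    return true;
  }

  // User management is not available through the wiki
  function retrieveUsers($start=0,$limit=-1,$filter=null) {
    return array();
  }

  function addGroup($group) {
    return false;
  }

  // Groups are not supported, so the list is always empty
  function retrieveGroups($start=0,$limit=0) {
    return array();
  }
}
?>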

The class is really simple. It uses the authenticated user as the username, and generates an e-mail address from the username and the hostname. Groups are not supported.
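The class trusts PHP_AUTH_USER, which PHP fills from the request's Authorization header, so the plugin is only as strong as the Apache rule covering the wiki path. The following check is an added example, not part of the original plugin: preauth_user() is a hypothetical helper, the sample arrays are constructed, and it assumes mod_php, where Apache sets REMOTE_USER and AUTH_TYPE only after its own auth module accepted the credentials (so it has to run before the plugin overwrites REMOTE_USER).

```php
<?php
// Added example, not part of the original plugin. preauth_user() is a
// hypothetical helper; the sample $_SERVER arrays below are constructed.

/**
 * Return the user name Apache authenticated, or null if the request
 * carries no sign that Apache performed the check.
 */
function preauth_user(array $server) {
    // Set by Apache only when an auth module accepted the credentials
    // (assumption: mod_php; CGI setups may expose these differently).
    $remote = isset($server['REMOTE_USER']) ? $server['REMOTE_USER'] : '';
    $type   = isset($server['AUTH_TYPE'])   ? $server['AUTH_TYPE']   : '';
    // Parsed by PHP from the Authorization header.
    $header = isset($server['PHP_AUTH_USER']) ? $server['PHP_AUTH_USER'] : '';

    if ($remote === '' || $type === '') {
        return null;            // path not covered by an Apache auth rule
    }
    if ($header !== '' && $header !== $remote) {
        return null;            // header and server disagree
    }
    // The name ends up in ACL rules, changelogs and the generated mail
    // address, so accept a conservative character set only.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $remote)) {
        return null;
    }
    return $remote;
}

// Constructed sample requests.
$samples = array(
    'protected path' => array('REMOTE_USER' => 'jochen', 'AUTH_TYPE' => 'Basic',
                              'PHP_AUTH_USER' => 'jochen'),
    'rule missing'   => array('PHP_AUTH_USER' => 'jochen'),
    'odd user name'  => array('REMOTE_USER' => "jo\nchen", 'AUTH_TYPE' => 'Basic'),
);
foreach ($samples as $label => $server) {
    $user = preauth_user($server);
    echo str_pad($label, 16), $user === null ? 'rejected' : "accepted as $user", "\n";
}
```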

Next, I edited conf/local.php and added these three lines:

$conf['useacl'] = 1;
$conf['authtype'] = 'external';
$conf['superuser'] = 'jochen';

This uses the new authentication and gives me admin rights. Aside from the generic e-mail address, the solution is pretty generic. There is only one thing left: there is still a logout button, which does… well… nothing. I turned the line "<?php tpl_button('login')?>" in lib/tpl/default/main.php into a comment to remove the button.

I’m really not sure if anyone else can make use of it. If you can, feel free to copy everything you need.
