Note: wget must be in the system path, as it is used to make the http request.
* If set to 'modify', authentication is required to modify the wiki.
* If set to 'read', authentication is required to view the wiki.
* If set to 'none', authentication is never required, and pages can be edited anonymously.

API changes:

* currentUser moved to Authentication module
* requireAuthentication added to Config
* Added AuthenticationLevel type
* requireUser renamed authenticate, parameter for AuthenticationLevel added; requireUserThat renamed authenticateUserThat
You can now use RPXNow authentication by setting authentication-method to rpx and setting rpx-domain and rpx-key appropriately.
Resolves Issue #69.
If you want to make a wiki read-only accessible to everyone, but writable only to those who authenticate, you can put your /_login URL only under authentication. The /_logout method here is untested and probably won't work.
+ Now the currently logged in user is taken from the REMOTE_USER request header.
+ This can be set externally (as by mod_auth_cas) or by a gitit filter that runs before the other wiki handlers.
+ This gitit filter, withUser, is set in config and will differ depending on whether we're using form authentication (in which case the user will be extracted from a session) or http authentication (in which case it will be extracted from the "authorization" request header). (When we're using gitit with an external system that sets REMOTE_USER, we can set this to id.)
+ Config also specifies authHandler, which includes handlers for urls like _login and _logout. This can be set to use the form-based authentication handlers or a pared-down logout handler for HTTP authentication.
+ The requireUser combinator checks that a user is logged in before running a handler; if not, we divert to the _login page with a 'destination' parameter with the URL to return to. This replaces the old ifLoggedIn.
+ A GET parameter is now used for 'destination', rather than a cookie. Also, we try not to rely on 'referer' except as a fallback.
+ Config sets these appropriately.
+ They can be specified in a calling program.
+ The login/out box is now no longer hidden when non-form authentication is used.
Gitit did not verify that a change password request is genuine when it receives the final POST. It has been changed to re-verify the reset code, otherwise an attacker could simply steal anyone's account by spoofing a POST request. Thanks to Robin Green for the patch.
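The reset-code re-verification described above, as an added example that is not gitit's own code: a small Python model of the final POST handler before and after the fix. The form field names, the one-hour lifetime and the single-use rule are assumptions of this example, not details from the page.

```python
import hashlib, hmac, secrets, time

RESET_TTL = 3600  # assumed code lifetime in seconds; the page does not give one

class ResetStore:
    """In-memory stand-in for the user database (constructed for this example)."""
    def __init__(self):
        self.passwords = {}  # username -> (salt, PBKDF2 hash)
        self.pending = {}    # username -> (SHA-256 of reset code, expiry time)

    def issue_code(self, user, now=None):
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[user] = (digest, now + RESET_TTL)
        return code  # delivered to the account owner out of band

    def code_is_valid(self, user, code, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None or now > entry[1]:
            return False
        digest = hashlib.sha256(code.encode()).hexdigest()
        return hmac.compare_digest(digest, entry[0])  # constant-time compare

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.passwords[user] = (salt, key)

    def check_password(self, user, password):
        salt, key = self.passwords[user]
        trial = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(trial, key)

def post_reset_unchecked(store, form):
    """Before the fix: the final POST is trusted without the reset code."""
    store.set_password(form["username"], form["password"])
    return 200

def post_reset_checked(store, form, now=None):
    """After the fix: the reset code is verified again on the final POST."""
    user, code = form.get("username", ""), form.get("reset_code", "")
    if not form.get("password") or not store.code_is_valid(user, code, now):
        return 403
    del store.pending[user]  # single use (an assumption of this example)
    store.set_password(user, form["password"])
    return 200
```
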
This is useful for wikis embedded in applications that have their own user handling.