Authentication and BibORB

Configure the authentication support in BibORB 1.3.3.

Introduction

If BibORB is used in a collaborative way, you may want to define who can add, modify or delete references. Presently, two authentication methods are supported: MySQL and files.

Access restriction using .htaccess

This method restricts access to BibORB pages: a user must enter a valid (username, password) pair to access BibORB. The rules (add, edit, delete) are then defined by one of the authentication methods supported by BibORB, i.e., presently, MySQL and files (see the following sections).

The first step is to create a file containing the list of trusted users, storing their usernames and passwords. This can be done with the htpasswd program. The following command creates a file named .htpasswd_biborb, initially filled with a password for the user foo.

htpasswd -c .htpasswd_biborb foo
New password: ******
Re-type new password: ******

To add a new user to the password file:

htpasswd .htpasswd_biborb anotherFoo
New password: ******
Re-type new password: ******

Then, uncomment the following lines in .htaccess:

AuthName "BibORB Restricted Area"
AuthType Basic
AuthUserFile /path/to/.htpasswd_biborb
require valid-user

To protect the password files, also uncomment the lines:

<Files .ht*>
deny from all
</Files>

MySQL authentication

Values to define in config.php (AUTH_METHOD is only used when DISABLE_AUTHENTICATION is FALSE):

/**
 * If TRUE, this will disable authentication.
 * All users will have the administrator status
 */
define("DISABLE_AUTHENTICATION",TRUE);
	
/**
 * Authentication methods: mysql, files
 * Used if DISABLE_AUTHENTICATION = FALSE
 */
define("AUTH_METHOD",'mysql');

The next step is to correctly set up php/auth_backends/auth.mysql.php. This is done by defining:

/**
    The database configuration
*/
$host = "localhost";
$db = "biborb";
$dbuser = "biborb-admin";
$pass = "biborbdev";
$table = "biborb_users";
$auth_table = "biborb_auth";
$pref_table = "user_preferences";

  • $host: address of the machine hosting the database.
  • $db: name of the database.
  • $dbuser: a valid MySQL user which has access to the database.
  • $pass: its password.
  • $table: the table containing valid biborb users and passwords.
  • $auth_table: the table that defines authorizations for biborb users.
  • $pref_table: the table that defines biborb users' preferences.

data/biborb.sql contains the SQL structure used by the MySQL authentication. Have a look at php/auth_backends/auth.mysql.php for details about the structure of the database.

Files authentication

If you don't want or don't have access to a database, you can configure authorizations using files.

Values to define in config.php (AUTH_METHOD is only used when DISABLE_AUTHENTICATION is FALSE):

/**
 * If TRUE, this will disable authentication.
 * All users will have the administrator status
 */
define("DISABLE_AUTHENTICATION",TRUE);

/**
 * Authentication methods: mysql, files
 * Used if DISABLE_AUTHENTICATION = FALSE
 */
define("AUTH_METHOD",'files');

The files used to define access are php/auth_backends/bib_access.txt and data/auth_files/bib_users.txt

  • data/auth_files/bib_users.txt: it contains a list of user/password entries in the form user:crypted_password,isAdmin, where isAdmin=1 if the user is an administrator (all privileges, add/delete bibliographies) and 0 otherwise.
    testuser:testpass,0
    admin:admin,1
    
    Use php/auth_backends/crypt_password.php to crypt your password, then copy the result into bib_users.txt.
  • data/auth_files/bib_access.txt: it defines the users' privileges on each database (a: add reference, d: delete reference, m: update reference)
    abibliography:testuser*m,anotheruser*adm
    anotherbiblio:testuser*adm,anotheruser*am
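
The two file formats above can be checked mechanically before deployment. The following audit script is an added example, not part of BibORB; its function names, the HASH1/HASH2 placeholders and the sample contents are constructed for illustration, and it assumes the line formats are exactly those described above.

```python
# Added example: audit of BibORB's file-based authorization data.
# Line formats follow the page; the sample contents below are constructed.
VALID_PRIVS = {"a", "d", "m"}  # a: add, d: delete, m: update reference

def parse_users(text):
    """Return {username: is_admin} from bib_users.txt content."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, rest = line.split(":", 1)        # user:crypted_password,isAdmin
        _hash, is_admin = rest.rsplit(",", 1)  # the hash itself is not inspected
        users[name] = is_admin == "1"
    return users

def parse_access(text):
    """Return {bibliography: {username: set_of_privs}} from bib_access.txt content."""
    access = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        bib, entries = line.split(":", 1)      # bibname:user*privs,user*privs
        grants = access.setdefault(bib, {})
        for entry in entries.split(","):
            user, privs = entry.split("*", 1)
            grants[user] = set(privs)
    return access

def audit(users, access):
    """Return a list of findings that deserve a manual review."""
    findings = [f"{name}: administrator (all privileges)"
                for name, is_admin in sorted(users.items()) if is_admin]
    for bib, grants in sorted(access.items()):
        for user, privs in sorted(grants.items()):
            if user not in users:
                findings.append(f"{bib}: grant to unknown user {user}")
            if privs - VALID_PRIVS:
                findings.append(f"{bib}: {user} has unknown flags {sorted(privs - VALID_PRIVS)}")
            if "d" in privs:
                findings.append(f"{bib}: {user} may delete references")
    return findings

# Constructed sample input (HASH1/HASH2 stand in for crypted passwords).
SAMPLE_USERS = "testuser:HASH1,0\nadmin:HASH2,1\n"
SAMPLE_ACCESS = ("abibliography:testuser*m,anotheruser*adm\n"
                 "anotherbiblio:testuser*adm,anotheruser*ax\n")

if __name__ == "__main__":
    for finding in audit(parse_users(SAMPLE_USERS), parse_access(SAMPLE_ACCESS)):
        print(finding)
```

On the constructed sample it reports the administrator account, the grants to anotheruser (who has no entry in the users file), the unknown flag x, and every user allowed to delete references.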
    

User preferences are stored in the folder data/auth_files. Consequently, this folder must be writable by the web server. For instance, you can change the group of the directory to that of your web server and make it writable by this group.

chgrp www-data data/auth_files
chmod g+w data/auth_files

Finally, to secure the installation, prevent access to these files by uncommenting the following lines in the .htaccess file:

<Files bib_*.txt>
   Deny from all
</Files>
<Files pref_*.txt>
   Deny from all
</Files>