This question about Configuration: Answered

Best practice to lock down the Main web

With the default configuration, non-admin users are allowed to modify some pages in the Main web (e.g. AdminUserLeftBar or WikiGroups) and create new pages.

What is the best practice to lock down the Main web for modification?

(To see what happens if e.g. the WikiGroups page is writable by normal users, see http://www.foswiki.org/Main/WikiGroups?rev=5 - note the Chinese letters at the bottom of the page)

-- ChristianDHeureuse - 02 Sep 2011

Some core Foswiki developers are of the opinion that the "normal" Foswiki installation is behind a firewall, on a company intranet, where locking down the wiki "out-of-the-box" might only serve to prevent the success of this kind of wiki in that situation. We deliberately run foswiki.org with "out-of-the-box" ACLs, to, as they say, "eat our own dogfood".

So, I started the Development.SecurityChecklists discussion, so that we can consider a solution or at least some sort of configuration guide/checklist for those of us running public wikis who don't want to constantly weed out wiki spam. I would be very grateful if you could contribute to that discussion.

To more specifically answer your question, you do need to configure the WebPreferences in every (root/top-level) web, including Main web, with the desired ACLs appropriate for your installation.

I use a kind of "AcceptedGroup", which is given WEBCHANGE permission in Sandbox and Main webs.

I don't add people to this group directly; "AcceptedGroup" simply contains all other WikiGroups. So membership of "AcceptedGroup" is via one of the other (usually project/theme related) WikiGroups.

Newly registered users are not members of any group at first, so they are unable to modify topics in Main or Sandbox.

A new user must contact a member of the research group they're interested in collaborating with (or they contact a site admin with this information), at which point they are added to one of the WikiGroups (and, by extension, the AcceptedGroup).

If you lock down the users web (Main), you do need to list RegistrationAgent in Main.WebPreferences ALLOWWEBCHANGE so that the registration agent can create new user topics.

See also Question744

I hope that helps. Please contribute to Development.SecurityChecklists to help us improve this aspect of Foswiki.

-- PaulHarvey - 04 Sep 2011
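The scheme described in the answer above (ALLOWWEBCHANGE in Main.WebPreferences naming a group that only contains other groups, plus RegistrationAgent), as an added, simplified model of the web-level change check. This is illustration code, not Foswiki's own access-control implementation; the preference text, group names and user names are constructed, and DENY settings and topic-level overrides are deliberately left out.

```python
import re

# Constructed Main.WebPreferences fragment (assumed names, not foswiki.org's real settings).
MAIN_WEB_PREFERENCES = """
   * Set ALLOWWEBCHANGE = Main.AcceptedGroup, Main.RegistrationAgent
   * Set ALLOWWEBRENAME = Main.AdminGroup
"""

# Constructed group topics in the Main web. AcceptedGroup lists only other groups,
# so membership is inherited from the project groups, as the answer describes.
GROUP_TOPICS = {
    "AcceptedGroup": "   * Set GROUP = Main.ProjectAGroup, Main.ProjectBGroup",
    "ProjectAGroup": "   * Set GROUP = Main.AliceUser",
    "ProjectBGroup": "   * Set GROUP = Main.BobUser",
    "AdminGroup": "   * Set GROUP = Main.AdminUser",
}

# Matches Foswiki preference lines of the form "   * Set NAME = value, value".
SET_RE = re.compile(r"^\s*\* Set (\w+) = (.*)$", re.MULTILINE)


def parse_settings(text):
    """Map setting name -> list of values with the 'Main.' web prefix stripped."""
    return {name: [v.strip().split(".")[-1] for v in value.split(",") if v.strip()]
            for name, value in SET_RE.findall(text)}


def expand_group(name, groups, seen=None):
    """Return the set of users in a group, following nested groups (cycle-safe)."""
    seen = seen or set()
    if name in seen:
        return set()
    seen.add(name)
    members = set()
    for member in parse_settings(groups.get(name, "")).get("GROUP", []):
        if member.endswith("Group"):
            members |= expand_group(member, groups, seen)
        else:
            members.add(member)
    return members


def may_change_web(user, web_prefs, groups):
    """Simplified web-level CHANGE check: admins always pass; an ALLOWWEBCHANGE
    list restricts changes to the listed users and (nested) group members;
    no ALLOWWEBCHANGE at all is the open default the question complains about."""
    if user in expand_group("AdminGroup", groups):
        return True
    allowed = parse_settings(web_prefs).get("ALLOWWEBCHANGE")
    if not allowed:
        return True
    return any(entry == user or (entry.endswith("Group") and user in expand_group(entry, groups))
               for entry in allowed)
```

A freshly registered user (not yet in any project group) is denied, a project-group member is allowed through AcceptedGroup, and RegistrationAgent keeps the right to create user topics.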

QuestionForm

Subject: Configuration
Extension:
Version:
Status: Answered
Related Topics: SecurityChecklists
Topic revision: r2 - 04 Sep 2011, PaulHarvey