This question about Configuration: Answered
Best practice to lock down the Main web
With the default configuration, non-admin users are allowed to modify some pages in the Main web (e.g. AdminUserLeftBar) and create new pages.
What is the best practice to lock down the Main web for modification?
(To see what happens if e.g. the WikiGroups page is writable by normal users, see http://www.foswiki.org/Main/WikiGroups?rev=5 - note the Chinese letters at the bottom of the page)
- 02 Sep 2011
Some core Foswiki developers are of the opinion that the "normal" Foswiki installation is behind a firewall, on a company intranet, where locking down the wiki "out-of-the-box" might only serve to prevent the success of this kind of wiki in that situation. We deliberately run foswiki.org with "out-of-the-box" ACLs, to, as they say, "eat our own dogfood".
So, I started the Development.SecurityChecklists discussion, so that we can consider a solution or at least some sort of configuration guide/checklist for those of us running public wikis who don't want to constantly weed out wiki spam. I would be very grateful if you could contribute to that discussion.
To more specifically answer your question, you do need to configure the WebPreferences in every (root/top-level) web, including the Main web, with the desired ACLs appropriate for your installation.
I use a kind of "AcceptedGroup", which is given WEBCHANGE permission in Sandbox and Main webs.
I don't add people to this group directly; "AcceptedGroup" simply contains all other WikiGroups. So membership of "AcceptedGroup" is via one of the other (usually project/theme related) WikiGroups.
Newly registered users are not members of any group at first, so they are unable to modify topics in Main or Sandbox.
A new user must contact a member of the research group they're interested in collaborating with (or they contact a site admin, with this information), at which point they are added to one of the WikiGroups (and, by extension, the AcceptedGroup).
If you lock down the users web (Main), you do need to list RegistrationAgent so that the registration agent can create new user topics.
See also Question744
I hope that helps. Please contribute to Development.SecurityChecklists to help us improve this aspect of Foswiki.
- 04 Sep 2011
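The following is an added example, not part of the question or the answer above and not Foswiki's own shipped configuration. It shows the preference settings the answer describes: a Main/WebPreferences that grants WEBCHANGE only to admins, an "AcceptedGroup" and the RegistrationAgent, plus the AcceptedGroup topic that contains the other groups rather than individual users. The group names Main.ProjectAGroup and Main.ProjectBGroup are assumed placeholders; the ACL variable names, the three-space bullet syntax and Main.RegistrationAgent are standard Foswiki.

```tml
---+ Main.WebPreferences (excerpt, example settings)

Only admins, members of the accepted group and the registration agent may change topics in this web.
Main.RegistrationAgent is the pseudo-user that creates new user topics, so it must be listed here.
   * Set ALLOWWEBCHANGE = Main.AdminGroup, Main.AcceptedGroup, Main.RegistrationAgent
   * Set ALLOWWEBRENAME = Main.AdminGroup

Keep this preferences topic itself admin-only, so an accepted user cannot loosen the web ACL.
   * Set ALLOWTOPICCHANGE = Main.AdminGroup

---+ Main.AcceptedGroup (example group topic)

No individual users here: membership comes from the project/theme groups (placeholder names).
Foswiki resolves nested groups, so adding a user to ProjectAGroup makes them a member of AcceptedGroup.
   * Set GROUP = Main.ProjectAGroup, Main.ProjectBGroup

Only admins may edit the group definition, otherwise any member could add arbitrary groups.
   * Set ALLOWTOPICCHANGE = Main.AdminGroup

---+ Main.WikiGroups (example topic-level ACL)

The web-level ALLOWWEBCHANGE still lets accepted users edit this index page; restrict it separately.
   * Set ALLOWTOPICCHANGE = Main.AdminGroup
```

Topic-level ALLOWTOPICCHANGE overrides the web-level ALLOWWEBCHANGE for that one topic, which is why the group topics and WikiGroups get their own admin-only setting: the web ACL decides who may create and edit ordinary topics, while the topics that define the ACLs themselves stay out of reach of the group they govern.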