Priority: Normal
Current State: Closed
Released In: n/a
Target Release:
I was just browsing a site as guest where SKIN=metacomment,pattern and every topic has the comment editbox stuff on it.
when guest types and clicks submit, they get the 'submitting' modal, and behind it they see the templatelogin ui
so a user gets the ui, even on docco topics in System web - which we really don't want to have the .txt files modified on - clearly, this breaks the topic ACLs as the .txt file is modified - which imo really just needs to be spelt out very clearly in the plugin docco.
how do you like the irony of:
<!-- Do _not_ attempt to edit this topic; it is auto-generated. -->
META:COMMENT{name="1.1371130184" author="WikiGuest" date="1371130184" fingerPrint="f96cc30f3e6e13d3a4d02d947843c246" modified="1371130184" ref="" state="new, approved" text="testing" title="testing"}
--
SvenDowideit - 13 Jun 2013
See Extensions.MetaCommentPlugin#Permissions
--
MichaelDaum - 13 Jun 2013
indeed, I did read that, and it does not indicate that by default, adding MetaCommentPlugin to your site enables the guest user to modify any topic.
--
SvenDowideit - 13 Jun 2013
I'll add a
$Foswiki::cfg{MetaCommentPlugin}{AnonymousCommenting} = 0;
... which extends the allow-comment check in case the user isn't authenticated yet. If switched off (default), anonymous commenting is disabled. So you explicitly have to switch it on to open the site in that respect. Normal acl checks for 'COMMENT' still apply as expected.
Means:
- you can't have anonymous commenting using acls unless you switch on the {AnonymousCommenting} flag
- when {AnonymousCommenting} is switched on, you still can deny anonymous commenting using acls
--
MichaelDaum - 13 Aug 2013
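An audit sketch for the situation reported above, added here as an example and not code from MetaCommentPlugin or Foswiki: it parses META:COMMENT lines of the form quoted in the report and lists the topics whose .txt text holds comments authored by WikiGuest, noting whether the topic carries the auto-generated marker. The topic names and the second comment are constructed, and the percent-sign wrapping of meta lines on disk is assumed from Foswiki's topic format.

```python
import re

# Foswiki wraps meta lines in percent signs on disk; the report shows the
# line without them, so both forms are accepted.
META_COMMENT = re.compile(r'^%?META:COMMENT\{(?P<attrs>.*)\}%?\s*$', re.M)
ATTR = re.compile(r'(\w+)="([^"]*)"')
AUTOGEN = "Do _not_ attempt to edit this topic; it is auto-generated."

def parse_comments(topic_text):
    """Return one dict of attributes per META:COMMENT line in a topic."""
    return [dict(ATTR.findall(m.group("attrs")))
            for m in META_COMMENT.finditer(topic_text)]

def guest_comments(topic_text, guest="WikiGuest"):
    """Comments whose author is the unauthenticated guest user."""
    return [c for c in parse_comments(topic_text) if c.get("author") == guest]

def audit(topics, guest="WikiGuest"):
    """Map topic name -> finding; `topics` maps a name to its raw .txt text."""
    findings = {}
    for name, text in topics.items():
        hits = guest_comments(text, guest)
        if hits:
            findings[name] = {
                "comments": [c.get("name") for c in hits],
                "states": [c.get("state") for c in hits],
                "auto_generated": AUTOGEN in text,
            }
    return findings

# Constructed sample: the first META line is the one quoted in the report;
# the second comment and both topic names are made up for the example.
SAMPLE = {
    "System.SomeGeneratedTopic": (
        "<!-- Do _not_ attempt to edit this topic; it is auto-generated. -->\n"
        '%META:COMMENT{name="1.1371130184" author="WikiGuest" date="1371130184" '
        'fingerPrint="f96cc30f3e6e13d3a4d02d947843c246" modified="1371130184" '
        'ref="" state="new, approved" text="testing" title="testing"}%\n'
    ),
    "Main.SomeDiscussion": (
        'META:COMMENT{name="1.1371130999" author="ExampleUser" '
        'date="1371130999" state="new" text="hello" title=""}\n'
    ),
}

if __name__ == "__main__":
    for topic, finding in audit(SAMPLE).items():
        print(topic, finding)
```

To audit a real installation, build the `topics` mapping from the .txt files of the webs that should never take guest writes.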