Foswiki > Tasks Web > Item13386 (05 Jul 2015, GeorgeClark)

Item13386: {LoginManager} = 'none' applies ACL checks, locks user out of configure, and faults if bin/login accessed.

Priority: Normal
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component: AccessControl
Branches: master
Reported By: JozefMojzis
Waiting For:
Last Change By: GeorgeClark

How to reproduce

  1. Bootstrap
    • create a fresh installation of Foswiki
    • bootstrap it (I'm using tools/lighttpd.pl for testing)
    • set the internal admin password
    • save
    • check the working wiki
    • quit the browser
  2. Reconfig
    • in the configure -> Security -> Login
    • set the {LoginManager} to none
    • save
  3. try the result
    • can't create any topic, nor edit any (the CHANGE access is missing for WikiGuest)
    • can't access configure to restore it
    • completely locked out - need to manually restore LocalSite.cfg from the shell
  4. the needs
    • warn the user about the ACL for WikiGuest, because he can't edit any of his old topics
    • somehow allow access to configure

-- JozefMojzis - 26 Apr 2015

The setting of "none" is documented as allowing full access with no restrictions.
  • none - Don't support logging in, all users have access to everything.

  1. Foswiki::Configure::Auth should just return and not throw any errors if LoginManager is set to 'none'.
  2. Foswiki::Access::TopicACLAccess should allow all access when LoginManager is set to 'none'.

TopicACLReadOnlyAccess should probably still enforce read-only.

Note there is another related error: bin/login script throws an error:
Foswiki detected an internal error - please check your Foswiki logs and webserver logs for more information.

Can't locate object method "login" via package "Foswiki::LoginManager"

-- GeorgeClark - 26 Apr 2015
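
A small Perl model of the behaviour proposed in the comment above, added here as an example; it is not Foswiki source and not taken from the checkins for this task. The `Toy::LoginManager` package, the function names and the `AccessImpl` key are hypothetical, and the ACL and user names are constructed sample data.

```perl
#!/usr/bin/env perl
# Added illustration, not Foswiki source: toy model of the proposed behaviour.
# Package, function and key names below are hypothetical.
use strict;
use warnings;

# Constructed sample configuration and topic ACL.
my %cfg = ( LoginManager => 'none', AccessImpl => 'TopicACLAccess' );
my %acl = ( ALLOWTOPICCHANGE => ['AdminUser'] );

# Stand-in for a base login manager class that defines no login() method.
package Toy::LoginManager {
    sub new { my $class = shift; return bless {}, $class }
}

# Topic access decision. With LoginManager 'none' nobody can authenticate,
# so ACLs are skipped; a read-only implementation still refuses writes.
sub have_access {
    my ( $mode, $user ) = @_;
    my $read_only = $cfg{AccessImpl} eq 'TopicACLReadOnlyAccess';
    return 0 if $read_only && $mode ne 'VIEW';
    return 1 if $cfg{LoginManager} eq 'none';
    my $allowed = $acl{"ALLOWTOPIC$mode"} or return 1;    # no rule: allow
    return ( grep { $_ eq $user } @$allowed ) ? 1 : 0;
}

# configure authorisation: return quietly instead of throwing when there
# is no login manager to authenticate against.
sub configure_auth_ok {
    my ($user) = @_;
    return 1 if $cfg{LoginManager} eq 'none';
    return $user eq 'AdminUser' ? 1 : 0;
}

# bin/login dispatch: test for the method before calling it, so a missing
# login() yields a message rather than "Can't locate object method".
sub run_login {
    my $mgr = Toy::LoginManager->new;
    return 'login not supported' unless $mgr->can('login');
    return $mgr->login;
}

# Compare a normal login manager with 'none' for both access implementations.
for my $lm (qw(TemplateLogin none)) {
    for my $impl (qw(TopicACLAccess TopicACLReadOnlyAccess)) {
        @cfg{qw(LoginManager AccessImpl)} = ( $lm, $impl );
        printf "%-13s %-22s VIEW=%d CHANGE=%d configure=%d login=%s\n",
          $lm, $impl, ( map { have_access( $_, 'WikiGuest' ) } qw(VIEW CHANGE) ),
          configure_auth_ok('WikiGuest'), run_login();
    }
}
```

The `TemplateLogin` rows show the ACL denying CHANGE to WikiGuest, which is the lockout described in the report when the same check is applied under 'none'.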
 

ItemTemplate

Summary {LoginManager} = 'none' applies ACL checks, locks user out of configure, and faults if bin/login accessed.
ReportedBy JozefMojzis
Codebase 1.2.0 beta1, 1.1.9, trunk
SVN Range
AppliesTo Engine
Component AccessControl
Priority Normal
CurrentState Closed
WaitingFor
Checkins distro:3a0c76f91d74 distro:3fd6f1804fa1
TargetRelease major
ReleasedIn 2.0.0
CheckinsOnBranches master
trunkCheckins
masterCheckins distro:3a0c76f91d74 distro:3fd6f1804fa1
ItemBranchCheckins
Release01x01Checkins
Topic revision: r4 - 05 Jul 2015, GeorgeClark - This page was cached on 21 Mar 2018 - 20:21.
