
Item14628: InstallationGuidePart2 still recommends editing topics in the System web.

Priority: Security
Current State: No Action Required
Released In: n/a
Target Release: minor
Applies To: Engine
Reported By: GeorgeClark
Waiting For:
Last Change By: MichaelDaum
We still have issues with not shadowing topics into the Users web.

  • Very first bullet on tailoring your web site look & feel says to edit ChangePassword, ResetPassword and ChangeEmailAddress.
  • Pattern skin includes "!System.WebTopBar System.WebTopBarExample". It should probably also allow a Usersweb based override.
  • Bottom bar: same situation, tailored by a topic in the System web.

Actually I'm changing this to a security task. The concept of including any topic from the user writeable Usersweb in preference to a System topic should not be used. If the admin has NOT overridden these topics, then any user can create a topic in Usersweb to replace or deface the topic. This is particularly bad with UserRegistration in that it could be used to capture or alter registrations.

As a minimal change, anything that overrides a System topic with a Usersweb topic should be changed. Either we keep the system configuration in the System web or consider a new "admin-only" Local/System web or something like that. But for security purposes, we should find and eliminate the Usersweb overrides ASAP.

This probably needs a feature proposal.

-- GeorgeClark - 15 Feb 2018
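An added illustration of the resolution-order problem described in the comment above (example code written for this page, not Foswiki's own implementation): a toy include resolver that walks a search path of webs, shown once with the user-writable web shadowing System and once hardened so that only an admin-only web may override a System topic. The web names, the ACL model and the function names are constructed assumptions.

```python
# Constructed model (not Foswiki code) of topic-include resolution across webs.
# Shows why letting a user-writable web shadow the System web is unsafe and how
# an admin-only override web ("LocalSystem", an assumed name) avoids it.
from dataclasses import dataclass, field

@dataclass
class Web:
    name: str
    writers: set                                 # groups allowed to edit topics (constructed ACL)
    topics: dict = field(default_factory=dict)   # topic name -> author of current revision

ADMIN_ONLY = {"AdminGroup"}                      # assumed admin group name

def resolve_include(topic, search_path, require_admin_writable=False):
    """Return (web name, author) of the first web in search_path holding `topic`.

    With require_admin_writable=True, a candidate web is honoured only when
    every group able to write to it is an admin group, so a non-admin user
    cannot shadow a System topic by creating a same-named topic elsewhere.
    """
    for web in search_path:
        if topic not in web.topics:
            continue
        if require_admin_writable and not web.writers <= ADMIN_ONLY:
            continue        # user-writable web: ignore the override, keep searching
        return web.name, web.topics[topic]
    return None

def build_site():
    """Constructed site: a non-admin has already created a shadow topic in Users."""
    system = Web("System", writers=ADMIN_ONLY, topics={"UserRegistration": "AdminUser"})
    users = Web("Users", writers={"AdminGroup", "RegisteredUsers"},
                topics={"UserRegistration": "MalloryUser"})   # defaced copy by a normal user
    local = Web("LocalSystem", writers=ADMIN_ONLY, topics={})   # admin-only override web
    return system, users, local

def unsafe_lookup(topic):
    """Current behaviour under discussion: Users web wins over System."""
    system, users, _ = build_site()
    return resolve_include(topic, [users, system])

def hardened_lookup(topic, admin_override=False):
    """Hardened order: only admin-writable webs may replace a System topic."""
    system, users, local = build_site()
    if admin_override:
        local.topics[topic] = "AdminUser"        # legitimate admin customisation
    return resolve_include(topic, [local, users, system], require_admin_writable=True)

if __name__ == "__main__":
    print("unsafe:  ", unsafe_lookup("UserRegistration"))
    print("hardened:", hardened_lookup("UserRegistration"))
```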

Not sure this is going to be addressed on 2.1.x branch. Rescheduling it to 2.2.x (master atm) as this code has been rewritten a lot in there.

-- MichaelDaum - 25 May 2020

We should rewrite those apps using view templates instead of INCLUDEs and shadow topics, so that people can simply switch the cover/skin to customize.

-- MichaelDaum - 08 Jul 2021

Codebase: trunk
SVN Range:
Topic revision: r3 - 08 Jul 2021, MichaelDaum