Item14628: InstallationGuidePart2 still recommends editing topics in the System web.
Priority: Security
Current State: No Action Required
Released In: n/a
Target Release: minor
Applies To: Engine
Component:
Branches:
We still have issues with not shadowing topics into the Users web.
- Very first bullet on tailoring your web site look & feel says to edit ChangePassword, ResetPassword and ChangeEmailAddress.
- Pattern skin includes "!System.WebTopBar System.WebTopBarExample". It should probably also allow a Usersweb based override.
- Bottom bar same situation - Tailored by a topic in the System web.
Actually I'm changing this to a security task. The concept of including any topic from the user writeable Usersweb in preference to a System topic should not be used. If the admin has NOT overridden these topics, then any user can create a topic in Usersweb to replace or deface the topic. This is particularly bad with UserRegistration in that it could be used to capture or alter registrations.
As a minimal change, anything that overrides a System topic with a Usersweb topic should be changed. Either we keep the system configuration in the System web or consider a new "admin-only" Local/System web or something like that. But for security purposes, we should find and eliminate the Usersweb overrides ASAP.
This probably needs a feature proposal.
--
GeorgeClark - 15 Feb 2018
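An audit for the exposure described in the comment above, as an added example that is not part of the original task or of Foswiki's own code. It assumes the default on-disk store (`data/<Web>/<Topic>.txt`), a Users web named `Main`, and a topic list taken from the names mentioned in this task; it checks topic-level `ALLOWTOPICCHANGE` only and does not evaluate web-level settings.

```python
import re
import tempfile
from pathlib import Path

# Assumed list, taken from the topics named in this task; adjust for your site.
OVERRIDE_TOPICS = ["UserRegistration", "ChangePassword", "ResetPassword",
                   "ChangeEmailAddress"]

# ALLOWTOPICCHANGE set either as a bullet preference or as a META:PREFERENCE line.
BULLET = re.compile(r"^(?:\t| {3})+\* Set ALLOWTOPICCHANGE[ \t]*=[ \t]*(\S.*)$", re.M)
META = re.compile(r'^%META:PREFERENCE\{[^}]*name="ALLOWTOPICCHANGE"[^}]*value="([^"]+)"', re.M)


def audit_users_web(data_dir, users_web="Main", topics=OVERRIDE_TOPICS):
    """Return {topic: status} where status is 'unclaimed', 'open' or 'restricted'."""
    report = {}
    for topic in topics:
        path = Path(data_dir) / users_web / f"{topic}.txt"
        if not path.is_file():
            # No admin copy exists, so the name is free for whoever can create topics.
            report[topic] = "unclaimed"
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        match = BULLET.search(text) or META.search(text)
        # A copy without a non-empty ALLOWTOPICCHANGE relies on web-level rules only.
        report[topic] = "restricted" if match and match.group(1).strip() else "open"
    return report


def build_sample(root):
    """Constructed sample data directory, for demonstration only."""
    web = Path(root) / "Main"
    web.mkdir(parents=True)
    (web / "UserRegistration.txt").write_text(
        '%META:TOPICINFO{author="AdminUser" version="1"}%\n'
        '%INCLUDE{"%SYSTEMWEB%.UserRegistration"}%\n'
        '%META:PREFERENCE{name="ALLOWTOPICCHANGE" title="ALLOWTOPICCHANGE" '
        'type="Set" value="AdminGroup"}%\n')
    (web / "ChangePassword.txt").write_text("Customised text\n")
    (web / "ResetPassword.txt").write_text("Text\n\n   * Set ALLOWTOPICCHANGE = AdminGroup\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for topic, status in audit_users_web(build_sample(tmp)).items():
            print(f"{topic:20} {status}")
```

Topics reported as `unclaimed` or `open` are the ones to review first: create an admin-owned copy or restrict the existing one.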
Not sure this is going to be addressed on 2.1.x branch. Rescheduling it to 2.2.x (master atm) as this code has been rewritten a lot in there.
--
MichaelDaum - 25 May 2020
We should rewrite those apps using view templates instead of INCLUDEs and shadow topics. So people can simply switch the cover/skin to customize.
--
MichaelDaum - 08 Jul 2021