Item2395: Shipped WebPreference topics default to over-riding ACL's with insecure choices (wrong assumption in this bug report)

Priority: Enhancement
Current State: No Action Required
Released In: n/a
Target Release: minor
Applies To: Engine
Reported By: SvenDowideit
Waiting For:
Last Change By: KennethLavrsen
If an admin sets DENYWEBVIEW=WikiGuest in the Main.SitePreferences, this is overridden by the shipped settings in the Main, Sandbox and System webs, as their WebPreferences topic contains Set DENYWEBVIEW=.

This is a poor default, as it assumes that the user wants those webs to be
  1. indexed by Google etc
  2. reduces the choices admins have, as we strongly discourage modifying shipped topics.

There is still text saying "Remove the # to enable any of these settings", but the #'s appear to have been removed.

There seems to be something odd and worrying going on, in that if I remove the ACL settings from the Sandbox web prefs, it is not denying view to guest, even though that is set to DENYWEBVIEW in the SitePreferences.

Additionally, how to deny view access to the Main web, while still using it to set the defaults? - OK, so maybe that is the problem?

-- SvenDowideit - 22 Nov 2009

I think you are requesting a new feature here.

The SitePreferences setting has never been able to set access rights globally. It is always per web. I.e. you have to define the access in all webs.

If we want to add this it is a new feature and we better think carefully how this will interact with all other access settings people may be using in practical life.

Please limit any activity around this to trunk.

-- KennethLavrsen - 25 Nov 2009

Well, it turns out that I actually uncovered an existing and undocumented functionality - I might merge that docco commit to 1.0.8 - I'm still mulling over the consequences..

I'm certainly not proposing we change the code in 1.0.x - unless there really is an insecurity.

-- SvenDowideit - 25 Nov 2009

I just verified my original assumption.

You cannot define DENYWEBANYTHING in Default- or SitePreferences. I just tried. It does not work.

Unfortunately I did not see the checkin you did, so this has confused the hell out of people lately, because the AccessControl says that DENYWEB.. is inherited from site wide preferences, but when they try in practice it has no effect.

I have removed the added text and will do further editing.

And I put this item in No Action.

-- KennethLavrsen - 25 Nov 2010
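
An added example, not part of the original thread and not Foswiki's own code: since the thread concludes that a DENYWEB.. setting in SitePreferences has no effect and access has to be defined in each web, this script classifies each web's WebPreferences text by whether it carries a non-empty ALLOWWEBVIEW or DENYWEBVIEW of its own. The topic texts are constructed samples; the `#Set` form of a disabled setting and "a later line replaces an earlier one" are assumptions.

```python
import re

# Preference bullet: indentation in units of three spaces (or tabs), "*", "Set NAME = value".
# Assumption: a "#" directly before "Set" marks a disabled setting ("Remove the # to enable").
SETTING = re.compile(
    r"^(?:\t| {3})+\*[ \t]+(#?)Set[ \t]+(\w+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M
)
VIEW_KEYS = ("ALLOWWEBVIEW", "DENYWEBVIEW")


def web_view_acl(prefs_text):
    """Return the active web-level view settings found in one WebPreferences text."""
    acl = {}
    for disabled, name, value in SETTING.findall(prefs_text):
        if not disabled and name in VIEW_KEYS:
            acl[name] = value  # assumption: a later line replaces an earlier one
    return acl


def view_status(prefs_text):
    """'restricted' = non-empty ACL, 'empty' = set but blank, 'unset' = not present."""
    acl = web_view_acl(prefs_text)
    if any(acl.values()):
        return "restricted"
    return "empty" if acl else "unset"


def audit(webs):
    """Map web name -> status for every web that does not restrict view itself."""
    report = {}
    for web, text in webs.items():
        status = view_status(text)
        if status != "restricted":
            report[web] = status
    return report


# Constructed sample topic texts (not copied from a real installation).
SAMPLE_WEBS = {
    "Sandbox": "---++ Access control\n   * Set DENYWEBVIEW =\n   * Set ALLOWWEBVIEW =\n",
    "Main": "   * #Set DENYWEBVIEW = WikiGuest\n",
    "Private": "   * Set DENYWEBVIEW = WikiGuest\n   * Set ALLOWWEBCHANGE = AdminGroup\n",
}

if __name__ == "__main__":
    for web, status in audit(SAMPLE_WEBS).items():
        print(f"{web}: view ACL {status} in WebPreferences")
```
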

ItemTemplate

Summary Shipped WebPreference topics default to over-riding ACL's with insecure choices (wrong assumption in this bug report)
ReportedBy SvenDowideit
Codebase 1.0.7, trunk
SVN Range Foswiki-1.0.7, Sun, 20 Sep 2009, build 5061
AppliesTo Engine
Priority Enhancement
CurrentState No Action Required
Checkins distro:915d9088893d
TargetRelease minor
ReleasedIn n/a
Topic revision: r5 - 25 Nov 2010, KennethLavrsen
