You are here: Foswiki>Tasks Web>Item8601 (13 Dec 2017, GeorgeClark)Edit Attach

Item8601: registration may fail when the Main and/or system webs are restricted to prevent viewing by the guest user.

pencil
Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: major
Applies To: Engine
Component: AccessControl, TopicUserMappingContrib
Branches:
Reported By: SvenDowideit
Waiting For:
Last Change By: GeorgeClark
reported in http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item6398 , with a 'resolution' that can't be considered anything but a very bad idea - suspension of ACL's will allow other non-guest leaks of form definition.

Sven will have to write a little code, and a little docco.

-- SvenDowideit - 22 Feb 2010

Forgive my ignorance, but in such a situation, why couldn't the user form simply be given less strict topic permissions?

-- PaulHarvey - 22 Feb 2010

I was going to ask the same question. There is a lack of information in this report that makes it impossible for anyone else other than Sven to deal with it, so making for his feedback.

-- CrawfordCurrie - 18 Apr 2010

For me this is a simple documentation thing.

I think the (tm)wiki solution is silly.

-- KennethLavrsen - 18 Jul 2010

first up, I don't think the (tm)wiki solution is anything other than a lame security hole that someone will find a way to drive their truck through.

but I wondered if there was something we could do to achieve what some of our users do want - a way to allow registration, without allowing guests access to any of the customized parts of the site.

eg - the guest would only be able to see the System web..

We've come part of the way, and when I read the tmwiki report, i wondered if we could do it properly.

tbh, this is the kind of thing i created the RegistrationAgent user for - but that said, in a quick test, it works already :/

but that said, imo this deserves an automated test to it continues to work in 10 years time. (which is why the task is set for me smile )

wrinkles

  1. if you try to set DENYWEBVIEW=guest in SitePreferences, adding it to FINALPREFERENCES doesn't appear to work - which means an admin attempting this will need to change every web..
    • including the System web's preferences
    • but then again, the the rego topic is now so much more complex, and so locking down System web becomes painful - you have to open up all the INCLUDEd topics..

-- SvenDowideit - 22 Jul 2010

and in http://irclogs.foswiki.org/bin/irclogger_log/foswiki?date=2010-07-22,Thu&sel=201#l197

we see a user try to set DENYWEB in SitePreferences - and finding that it doesn't work.

this may well be something that we should change in 1.1 - as its the obvious approach.

-- SvenDowideit - 22 Jul 2010

I guess adding DENYWEB and ALLOWWEB to be possible in Default and SitePreferences is something that could cause surprises. It is an enhancement to the current spec.

I would raise a feature proposal for it targetting 1.2.

I support the idea. I am one that runs with DENYWEBVIEW for WikiGuest so that people have to login before they can see or do anything - including registration. So I have to remember to put a DENY setting in all WebPreferences. I would welcome such an exhancement.

But I will gladly wait from 1.2 instead of risking trouble.

And to those that wonder how you can block registration to guests. You can when do not use the Foswiki password manager. People login using mod_ldap authentication using their corporate login. And all the registration does is to add them to the TopicUserMapping so they get their login mapped to a nice WikiName.

-- KennethLavrsen - 23 Jul 2010

So are you saying this is not a release blocker for 1.1?

/me is trying to get a picture of what needs doing, and what doesn't

-- CrawfordCurrie - 28 Jul 2010

Yes that is what I am saying.

Changing to a normal priority and assigning to major

-- KennethLavrsen - 28 Jul 2010

Setting to No Action. Registration works fine on Foswiki 2.1.4+ works fine with System and Main webs view restricted.

-- GeorgeClark - 13 Dec 2017
 

ItemTemplate edit

Summary registration may fail when the Main and/or system webs are restricted to prevent viewing by the guest user.
ReportedBy SvenDowideit
Codebase 1.0.9, trunk
SVN Range
AppliesTo Engine
Component AccessControl, TopicUserMappingContrib
Priority Normal
CurrentState No Action Required
WaitingFor
Checkins
TargetRelease major
ReleasedIn n/a
CheckinsOnBranches
trunkCheckins
masterCheckins
ItemBranchCheckins
Release02x01Checkins
Release02x00Checkins
Release01x01Checkins
Topic revision: r12 - 13 Dec 2017, GeorgeClark - This page was cached on 16 May 2020 - 09:48.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy