Item8601: registration may fail when the Main and/or system webs are restricted to prevent viewing by the guest user.
Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: major
Reported in http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item6398 , with a 'resolution' that can't be considered anything but a very bad idea - suspension of ACLs will allow other non-guest leaks of form definition.
Sven will have to write a little code, and a little docco.
--
SvenDowideit - 22 Feb 2010
Forgive my ignorance, but in such a situation, why couldn't the user form simply be given less strict topic permissions?
--
PaulHarvey - 22 Feb 2010
I was going to ask the same question. There is a lack of information in this report that makes it impossible for anyone else other than Sven to deal with it, so marking for his feedback.
--
CrawfordCurrie - 18 Apr 2010
For me this is a simple documentation thing.
I think the (tm)wiki solution is silly.
--
KennethLavrsen - 18 Jul 2010
first up, I don't think the (tm)wiki solution is anything other than a lame security hole that someone will find a way to drive their truck through.
but I wondered if there was something we could do to achieve what some of our users do want - a way to allow registration, without allowing guests access to any of the customized parts of the site.
eg - the guest would only be able to see the System web..
We've come part of the way, and when I read the tmwiki report, I wondered if we could do it properly.
tbh, this is the kind of thing I created the RegistrationAgent user for - but that said, in a quick test, it works already :/
but that said, imo this deserves an automated test so it continues to work in 10 years' time. (which is why the task is set for me)
wrinkles
- if you try to set DENYWEBVIEW=guest in SitePreferences, adding it to FINALPREFERENCES doesn't appear to work - which means an admin attempting this will need to change every web..
- including the System web's preferences
- but then again, the rego topic is now so much more complex, and so locking down System web becomes painful - you have to open up all the INCLUDEd topics..
--
SvenDowideit - 22 Jul 2010
and in http://irclogs.foswiki.org/bin/irclogger_log/foswiki?date=2010-07-22,Thu&sel=201#l197 we see a user try to set DENYWEB in SitePreferences - and finding that it doesn't work.
this may well be something that we should change in 1.1 - as it's the obvious approach.
--
SvenDowideit - 22 Jul 2010
I guess adding DENYWEB and ALLOWWEB to be possible in Default and SitePreferences is something that could cause surprises. It is an enhancement to the current spec.
I would raise a feature proposal for it targeting 1.2.
I support the idea. I am one that runs with DENYWEBVIEW for WikiGuest so that people have to log in before they can see or do anything - including registration. So I have to remember to put a DENY setting in all WebPreferences. I would welcome such an enhancement.
But I will gladly wait for 1.2 instead of risking trouble.
And to those that wonder how you can block registration to guests. You can when you do not use the Foswiki password manager. People log in using mod_ldap authentication using their corporate login. And all the registration does is to add them to the TopicUserMapping so they get their login mapped to a nice WikiName.
--
KennethLavrsen - 23 Jul 2010
So are you saying this is not a release blocker for 1.1?
/me is trying to get a picture of what needs doing, and what doesn't
--
CrawfordCurrie - 28 Jul 2010
Yes that is what I am saying.
Changing to a normal priority and assigning to major
--
KennethLavrsen - 28 Jul 2010
Setting to No Action. Registration works fine on Foswiki 2.1.4+ with System and Main webs view restricted.
--
GeorgeClark - 13 Dec 2017
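
Added example, not part of the original thread and not Foswiki's own code: the 22-23 Jul 2010 comments note that a DENY setting has to be repeated in every web's WebPreferences, so this sketch flags webs whose preference text still leaves WikiGuest able to view. The web names and preference text are constructed samples; groups are not expanded and only `Set` bullets are read, which are simplifying assumptions.

```python
import re

# Foswiki preference bullet: indent in multiples of three spaces (or tabs),
# then "* Set NAME = value". [ \t] keeps an empty value from swallowing
# the following line.
SETTING = re.compile(r"^(?:\t| {3})+\*[ \t]+Set[ \t]+(\w+)[ \t]*=[ \t]*(.*)$", re.M)

def names(value):
    """Split a comma/space separated access list, dropping a 'Main.' web prefix."""
    return {n.split(".")[-1] for n in re.split(r"[,\s]+", value.strip()) if n}

def guest_can_view(prefs_text, guest="WikiGuest"):
    """True if the web-level settings in prefs_text leave the guest able to view."""
    settings = {}
    for name, value in SETTING.findall(prefs_text):
        settings[name] = value  # a later Set overrides an earlier one
    if guest in names(settings.get("DENYWEBVIEW", "")):
        return False
    allow = names(settings.get("ALLOWWEBVIEW", ""))
    if allow and guest not in allow:
        return False  # a non-empty ALLOW list that omits the guest denies it
    return True

def open_webs(webs):
    """Return the webs (name -> WebPreferences text) a guest can still view."""
    return sorted(web for web, text in webs.items() if guest_can_view(text))

# Constructed sample input: one entry per web, as read from its WebPreferences.
SAMPLE_WEBS = {
    "Main": "   * Set DENYWEBVIEW = WikiGuest\n   * Set WEBBGCOLOR = #FFEFA6\n",
    "System": "   * Set WEBBGCOLOR = #B9DAFF\n",
    "Sandbox": "   * Set ALLOWWEBVIEW = Main.AdminGroup\n",
    "Projects": "      * Set DENYWEBVIEW = Main.WikiGuest, OtherUser\n",
    "Empty": "   * Set DENYWEBVIEW =\n   * Set ALLOWWEBVIEW = AdminGroup\n",
}

if __name__ == "__main__":
    for web in open_webs(SAMPLE_WEBS):
        print(f"{web}: guest view not restricted in WebPreferences")
```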