This question about Authentication or Authorisation: Answered
Authentication required for raw view
configure lists the following as requiring authentication:
attach,changes,compare,compareauth,edit,manage,oops,preview,previewauth,restauth,rdiff,rdiffauth,register,rename,resetpasswd,rest,rest auth,save,statistics,upload,viewauth,viewfileauth
However, when a guest tries to view the raw wiki text of a topic, e.g.
http://wiki.cfcl.com/Projects/Access/Utiles/NB/AS?raw=on
they are presented with a login screen.
This should not happen. How do I fix it?
--
VickiBrown - 05 Mar 2016
I was sure that this was in the release notes, but we obviously missed a new feature. See Security and Authentication > Access Control > {FeatureAccess}{AllowRaw}. It's an expert feature, so click that button as well - lower left corner.
This was added as a security enhancement. In addition to access to Raw view, we added controls on access to history, also configured under Access Control. The url param debugenableplugins was also restricted.
The reason for the history restrictions was badly behaved bots. nofollow and robots.txt were not enough for some, which were following every rev= link of every topic. The raw restrictions were added to protect some more sensitive wiki applications.
(By the way, configure has a "search" facility - search for "raw" and this comes up.)
--
GeorgeClark - 05 Mar 2016
The checkins were under Tasks.Item12875, which was restricted to the Security group until today. It was all covered on a Development discussion related to a variety of possible security exposures. A lot of sites still run the older versions of Foswiki, so no sense feeding this to the search engines.
--
GeorgeClark - 05 Mar 2016