This question about Configuration: Answered
Best practice to lock down the Main web
With the default configuration, non-admin users are allowed to modify some pages in the Main web (e.g. AdminUserLeftBar or WikiGroups) and create new pages.
What is the best practice to lock down the Main web for modification?
(To see what happens if e.g. the WikiGroups page is writable by normal users, see http://www.foswiki.org/Main/WikiGroups?rev=5 - note the Chinese letters at the bottom of the page.)
-- ChristianDHeureuse - 02 Sep 2011
Some core Foswiki developers are of the opinion that the "normal" Foswiki installation is behind a firewall, on a company intranet, where locking down the wiki "out-of-the-box" might only serve to prevent the success of this kind of wiki in that situation. We deliberately run foswiki.org with "out-of-the-box" ACLs, to, as they say, "eat our own dogfood".
So, I started the Development.SecurityChecklists discussion, so that we can consider a solution or at least some sort of configuration guide/checklist for those of us running public wikis who don't want to constantly weed out wiki spam. I would be very grateful if you could contribute to that discussion.
To more specifically answer your question, you do need to configure the WebPreferences in every (root/top-level) web, including the Main web, with the desired ACLs appropriate for your installation.
I use a kind of "AcceptedGroup", which is given WEBCHANGE permission in Sandbox and Main webs.
I don't add people to this group directly; "AcceptedGroup" simply contains all other WikiGroups. So membership of "AcceptedGroup" is via one of the other (usually project/theme related) WikiGroups.
Newly registered users are not members of any group at first, so they are unable to modify topics in Main or Sandbox.
A new user must contact a member of the research group they're interested in collaborating with (or they contact a site admin with this information), at which point they are added to one of the WikiGroups (and, by extension, the AcceptedGroup).
If you lock down the users web (Main), you do need to list RegistrationAgent in Main.WebPreferences ALLOWWEBCHANGE so that the registration agent can create new user topics.
See also Question744.
I hope that helps. Please contribute to Development.SecurityChecklists to help us improve this aspect of Foswiki.
-- PaulHarvey - 04 Sep 2011
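The setup described in the answer above, written out as Foswiki preference settings. This is an added illustration, not configuration posted by the answer's author; the group names ProjectAGroup and ProjectBGroup are placeholders, and the settings must be indented with exactly three spaces for Foswiki to recognise them. The same ALLOWWEBCHANGE line would go into Sandbox.WebPreferences.

```text
Main.WebPreferences
(only admins, members of the umbrella group and the registration agent may change topics;
 only admins may rename topics or edit this preferences topic itself)

   * Set ALLOWWEBCHANGE = Main.AdminGroup, Main.AcceptedGroup, Main.RegistrationAgent
   * Set ALLOWWEBRENAME = Main.AdminGroup
   * Set ALLOWTOPICCHANGE = Main.AdminGroup

Main.AcceptedGroup
(umbrella group: contains the project groups, never individual users;
 locked so that only admins can edit the membership list)

   * Set GROUP = Main.ProjectAGroup, Main.ProjectBGroup
   * Set ALLOWTOPICCHANGE = Main.AdminGroup

Main.ProjectAGroup
(a project group; its own members may add new collaborators)

   * Set GROUP = Main.AdminGroup, Main.SomeUser
   * Set ALLOWTOPICCHANGE = Main.ProjectAGroup, Main.AdminGroup
```

A freshly registered user belongs to none of these groups, so they can read Main but cannot change it until a ProjectAGroup member adds them; the RegistrationAgent entry is what still lets registration create their user topic.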