You are here: Foswiki>Tasks Web>Item15046 (06 Oct 2021, MichaelDaum)Edit Attach

Item15046: User registration is misused for instructions of all kinds

Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Reported By: DanielSchwab
Waiting For: DanielSchwab
Last Change By: MichaelDaum
The user registration can be misused for any information and the people are capable to edit it. I use the wiki, just for my project documentation. Configured without write rights (just for me). But the personal user page, is open for everyone. And they write there realy everything and share it. It begins from travel, WhatsApp data, rules for casinos, and where you can find pages for people over 18, and so on. I removed the Registrationbutton, and so on, but they find always a new solution to store data.

Example: Main/DanielSchwab

Is there a way to stop the write access, after a user registration, include comments?

-- DanielSchwab - 04 Oct 2021

I am not sure what you mean: anybody that registered an account on a Foswiki is supposed to have write access at least to his/her own user profile page. Write access is restricted to the owner of that profile page only by default. Even your own profile page is write restricted to you yourself only, as far as I can see ...

So are you saying that write access to the own user profile page should be prohibited, even for yourself?

-- MichaelDaum - 05 Oct 2021

I think Daniel is asking about (or at least mixing) two different things: one is about configuration of his own site and the other is about permissions here on Neither of these cases constitute any kind of bug in my opinion.

Regarding the case of your private site, I think there's a legitimate support question about how to lock down a site except for private use. To do that, check the following settings in Configure:
  • Under Security and Authentication > Registration, disable user registration (EnableNewUserRegistration). If you need to register someone, just turn it back on temporarily.
  • Under Security and Authentication > Login > AuthScripts make sure "edit" is included in list of scripts requiring authentication. You can also add "view" to that list if you want to restrict all access to your site to registered users - e.g. users will be required to log in as soon as they hit any of the site pages.
  • Under Extensions > Comment Plugin make sure GuestCanComment is disabled. There's a similar setting for MetaCommentPlugin if you are using that.

Regarding, this is a public site that's intentionally set up to foster collaboration. Given that, there's a degree of administrator responsibility to monitor the site that comes with the territory. On, the administrators continuously monitor any new registrations and other edits on user-associated pages for any signs of user spam or inappropriate content and delete any such accounts or content almost immediately.

-- LynnwoodBrown - 05 Oct 2021

First of all. It's not a programming bug. And I agree, continuously monitor any new registrations. But ... If I check, one time in the day for new registered people (mail), I'm too slow, to delete. I try to explain, what they are doing (for example): I could registrate me on "". After confirmin with the mail, I have write access to my private user profile. The Idea from foswiki is, to set my picture, write something about my, and so on. But I can use my user profile (because I have write access) to share links for people over 18, how the security code is from the neighbor house, how I can win poker, and so on. They need access just for any minutes to share the information. If I check every 24 hours for new registered people, they have made their crime business. And I can see the traces.

Is there a way, if people will make a registration, they don't have write access to her own user profile, until I give the rights?

Because I want, allow user registration, but I don't want have a share platform for crime business in the user profile. They don't care when I write: it's not allowed to .....

I hope, I could clarify.

-- DanielSchwab - 05 Oct 2021

Try these config settings:

$Foswiki::cfg{Register}{NeedApproval} = $TRUE;
$Foswiki::cfg{Register}{Approvers} = 'DanielSchwab';

Any registration needs your approval before being processed any further. This comes closest to what you described.

-- MichaelDaum - 06 Oct 2021

ItemTemplate edit

Summary User registration is misused for instructions of all kinds
ReportedBy DanielSchwab
SVN Range
AppliesTo Engine
Priority Normal
CurrentState No Action Required
WaitingFor DanielSchwab
TargetRelease n/a
ReleasedIn n/a
Topic revision: r5 - 06 Oct 2021, MichaelDaum
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy