Item2395: Shipped WebPreference topics default to overriding ACLs with insecure choices (wrong assumption in this bug report)
Priority: Enhancement
Current State: No Action Required
Released In: n/a
Target Release: minor
Applies To: Engine
Component:
Branches:
If an admin sets DENYWEBVIEW=WikiGuest in the Main.SitePreferences, this is overridden by the shipped settings in the Main, Sandbox and System webs, as their WebPreferences topic contains "Set DENYWEBVIEW=".
This is a poor default, as it assumes that the user wants those webs to be
- indexed by google etc
- and it reduces the choices admins have, as we strongly discourage modifying shipped topics.
There still is text saying "Remove the # to enable any of these settings", but the #'s appear to have been removed.
There seems to be something odd, and worrying, going on, in that if I remove the ACL settings from the Sandbox web prefs, it is not denying view to guest, even though that is set to DENYWEBVIEW in the SitePreferences.
Additionally, how to deny view access to the Main web, while still using it to set the defaults? - ok, so maybe that is the problem?
--
SvenDowideit - 22 Nov 2009
I think you are requesting a new feature here.
The SitePreferences setting has never been able to set access rights globally. It is always per web, i.e. you have to define the access in all webs.
If we want to add this it is a new feature and we better think carefully how this will interact with all other access settings people may be using in practical life.
Please limit any activity around this to trunk.
--
KennethLavrsen - 25 Nov 2009
Well, it turns out that I actually uncovered an existing and undocumented functionality - I might merge that docco commit to 1.0.8 - I'm still mulling over the consequences..
I'm certainly not proposing we change the code in 1.0.x - unless there really is an insecurity.
--
SvenDowideit - 25 Nov 2009
I just verified my original assumption.
You cannot define DENYWEBANYTHING in Default- or SitePreferences. I just tried. It does not work.
Unfortunately I did not see the checkin you did, so this has confused the hell out of people lately because the AccessControl says that DENYWEB.. is inherited from site wide preferences, but when they try it in practice it has no effect.
I have removed the added text and will do further editing.
And I put this item in No Action.
--
KennethLavrsen - 25 Nov 2010
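As an added illustration of the rule this item ends on (it is not code from the item or from Foswiki itself): web-level view ACLs are read only from each web's own WebPreferences, so a DENYWEBVIEW in SitePreferences has no effect, and a shipped line "   * Set DENYWEBVIEW = " with the # removed is an active, empty definition. The script below parses Foswiki-style "   * Set NAME = value" lines from constructed sample topics and reports, per web, whether WikiGuest can view it. The function names and the sample topic texts are my own; the parsing follows Foswiki's preference syntax, where a "#Set" line is a comment and is ignored.

```python
import re

# Constructed sample topics (not the real shipped files). The site-level
# DENYWEBVIEW is included only to show that it is never consulted.
SITE_PREFERENCES = """
   * Set DENYWEBVIEW = WikiGuest
"""

WEB_PREFERENCES = {
    # Shipped style: the # is gone, so DENYWEBVIEW is defined as empty.
    "Main": """
Remove the # to enable any of these settings
   * Set DENYWEBVIEW = 
   * Set ALLOWWEBVIEW = 
""",
    "Sandbox": """
   * Set DENYWEBVIEW = 
""",
    # Still commented out: no DENYWEBVIEW definition at all.
    "System": """
   * #Set DENYWEBVIEW = WikiGuest
""",
    # A web that actually denies guests, per-web, as the item concludes.
    "Private": """
   * Set DENYWEBVIEW = WikiGuest, AnonymousBot
""",
}

# Matches an active preference line; "#Set" does not match because the
# "#" sits between the bullet and "Set".
SET_RE = re.compile(r"^[ \t]+\*[ \t]+Set[ \t]+([A-Z][A-Z0-9_]*)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)


def parse_settings(topic_text):
    """Return {NAME: value} for every active '   * Set NAME = value' line.
    An empty value still counts as a definition (name present, value '')."""
    return {m.group(1): m.group(2) for m in SET_RE.finditer(topic_text)}


def split_list(value):
    """Foswiki ACL values are comma-separated user/group names."""
    return [part.strip() for part in value.split(",") if part.strip()]


def guest_view_denied(web_prefs_text, site_prefs_text=None, guest="WikiGuest"):
    """True if `guest` is refused view access to the web.
    Only the web's own WebPreferences is consulted; site_prefs_text is
    accepted and deliberately ignored, matching the item's conclusion."""
    settings = parse_settings(web_prefs_text)
    deny = split_list(settings.get("DENYWEBVIEW", ""))
    allow = split_list(settings.get("ALLOWWEBVIEW", ""))
    if guest in deny:
        return True
    # A non-empty ALLOW list restricts view to its members only.
    if allow and guest not in allow:
        return True
    return False


def audit(webs, site_prefs_text):
    """Map each web name to whether WikiGuest is denied view access."""
    return {web: guest_view_denied(text, site_prefs_text) for web, text in webs.items()}


if __name__ == "__main__":
    for web, denied in audit(WEB_PREFERENCES, SITE_PREFERENCES).items():
        print(f"{web:8s} WikiGuest view {'DENIED' if denied else 'allowed'}")
```

Running it shows Main, Sandbox and System all allowing WikiGuest despite the site-level deny, and only Private denying it; the same parser run over a real installation's WebPreferences topics is a quick way to confirm which webs actually restrict guest viewing.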