 |
|
Item2395: Shipped WebPreference topics default to over-riding ACL's with insecure choices (wrong assumption in this bug report)
Priority: Enhancement
Current State: No Action Required
Released In: n/a
Target Release: minor
Current State: No Action Required
Released In: n/a
Target Release: minor
Applies To: Engine
Component:
Branches:
Component:
Branches:
DENYWEBVIEW=WikiGuest in the Main.SitePreferences, this is overridden by the shipped settings in the Main, Sandbox and System webs, as their WebPreferences topic contains Set DENYWEBVIEW=.
this is a poor default, as it assumes that the user wants those webs to be - indexed by google etc
- reduces the choices admins have, as we strongly discourage modifying shipped topics.
Remove the # to enable any of these settings, but the #'s appear to have been removed
there seems to be something odd, and worrying going on, in that if i remove the ACL settings from the Sandbox web prefs, it is not denying view to guest, even though that is set to DENYWEBVIEW in the SitePreferences.
additionally, how to deny view access to the Main web, while still using it to set the defaults? - ok, so maybe that is the problem?
-- SvenDowideit - 22 Nov 2009
I think you are requesting a new feature here.
The SitePreferences setting has never been able to set access rights globally. It is always per web. Ie you have to define the access in all webs.
If we want to add this it is a new feature and we better think carefully how this will interact with all other access settings people may be using in practical life.
Please limit any activity around this to trunk.
-- KennethLavrsen - 25 Nov 2009
well, it turns out that I actually uncovered an existing and undocumented functionality - I might merge that docco commit to 1.0.8 - i'm still mulling over the consequenses..
I'm certainly not proposing we change the code in 1.0.x - unless there really is an insecurity.
-- SvenDowideit - 25 Nov 2009
I just verified my original assumption.
You cannot define DENYWEBANYTHING in Default- or SitePreferences. I just tried. It does not work.
Unfortunately I did not see the checkin you did so this has confused the hell out of people lately because the AccessControl says that DENYWEB.. is inherited from site wide preferences but when they try in practical it has no effect.
I have removed the added text and will do further editing.
And I put this item in No Action.
-- KennethLavrsen - 25 Nov 2010 ItemTemplate edit
| Summary | Shipped WebPreference topics default to over-riding ACL's with insecure choices (wrong assumption in this bug report) |
| ReportedBy | SvenDowideit |
| Codebase | 1.0.7, trunk |
| SVN Range | Foswiki-1.0.7, Sun, 20 Sep 2009, build 5061 |
| AppliesTo | Engine |
| Component | |
| Priority | Enhancement |
| CurrentState | No Action Required |
| WaitingFor | |
| Checkins | distro:915d9088893d |
| TargetRelease | minor |
| ReleasedIn | n/a |
Edit | Attach | Print version | History: r5 < r4 < r3 < r2 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r5 - 25 Nov 2010, KennethLavrsen
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy