
Item8601: registration may fail when the Main and/or system webs are restricted to prevent viewing by the guest user.

Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: major
Applies To: Engine
Component: AccessControl, TopicUserMappingContrib
Branches:
Reported By: SvenDowideit
Waiting For:
Last Change By: GeorgeClark
Reported in http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item6398 , with a 'resolution' that can't be considered anything but a very bad idea - suspension of ACLs will allow other non-guest leaks of form definition.

Sven will have to write a little code, and a little docco.

-- SvenDowideit - 22 Feb 2010

Forgive my ignorance, but in such a situation, why couldn't the user form simply be given less strict topic permissions?

-- PaulHarvey - 22 Feb 2010

I was going to ask the same question. There is a lack of information in this report that makes it impossible for anyone else other than Sven to deal with it, so marking for his feedback.

-- CrawfordCurrie - 18 Apr 2010

For me this is a simple documentation thing.

I think the (tm)wiki solution is silly.

-- KennethLavrsen - 18 Jul 2010

first up, I don't think the (tm)wiki solution is anything other than a lame security hole that someone will find a way to drive their truck through.

but I wondered if there was something we could do to achieve what some of our users do want - a way to allow registration, without allowing guests access to any of the customized parts of the site.

eg - the guest would only be able to see the System web..

We've come part of the way, and when I read the tmwiki report, I wondered if we could do it properly.

tbh, this is the kind of thing I created the RegistrationAgent user for - but that said, in a quick test, it works already :/

but that said, imo this deserves an automated test so it continues to work in 10 years' time. (which is why the task is set for me :) )

wrinkles

  1. if you try to set DENYWEBVIEW=guest in SitePreferences, adding it to FINALPREFERENCES doesn't appear to work - which means an admin attempting this will need to change every web..
    • including the System web's preferences
    • but then again, the rego topic is now so much more complex, and so locking down System web becomes painful - you have to open up all the INCLUDEd topics..

-- SvenDowideit - 22 Jul 2010

and in http://irclogs.foswiki.org/bin/irclogger_log/foswiki?date=2010-07-22,Thu&sel=201#l197

we see a user try to set DENYWEB in SitePreferences - and finding that it doesn't work.

this may well be something that we should change in 1.1 - as it's the obvious approach.

-- SvenDowideit - 22 Jul 2010

I guess adding DENYWEB and ALLOWWEB to be possible in Default and SitePreferences is something that could cause surprises. It is an enhancement to the current spec.

I would raise a feature proposal for it targeting 1.2.

I support the idea. I am one that runs with DENYWEBVIEW for WikiGuest so that people have to log in before they can see or do anything - including registration. So I have to remember to put a DENY setting in all WebPreferences. I would welcome such an enhancement.

But I will gladly wait for 1.2 instead of risking trouble.

And to those that wonder how you can block registration to guests. You can when you do not use the Foswiki password manager. People log in using mod_ldap authentication using their corporate login. And all the registration does is to add them to the TopicUserMapping so they get their login mapped to a nice WikiName.

-- KennethLavrsen - 23 Jul 2010

So are you saying this is not a release blocker for 1.1?

/me is trying to get a picture of what needs doing, and what doesn't

-- CrawfordCurrie - 28 Jul 2010

Yes that is what I am saying.

Changing to a normal priority and assigning to major

-- KennethLavrsen - 28 Jul 2010

Setting to No Action. Registration works fine on Foswiki 2.1.4+ with System and Main webs view restricted.

-- GeorgeClark - 13 Dec 2017
 

Codebase 1.0.9, trunk
Topic revision: r12 - 13 Dec 2017, GeorgeClark