Description
If you setup in wikiconfig.py acl_rights_default = 'UserGroup:read,write,delete,revert' this does not prevent anonymous users to read several underlay pages. Because they have the right All:read. But why? -- ReimarBauer 2006-06-06 14:54:29
Details
MoinMoin Version |
1.5.3 |
OS and Version |
linux |
Python Version |
2.3.5 |
Server Setup |
fcgi |
Server Details |
apache2 |
Workaround
Discussion
Why shouldn't they have All:read? What's your suggestion?
But isn't the questions really, why should All explicitely be given the right to read these pages? If the entire Wiki has All:read (for instance in acl_rights_after), then surely they should have read access to these pages as well. But what if I'm trying to create an all internal wiki, for authenticated users only? Why should all the world be given explicit permission to read the underlay pages? If - for example - my internal wiki users assume, all info they add to any pages will remain internal, this assumption is violated for the underlay pages. I'd like to have full control, here. The suggestion below seems like a good approach to me.
I would prefer a different Group e.g. MoinPagesGroup which includes * All so it is easier to change the rules for all pages without editing them.
If the wiki rules to be not anonymous to do anything with the pages I am not sure if it is neccesary to search in the help pages in this wiki. The acl rights should not be different handled for the underlay system pages. -- ReimarBauer 2006-06-06 16:15:12
e.g. #acl MoinPagesEditorGroup:read,write,delete,revert MoinPagesGroup:read
That is more a workaround but it is easily to exchange * All on that page with * Known or the User Group -- ReimarBauer 2006-06-06 21:25:05
As we have an action for login since 1.6, we could change this now (note that 1.5.x still used the UserPreferences page for login and if that page did not have read rights, no login was possible!).
How about using this for most underlay pages:
#acl -All:write default
That would:
take away write access for most people (except if they are given write rights by acl_rights_before)
for every other right, it would just use the same rights as given in acl_rights_default
Pro:
the MoinPagesEditorGroup is not needed any more in the distribution (and would just live in master wiki's acl_rights_before)
- no other (new) group pages needed either
works without editing a group if you take away All:read from default acl
Contra:
- just an idea, not practically tested yet
- ...?
Plan
- Priority:
- Assigned to:
- Status: fixed in 1.7