= Description =

If you setup in wikiconfig.py `acl_rights_default = 'UserGroup:read,write,delete,revert'` this does not prevent anonymous users to read several underlay pages. Because they have the right All:read. But why? -- ReimarBauer <<DateTime(2006-06-06T14:54:29Z)>>


== Details ==

## If you got a traceback, please save the traceback page as html and attach here:
## attachment:traceback.html

## if the bug is in this wiki, just kill the table and write: This Wiki.

## If a traceback is not available, please fill in the details here:
|| '''!MoinMoin Version''' ||  1.5.3||
|| '''OS and Version''' ||  linux ||
|| '''Python Version''' || 2.3.5 ||
|| '''Server Setup''' || fcgi ||
|| '''Server Details''' || apache2 ||


== Workaround ==
## How to deal with the bug until it is fixed


= Discussion =
Why shouldn't they have All:read? What's your suggestion?
  But isn't the questions really, why should All '''explicitely''' be given the right to read these pages? If the entire Wiki has All:read (for instance in acl_rights_after), then surely they should have read access to these pages as well. But what if I'm trying to create an all internal wiki, for authenticated users only? Why should all the world be given explicit permission to read the underlay pages? If - for example - my internal wiki users assume, all info they add to any pages will remain internal, this assumption is violated for the underlay pages. I'd like to have full control, here. The suggestion below seems like a good approach to me.

I would prefer a different Group e.g. !MoinPagesGroup which includes `* All` so it is easier to change the rules for all pages without editing them. 

If the wiki rules to be not anonymous to do anything with the pages I am not sure if it is neccesary to search in the help pages in this wiki.  
The acl rights should not be different handled for the underlay system pages. -- ReimarBauer <<DateTime(2006-06-06T16:15:12Z)>>

e.g. `#acl MoinPagesEditorGroup:read,write,delete,revert MoinPagesGroup:read`

That is more a workaround but it is easily to exchange `* All` on that page with `* Known` or the User Group -- ReimarBauer <<DateTime(2006-06-06T21:25:05Z)>>
----

As we have an action for login since 1.6, we could change this now (note that 1.5.x still used the !UserPreferences page for login and if that page did not have read rights, no login was possible!).

How about using this for most underlay pages:
{{{
#acl -All:write default
}}}
That would:
 * take away write access for most people (except if they are given write rights by `acl_rights_before`)
 * for every other right, it would just use the same rights as given in `acl_rights_default`

Pro:
 * the !MoinPagesEditorGroup is not needed any more in the distribution (and would just live in master wiki's acl_rights_before)
 * no other (new) group pages needed either
 * works without editing a group if you take away All:read from default acl

Contra:
 * just an idea, not practically tested yet
 * ...?

= Plan =
## This part is for Moin``Moin developers:

 * Priority: 
 * Assigned to:
 * Status: fixed in 1.7

----
## If you are a moin core developer, replace the category to Category* in these cases:
## Category MoinMoinNoBug - if this is not a bug.
## Category MoinMoinBugConfirmed - if you can confirm the bug on current code.
## Category MoinMoinBugFixed - after the bug is fixed in current code.
CategoryMoinMoinBugFixed