[Moin-user] Does this security setup sound good?

Robert Schumann robert at cantab.net
Wed Apr 26 11:28:09 EDT 2006


On Wed, 2006-04-26 at 12:28 -0500, Kenneth McDonald wrote:
> --In your setup, no one except the admins can save a page.
> 
> However, I would've thought that the permissions given in the "public 
> page" template:
> 
>     5) The PublicTemplate uses "Known:read,write,delete,revert All:read" 
> to allow known users to edit public pages, and everyone to read them.
> 
> would allow Known users to save such pages. Am I missing something?

It seems to me that the thing you're missing is that PublicTemplate has
no control over the rights available to the person using it.  (Someone
please correct me if I'm wrong!)

The permissions that apply to a new page - including one created from a
template - are the default permissions (and of course the acl_before
conditions if they apply).  Your default permissions say All:read.  That
means, when a known user tries to edit a page, they fall into the class
all and are not allowed to edit and they're certainly not allowed to
apply ACLs - so even if they could edit the page they would not be
allowed to save it with the ACLs you've included in PublicTemplate.

Templates cannot alter ACLs.  Period.

The HelpOnAccessControlLists page is really quite informative, and if
you have such a demanding set of requirements you should probably take
some time to read it closely.

> 
> and finally, I'd mis-phrased the following question:
> 
> > And, is there any way to disable the option that allows creation of a 
> > completely blank page?
> [Your answer] moin doesn't allow you to save a completely empty (0 
> bytes) page.
> 
> What I'd really meant was, under the standard setup, Moin allows the 
> creation of a page from templates, or from a completely blank page. I'd 
> like to restrict things so that templates are the _only_ options for 
> creating pages.

Well, since users can easily delete all the content of a template and
start from a blank page anyway, the answer is No, you can't restrict
things.

What you can do, and what it seems you're trying to do, is edit the
system page MissingPage on your site.  It is in the underlay, but when
you edit it a new version will be created in your data/pages directory
and that will be used instead of the default system page.

Just edit out the bit from this page where it says "Create new empty
page".

Robert.
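
An added example, not part of the original message and not MoinMoin's own code: a simplified Python model of the first-match ACL evaluation described above, showing why a Known user cannot save a page created from PublicTemplate while the default is All:read. The names WikiAdmin and JoeUser, the config dictionaries and the helper functions are assumptions made for illustration; groups, Trusted and +/- modifiers are left out.

```python
# Simplified model of first-match ACL evaluation (not MoinMoin's own code).
# An ACL string is a list of "who:rights" entries; the first entry that
# matches the user decides, and later entries are not consulted.

def parse_acl(acl):
    """'Known:read,write All:read' -> [(['Known'], {'read', 'write'}), ...]"""
    entries = []
    for item in acl.split():
        who, _, rights = item.partition(":")
        entries.append((who.split(","), set(filter(None, rights.split(",")))))
    return entries

def matches(name, user, known):
    return name == "All" or (name == "Known" and known) or name == user

def may(right, user, known, cfg, page_acl=None):
    """Check order: 'before' ACL, then the page's own ACL or the default."""
    middle = page_acl if page_acl is not None else cfg["default"]
    for acl in (cfg["before"], middle):
        for names, rights in parse_acl(acl):
            if any(matches(n, user, known) for n in names):
                return right in rights
    return False

def can_create_from_template(user, known, cfg, template_acl):
    """A new page has no ACL yet, so the default applies; saving text that
    carries ACL lines additionally needs the admin right (as the message says)."""
    if not may("write", user, known, cfg):
        return False
    return template_acl is None or may("admin", user, known, cfg)

# ACL string quoted in the thread for PublicTemplate.
PUBLIC = "Known:read,write,delete,revert All:read"
# Constructed configs: WikiAdmin is a hypothetical admin account.
AS_POSTED = {"before": "WikiAdmin:read,write,delete,revert,admin",
             "default": "All:read"}
KNOWN_CAN_WRITE = {"before": AS_POSTED["before"], "default": PUBLIC}
```

Under AS_POSTED a known user fails the write check before the template's ACL lines are ever considered; under KNOWN_CAN_WRITE the same user can create pages, but only from text that carries no ACL lines.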