[Moin-user] Permissions for New Account page

Barry Demchak idekerlab.bdemchak at gmail.com
Wed Jul 29 20:58:18 EDT 2015


Hi, Paul --

Thanks for the excellent response.

In going through all of the options and issues you present, I think I'm
likely lucky to have exactly the configuration I do -- which is that to get
an ID, a new user has to know someone who already has an ID. It could well
be that our wiki was set up this way on purpose precisely to circumvent
spammers and DoS attacks. If that's the case, the major failing is in our
own documentation about how to get an ID, which I can easily correct (and
have!).

Thanks for your treatment of all of the options ... I'll hold onto your
reply in case we ever want to mix things up.

As for changing from Confluence to Moin Moin, it's a fun idea and I
appreciate your pointing it out. The Confluence instance you're referring to
is essentially static. The group that owns it hasn't produced much in the
last 2-3 years, so it probably wouldn't be useful to address this.

That said, I'm very happy to consider Moin Moin for new uses ...
particularly based on the product documentation and your great reply.

Have a great week!

-----Original Message-----
From: Paul Boddie [mailto:paul at boddie.org.uk] 
Sent: Wednesday, July 29, 2015 4:29 AM
To: moin-user at lists.sourceforge.net
Subject: Re: [Moin-user] Permissions for New Account page

On Wednesday 29. July 2015 03.37.20 Barry Demchak wrote:
> 
> I have inherited a Moin Moin that has an odd behavior:
> 
> The new account page 
> (ourdomain.com/cgi-bin/moin.cgi/?action=newaccount)
> displays just fine if I'm already logged in. But if I'm not logged in 
> (as would a new user be), I get a permission violation ("You are not 
> allowed to use this action.").
> 
> I think the permission setup is missing the point ... a new user can't 
> already be logged in. Or ... possibly I'm missing the point. (Could this 
> be intended to operate this way??)

It could be the case that new users would be added manually by superusers:

https://moinmo.in/FeatureRequests/DisableUserCreation

This is also covered here:

https://moinmo.in/HowTo/ManagingAccountCreation

> Can you help me get this New Account page configured so that new users 
> can create accounts?

If your authentication mechanism makes use of existing accounts from other
systems (the Web server, LDAP, and so on), then new account creation
probably isn't required anyway. 

Otherwise, it might be useful to allow new account creation, but then it is
important to introduce additional measures to prevent spam registrations.
Off the top of my head, I suggest:

Account verification: https://moinmo.in/HowTo/ManagingAccountCreation

Textchas for registration and editing: https://moinmo.in/HelpOnSpam

A trusted editors group (see the ManagingAccountCreation page above)

This is what we used for the Mailman Wiki and it seems to work fairly well. 
Some more details...

Account verification works fairly well, but it doesn't really seem to stop
spammers. At most, it just filters out some of them, but it also manages to
slow down registrations, too.

Textchas are effective, but you have to choose a good question: "what is 2 +
2" or similar things are not effective; you need to choose something that a
random spammer would not be able to find out by just looking at the
question. Various wikis choose to have the answer to a simple "what is the
password" question as a secret that is shared by other means.

Having a trusted editors group may mean that you impose access control on
the entire wiki insisting that before anyone can edit anything they must be
added to the trusted editors group. Thus, "groupless" users may only read
things and cannot start editing straight away. This effectively adds another
hurdle for spammers: they may get as far as registering an account, but then
their account needs to be "approved".

Once upon a time, I did make an extension that permitted the review of edits
so that people could just start editing, but where their edits were queued
and hidden from site users, but it's arguably better to just put obstacles
in the path of spammers as early as possible in order to prevent later
tidying-up or administration effort. For genuine users, the above measures
shouldn't really be much of a burden.

[...]

> https://sosa.ucsd.edu/confluence/display/~bdemchak/Home

And if your department ever wishes to migrate from Confluence...

https://moinmo.in/ConfluenceConverter

...we may have the solution for that as well. ;-)

Paul
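
The trusted editors arrangement described above, as an added example that is not part of the original thread and is not MoinMoin's own code: a simplified Python model of how a MoinMoin-style ACL string is evaluated, comparing an ACL that lets any logged-in account write with one that requires group membership. The group name, user names and ACL strings are constructed for illustration, and the special `Trusted` entry is not modelled.

```python
# Simplified model of MoinMoin-style ACL evaluation (illustration only, not Moin's code).
# Entry syntax: [+|-]Name[,Name...]:right[,right...]; entries are checked left to right.
VALID_RIGHTS = ("read", "write", "delete", "revert", "admin")

# Constructed sample data: group name, members and ACL strings are assumptions.
GROUPS = {"TrustedEditorsGroup": {"AliceExample"}}
OPEN_ACL = "Known:read,write,delete,revert All:read"
GATED_ACL = "TrustedEditorsGroup:read,write,delete,revert All:read"


def parse_acl(acl):
    """Return a list of (names, {right: bool}) in evaluation order."""
    entries = []
    for token in acl.split():
        modifier = token[0] if token[0] in "+-" else ""
        names, _, rights = token[len(modifier):].partition(":")
        listed = [r for r in rights.split(",") if r in VALID_RIGHTS]
        if modifier:
            # +/- entries decide only the rights they list
            verdicts = {r: modifier == "+" for r in listed}
        else:
            # plain entries decide every right: listed ones granted, the rest denied
            verdicts = {r: r in listed for r in VALID_RIGHTS}
        entries.append((names.split(","), verdicts))
    return entries


def matches(name, user, logged_in, groups):
    """Does an ACL entry name apply to this user?"""
    if name == "All":
        return True
    if name == "Known":
        return logged_in
    if name in groups:
        return logged_in and user in groups[name]
    return logged_in and name == user


def may(user, right, acl, logged_in=True, groups=GROUPS):
    """First matching entry that has a verdict for `right` wins; default is deny."""
    for names, verdicts in parse_acl(acl):
        if any(matches(n, user, logged_in, groups) for n in names):
            if right in verdicts:
                return verdicts[right]
    return False
```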
