[Moin-user] Does this security setup sound good?

Thomas Waldmann tw at waldmann-edv.de
Wed Apr 26 03:18:03 EDT 2006


>  1) "acl_before" grants all rights to our AdminGroup

This is correct as the admins should have those rights - no matter what 
happens or what is set on the page.

>  2) "acl_default" grants read-only rights to all users.

This means that nobody except AdminGroup can edit a page that has no 
page acls. Nobody except AdminGroup can create a page.

>  3) The AdminTemplate uses "All: " to grant no rights to anyone. 
> Therefore, AdminGroup can access these pages via the rights in 
> "acl_before", but no one else can use them, not even see them.

Correct.

>  4) The EditorsTemplate uses "EditorGroup:read,write,delete,revert 
> All:read" to allow editors to edit "official" pages, and everyone else 
> to read them.
>  5) The PublicTemplate uses "Known:read,write,delete,revert All:read" 
> to allow known users to edit public pages, and everyone to read them.

Be aware that only people having "admin" rights are able to set up page 
ACLs. So those templates are only useful for AdminGroup.

> "acl_after" is currently blank.

Usually this is correct.

> This provides three levels of pages: admin, which are completely closed 
> off except to admin users; "official" documentation pages, which can be 
> edited by admin users and specified trusted editors, and read by 
> everyone; and "public" documentation pages, which can be edited by all 
> known users, and read by anyone.

Correct.

> So, to return to the original question: can anyone suggest a better way to 
> set this up to achieve the same effect?

If this is what you want, then this is a correct setup.

> And, is there any way to disable the option that allows creation of a 
> completely blank page?

In your setup, no one except the admins can save a page.

And moin doesn't allow you to save a completely empty (0 bytes) page.
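As an added example that is not from this reply or from MoinMoin's own source, here is a small Python model of the evaluation order the reply relies on (acl_before, then the page's own ACL or acl_default when it has none, then acl_after; the first entry matching the user decides), run against the three templates from the question. The acl_before/acl_default/acl_after names and the group names follow the question; the user names, group membership and the evaluation code are constructed assumptions, and moin's +/- modifiers are left out.

```python
# Added example, not code from the post or from MoinMoin itself: a simplified model of
# moin's ACL evaluation order (acl_before, then the page's own ACL or acl_default when
# the page has none, then acl_after; the first entry matching the user decides).
# Names follow the post; the +/- modifiers and other moin features are left out.

def parse_acl(acl_string):
    """'EditorGroup:read,write All:read' -> [('EditorGroup', {'read','write'}), ('All', set())]."""
    entries = []
    for token in acl_string.split():
        who, _, rights = token.partition(":")
        entries.append((who, {r for r in rights.split(",") if r}))
    return entries

def entry_matches(who, user, groups, accounts):
    """'All' matches anyone, 'Known' anyone with an account, a group its members, else the name."""
    if who == "All":
        return True
    if who == "Known":
        return user in accounts
    if who in groups:
        return user in groups[who]
    return who == user

def may(user, right, page_acl, config, groups, accounts):
    """Return True if the first ACL entry that matches the user grants the right."""
    page_acl = config["acl_default"] if page_acl is None else page_acl
    for acl_string in (config["acl_before"], page_acl, config["acl_after"]):
        for who, rights in parse_acl(acl_string):
            if entry_matches(who, user, groups, accounts):
                return right in rights
    return False  # nothing matched at all: deny

# Constructed wiki: the three page tiers from the post, with made-up users.
CONFIG = {"acl_before": "AdminGroup:read,write,delete,revert,admin",
          "acl_default": "All:read",
          "acl_after": ""}
GROUPS = {"AdminGroup": {"alice"}, "EditorGroup": {"bob"}}
ACCOUNTS = {"alice", "bob", "carol"}          # carol: known user, in no group
ADMIN_PAGE = "All:"                                             # AdminTemplate
OFFICIAL_PAGE = "EditorGroup:read,write,delete,revert All:read"  # EditorsTemplate
PUBLIC_PAGE = "Known:read,write,delete,revert All:read"          # PublicTemplate

def check(user, right, page_acl):
    return may(user, right, page_acl, CONFIG, GROUPS, ACCOUNTS)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "anonymous"):
        for name, acl in (("admin", ADMIN_PAGE), ("official", OFFICIAL_PAGE),
                          ("public", PUBLIC_PAGE), ("no page acl", None)):
            granted = [r for r in ("read", "write", "admin") if check(user, r, acl)]
            print(f"{user:10s} {name:12s} {','.join(granted) or '-'}")
```

The table it prints shows the point about "admin": only alice ever gets it, so only AdminGroup can ever save a page ACL, and the "All:" entry denies bob and carol even "read" on admin pages.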