SID-00045: Understanding the Registration Process
Status: Answered
TWiki version: 4.1.2
Perl version: 5.8.5
Category: CategoryRegistration
Server OS: RHEL4
Last update: 15 years ago
I'd like to better understand the TWiki registration process. I thought I had "locked down" registration, so that users could not register themselves but logged in via Kerberos and Apache externally. This seemed to work for quite some time. However, yesterday, for the first time I can remember, I got an email notification that someone had completed the registration process themselves and created a user account local to TWiki. I'm not sure what could have changed, as the only recent configuration change made to the TWiki site in the past year was applying the recent anti-vulnerability patch to the 'configure' script.
In data/log200901.txt, I see the following entries:
| 18 Jan 2009 - 13:48 | MyUsersKerberosName | view | TWikiRegistration | | my-proxy's-IP-address |
| 18 Jan 2009 - 13:49 | MyUsersTWikiName | regstart | MyUsersTWikiName | users-email@addressPLEASENOSPAM.com | my-proxy's-IP-address |
| 18 Jan 2009 - 13:50 | MyUsersKerberosName | view | TWikiUsers | | my-proxy's-IP-address |
In data/.htpasswd, I see the following entries:
MyUsersTWikiName:AnEncryptedPassword:
The topic MyUsersTWikiName does not exist, there is nothing relevant in data/RegistrationApprovals/, and the user's name has not been added to the TWikiUsers topic.
Have I just been lucky that users have never tried to register in this manner before? Or has something changed that I should have fixed after upgrading from Cairo to 4.1.2 (or the recent patch)?
What is the best way to both prevent such registration attempts in the future, and let the user know what's going on? I assume a 'deny' rule in the Apache configuration is in order, as well as a manual edit of the Registration page (which I thought I had made but may have been overwritten at some point). Details on these, as well as other recommended measures, would be very much appreciated.
Thank you!
-- JohnDeStefano - 19 Jan 2009
Discussion and Answer
The {Register}{EnableNewUserRegistration} configure setting should take care of disabling new user registrations. I think this is available since TWiki 4.2, so you would need to upgrade.
-- PeterThoeny - 19 Jan 2009
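
A detection sketch for the log entries quoted in the question, added here as an example (not part of the original thread and not TWiki code): it scans a TWiki access log for `regstart` events and pairs each one with the externally authenticated login that viewed TWikiRegistration from the same address shortly before. The sample log lines, the 10-minute window and the function names are assumptions.

```python
"""Flag self-registration attempts in a TWiki access log (added example)."""
from datetime import datetime, timedelta

# Constructed sample in the pipe-delimited layout of the entries in the question.
SAMPLE_LOG = """\
| 18 Jan 2009 - 13:48 | KerbUser | view | TWikiRegistration |  | 192.0.2.10 |
| 18 Jan 2009 - 13:49 | NewWikiName | regstart | NewWikiName | user@example.com | 192.0.2.10 |
| 18 Jan 2009 - 13:50 | KerbUser | view | TWikiUsers |  | 192.0.2.10 |
| 18 Jan 2009 - 14:05 | OtherUser | view | WebHome |  | 192.0.2.77 |
"""

REG_ACTIONS = {"regstart"}       # action name seen in the question's log
WINDOW = timedelta(minutes=10)   # assumption: how far back to look for the form view


def parse(line):
    """Return (time, user, action, topic, extra, ip), or None for a malformed line."""
    line = line.strip()
    if not (line.startswith("|") and line.endswith("|")):
        return None
    fields = [f.strip() for f in line[1:-1].split("|")]
    if len(fields) != 6:
        return None
    try:
        when = datetime.strptime(fields[0], "%d %b %Y - %H:%M")
    except ValueError:
        return None
    return (when, *fields[1:])


def find_registrations(log_text):
    """Pair each registration event with logins that viewed the form from the same IP."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    findings = []
    for when, user, action, topic, extra, ip in events:
        if action not in REG_ACTIONS:
            continue
        viewers = sorted({u for (t, u, a, tp, _, i) in events
                          if a == "view" and tp.endswith("TWikiRegistration")
                          and i == ip and timedelta(0) <= when - t <= WINDOW})
        findings.append({"time": when, "registered": user, "email": extra,
                         "ip": ip, "authenticated_as": viewers})
    return findings


if __name__ == "__main__":
    for f in find_registrations(SAMPLE_LOG):
        print(f"{f['time']:%Y-%m-%d %H:%M} regstart for {f['registered']} "
              f"from {f['ip']}; form viewed by {f['authenticated_as'] or 'unknown'}")
```

Run against data/log*.txt, an empty `authenticated_as` list means the registration request did not follow an authenticated view of the form from that address within the window.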