TWiki has a wealth of configurable options. Too many. It is extremely confusing, especially when options are not justified by their comments. And a number of the options are frankly a bit pointless. So, if you think a configuration option should be cast in stone (or at least lead) then list it here.
{Register}{HidePasswd}
As far as we (Soronthar and CDot) can tell from RegistrationSendsPasswordToWebMaster, this option was added to avoid having to make a decision about whether the password should be hidden or not in the mail to a user. The default is to hide the password, and I'd be willing to bet that it is never changed in a user site.
-- CrawfordCurrie - 24 Apr 2006
Agree that we should junk this one - it's bad security practice to allow this.
-- RichardDonkin - 26 Apr 2006
MartinCleaver has reported that at least one of his clients asked for the password to be delivered in plain text. The question is if we want to accommodate them or educate them.
-- RafaelAlvarez - 26 Apr 2006
Thanks Raf. Or we could let them select at the time of the password reset.
-- MartinCleaver - 26 Apr 2006
{AntiSpam}{EmailPadding}, {AntiSpam}{RobotsAreWelcome}, {AllowInlineScript}, {RemoveImgInMailNotify}, {ForceUnsafeRegexes}
These are all examples of options relating to "is this a public site" versus "is this behind a firewall". They apply when either the site is vulnerable to hacking or robots. In general, these options should always be applied when it is a public site, and rarely on a private site. Much easier for the admin to make this sort of global choice than to have to deal with each option in isolation.
We may want to keep the individual options around, but I think they should be hidden behind a "Public TWiki" option/tab/drawer.
-- CrawfordCurrie - 27 Apr 2006