Tags:
create new tag
view all tags

Feature Proposal: Run the configure script only after authentication

Motivation

If configuration script is not restricted for authentication under webserver then it displays the internals of TWiki instance. Any body can run the configure and get information like directory structure, authentication method used in the TWiki instance which can be used for exploiting the instance.

Description and Documentation

  1. If Administrator(admin account) password is not set in the TWiki, allow configure to set the password.
  2. Add cookies/session capability to the script, when configure is accessed-prompt for password.
  3. Verify the password with admin password of the TWik-then display the current configuration details. Allow user to modify it.
  4. The save operation can be promoted for password and then the TWiki configuration modified.

Examples

Impact

WhatDoesItAffect: API

Implementation

-- Contributors: SopanShewale - 2010-01-13

Discussion

Looks like a sensible enhancement. Special case where cookies are not available should be considered.

-- PeterThoeny - 2010-01-15

I have already coded on some private instance of the TWiki - the screens of the changes look similar to the follow:

If no password provided :

configure_screen_one.gif

If wrong password provided:

configure_screen_one.gif

Correct Password will show the following screen:

configure_screen_three.gif

Asking confirmation to save the changes:

configure_screen_four.gif

Please note here - the password can be changed here..we can move this to the first screen

Finally saved:

configure_screen_five.gif

-- SopanShewale - 2010-01-19

Good spec, I like it.

As discussed in release meeting, this even works if cookies are disabled. Nice work!

-- PeterThoeny - 2010-02-02

TWikibug:Item6410 for code checkin

-- SopanShewale - 2010-03-31

This is implemented and in TWikiRelease05x00x00. Follow-up for usability enhancement is TWikibug:Item6477

-- PeterThoeny - 2010-06-06

Thanks Peter for raising the issue - we need more brainstorming for improving the look and feel and usability of this tool.

-- SopanShewale - 2010-06-07

ChangeProposalForm
TopicClassification FeatureRequest
TopicSummary Run the configure script only after authentication
CurrentState MergedToCore
CommittedDeveloper SopanShewale
ReasonForDecision AcceptedBy7DayFeedbackPeriod
DateOfCommitment 2010-01-13
ConcernRaisedBy

BugTracking TWikibug:Item6410, TWikibug:Item6477
OutstandingIssues

RelatedTopics

InterestedParties

ProposedFor HelsinkiRelease
TWikiContributors SopanShewale
Attachments Attachments
Topic attachments
I Attachment History Action Size Date Who Comment
GIFgif configure_screen_five.gif r1 manage 6.6 K 2010-01-29 - 12:27 SopanShewale  
GIFgif configure_screen_four.gif r1 manage 19.3 K 2010-01-29 - 12:26 SopanShewale  
GIFgif configure_screen_one.gif r1 manage 28.7 K 2010-01-29 - 12:20 SopanShewale prompted for password
GIFgif configure_screen_three.gif r1 manage 30.7 K 2010-01-29 - 12:24 SopanShewale  
GIFgif configure_screen_two.gif r1 manage 16.2 K 2010-01-29 - 12:22 SopanShewale  
Edit | Attach | Watch | Print version | History: r10 < r9 < r8 < r7 < r6 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r10 - 2010-06-07 - PeterThoeny
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2026 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.