
Bug: Registration is not complete if the TWiki web is protected

Hello,

I have this configuration in the web TWiki/WebPreferences:

Set DENYWEBVIEW =
Set ALLOWWEBVIEW = TWikiAdminGroup
Set DENYWEBCHANGE =
Set ALLOWWEBCHANGE = TWikiAdminGroup
Set DENYWEBRENAME =
Set ALLOWWEBRENAME = TWikiAdminGroup

When I try to add the user, I have a problem during the registration.

The log in the normal case looks like this:

Main.AdmT | view | TWiki.TWikiRegistration 
Main.NewU | save | Main.NewU
Main.NewU | save | Main.TWikiUsers
Main.NewU | register | Main.NewU | New@user.org

The problem is in line 3, because the new user cannot modify TWikiUsers.

Test case

Environment

TWiki version: TWikiBetaRelease2004x07x30
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: Debian
Web server:  
Perl version:  
Client OS:  
Web Browser:  

-- ErwanMAS - 18 Aug 2004

Follow up

A note for others who might have this problem: I fixed this in my own twiki install by commenting out line 211 of .../cgi-bin/twiki/register, the line which adds the new user to the TWikiUsers topic. Unfortunate side effect: you must manually add users to TWikiUsers when they register.

-- EdwardPiou - 29 Jun 2005

Version Wed, 08 Feb 2006 build 8740: code has changed from EdwardPiou's note.

  • lib/TWiki/UI/Register.pm is used
  • sub finish() calls $session->{users}->createUser(...)


This should be classified as a Security Problem. The TWiki Web should be protected against update by TWikiGuest.

Or better still, registration should not be in the TWiki Web.

Fix record

Not sure that this is the case if the TWiki web is protected... I've seen this condition for the Main web, as that is where the Main.TWikiUsers file is kept.

I agree that having the Main web viewable by only registered users is desirable... on one of my sites I had people give telephone numbers etc that I didn't want to expose to low-lifes.

From DakarRelease the RegisterCgiScriptRewrite entailed a change to make TWikiUsers changeable by only the TWikiRegistrationAgent - registration is now executed by this slightly privileged user. This means that the Main web can be denied to TWikiGuest.

I don't remember whether I tested it but I wouldn't be surprised if the original problem has been solved. Certainly it would not take much effort to solve now.

-- MartinCleaver - 12 Mar 2006

Version Wed, 08 Feb 2006 build 8740: Uses the TWikiRegistrationAgent to make changes. If TWikiRegistrationAgent does not have change permission for Main, then the confirmation step will fail when the new-user page can not be made. -- AlanGrover - 15 Mar 2006

Solution

Add Main.TWikiRegistrationAgent to ALLOWWEBCHANGE on Main.WebPreferences.

Can Main.TWikiRegistrationAgent be added by default to ALLOWWEBCHANGE on Main.WebPreferences?

-- AlanGrover - 15 Mar 2006

Is this behavior documented? I could not find it in ManagingUsers, TWikiInstallationGuide or TWikiUserAuthentication

-- RafaelAlvarez - 12 Aug 2008
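
The check behind the Solution above, as an added example (not TWiki's code and not from any contributor on this page): it parses the Set lines of a WebPreferences topic and reports whether TWikiRegistrationAgent and TWikiGuest may change the web. It assumes the simplified web-level rule that a non-empty DENY list is checked first and a non-empty ALLOW list restricts access to its members; topic-level settings are ignored, and the sample preferences and group membership are constructed.

```python
import re

# Matches preference lines such as "   * Set ALLOWWEBCHANGE = A, B".
# The bullet is optional because the report above quotes them without it.
SET_RE = re.compile(r"^\s*(?:\*\s+)?Set\s+(\w+)\s*=[ \t]*(.*)$", re.M)

def parse_prefs(text):
    """Return {NAME: [user or group names]} with any 'Main.' prefix removed."""
    prefs = {}
    for name, value in SET_RE.findall(text):
        items = [v for v in re.split(r"[,\s]+", value.strip()) if v]
        prefs[name] = [v.split(".", 1)[-1] for v in items]
    return prefs

def expand(names, groups):
    """Expand group names into their members (groups may nest)."""
    seen, todo = set(), list(names)
    while todo:
        name = todo.pop()
        if name not in seen:
            seen.add(name)
            todo.extend(groups.get(name, []))
    return seen

def web_allows(prefs, groups, user, mode):
    """Simplified web-level check (assumption): DENY first, then ALLOW."""
    if user in expand(prefs.get("DENYWEB" + mode, []), groups):
        return False
    allow = expand(prefs.get("ALLOWWEB" + mode, []), groups)
    return not allow or user in allow

def registration_report(text, groups):
    """Who may change the web: the registration agent should, the guest should not."""
    prefs = parse_prefs(text)
    users = ("TWikiRegistrationAgent", "TWikiGuest")
    return {u: web_allows(prefs, groups, u, "CHANGE") for u in users}

# Constructed samples: Main.WebPreferences before and after the Solution.
BEFORE = "Set DENYWEBCHANGE =\nSet ALLOWWEBCHANGE = TWikiAdminGroup\n"
AFTER = ("   * Set DENYWEBCHANGE =\n"
         "   * Set ALLOWWEBCHANGE = Main.TWikiAdminGroup, Main.TWikiRegistrationAgent\n")
GROUPS = {"TWikiAdminGroup": ["ExampleAdmin"]}  # constructed membership

if __name__ == "__main__":
    print("before:", registration_report(BEFORE, GROUPS))
    print("after: ", registration_report(AFTER, GROUPS))
```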

Topic revision: r8 - 2008-08-12 - RafaelAlvarez