SID-02374: How to deny TWikiGuest access to /bin/statistics
| Status: | Answered | TWiki version: | 6.0.2 | Perl version: | 5.10.1 |
| Category: | CategoryAccessControl | Server OS: | CentOS 6.10 kernel 2.6.32-754.2.1.el6.x86_64 | Last update: | 7 years ago |
The local security mavens have decided (after a year) that there's a problem with /bin/statistics in that anyone can type in the full URL and it will run as TWikiGuest for some reason. I thought I had done the right stuff with twiki.conf and TWikiGuest can't do anything bad that I know of, but this is cited as a cross-site scripting problem. So:
1) Can I totally disable TWikiGuest, or does that have consequences?
2) Can I specifically deny access to /bin/statistics by TWikiGuest?
3) Am I doing something wrong, i.e. should outside users always get n when trying to access anything in the TWiki directory structure?
-- John Huber - 2018-10-09
Discussion and Answer
If you use the default template login you can simply add statistics to the {AuthScripts} configure setting.
-- Peter Thoeny - 2018-10-10
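An added example, not part of the original answer or TWiki's own code: a shell check that reads a TWiki configuration file (assumed to be lib/LocalSite.cfg, with settings in the usual `$TWiki::cfg{...} = '...';` form) and reports whether a bin script is listed in {AuthScripts} while template login is in use. The function names and the sample configuration values are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a TWiki bin script is listed in {AuthScripts}.

# Print the value of the last single-quoted $TWiki::cfg{KEY} assignment in file $2.
cfg_value() {
    sed -n "s/^[[:space:]]*\\\$TWiki::cfg{${1}}[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$2" |
        tail -n 1
}

# Exit status 0: script $1 requires login; 1: guests can run it;
# 2: not using template login, so the {AuthScripts} advice does not apply as-is.
script_requires_auth() {
    login=$(cfg_value LoginManager "$2")
    scripts=$(cfg_value AuthScripts "$2" | tr -d '[:space:]')
    case $login in
        *::TemplateLogin) ;;
        *) echo "LoginManager '${login:-unset}' is not template login" >&2; return 2 ;;
    esac
    # Surrounding commas make "view" distinct from "viewauth".
    case ",$scripts," in
        *",$1,"*) return 0 ;;
        *) echo "'$1' missing from {AuthScripts}: '$scripts'" >&2; return 1 ;;
    esac
}

# Constructed sample config (values are illustrative, not this site's).
write_sample_cfg() {
    cat > "$1" <<'EOF'
$TWiki::cfg{LoginManager} = 'TWiki::LoginManager::TemplateLogin';
$TWiki::cfg{AuthScripts} = 'attach,edit,manage,rename,save,upload,viewauth,rdiffauth';
EOF
}

cfg=$(mktemp)
write_sample_cfg "$cfg"
script_requires_auth statistics "$cfg" 2>/dev/null || echo "before: statistics open to guests"
# The fix from the answer: statistics appended to the list.
echo "\$TWiki::cfg{AuthScripts} = 'attach,edit,manage,rename,save,upload,viewauth,rdiffauth,statistics';" >> "$cfg"
script_requires_auth statistics "$cfg" && echo "after: statistics requires login"
rm -f "$cfg"
```

To audit a real installation, call `script_requires_auth statistics /path/to/lib/LocalSite.cfg` and act on the exit status.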