[Moin-user] Does this security setup sound good?

Pixologic Documentation Team doc at pixologic.com
Mon Apr 24 13:01:02 EDT 2006

We'll have four levels of users in our wiki:

1) Admin; can do anything
2) Editors; can read and write anything except admin pages
3) Known users; can read non-admin pages and write "public" pages
4) All; can only read non-admin pages.

The security setup I've decided on goes something like this:

1) in acl_before, we have AdminGroup:everything...
2) In acl_default, we have All:read
3) On admin pages, we have #acl All:None
4) On pages only editable by trusted editors, we have #acl 
EditorGroup:read,write,delete,rename All:read
5) On pages editable by known users, we have #acl 
Known:read,write,delete, rename All:read
6) In acl_after, we have All:None

The are templates for AdminPageTemplate, TrustedEditorsTemplate, 
KnownEditableTemplate, which contain the acls given above.

As far as I can tell, only the applicable templates appear to known 
users. "Create empty page" always appears in the page creation dialog, 
but a bit of exmperimentation would seem to indicate that this can't be 
used to create "undesired" pages, and even if it did, I've set things up 
so that the worse that should happen would be that such a page would 
only be a readable blank page.

Does this look like a reasonable setup to you? Can you suggest 
better/safer/simpler ways to achieve the same end?

Many thanks,

More information about the Moin-user mailing list