[Moin-user] Does this security setup sound good?
Pixologic Documentation Team
doc at pixologic.com
Mon Apr 24 13:01:02 EDT 2006
We'll have four levels of users in our wiki:
1) Admin; can do anything
2) Editors; can read and write anything except admin pages
3) Known users; can read non-admin pages and write "public" pages
4) All; can only read non-admin pages.
The security setup I've decided on goes something like this:
1) in acl_before, we have AdminGroup:everything...
2) In acl_default, we have All:read
3) On admin pages, we have #acl All:None
4) On pages only editable by trusted editors, we have #acl
5) On pages editable by known users, we have #acl
Known:read,write,delete,rename All:read
6) In acl_after, we have All:None
There are templates for AdminPageTemplate, TrustedEditorsTemplate,
KnownEditableTemplate, which contain the acls given above.
As far as I can tell, only the applicable templates appear to known
users. "Create empty page" always appears in the page creation dialog,
but a bit of experimentation would seem to indicate that this can't be
used to create "undesired" pages, and even if it did, I've set things up
so that the worst that should happen would be that such a page would
only be a readable blank page.
Does this look like a reasonable setup to you? Can you suggest
better/safer/simpler ways to achieve the same end?
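The layered setup described in the post can be checked offline with a small model before it is applied to the wiki. This is an added example, not code from the post or from MoinMoin: it assumes first-match evaluation without +/- modifiers, and the account names, EditorsGroup, the admin rights list and the trusted-editors ACL (which the post does not give) are placeholders.

```python
# Added example: simplified first-match model of the layered ACLs in the post.
RIGHTS = {"read", "write", "delete", "rename", "admin"}  # assumed set of valid rights

def parse_acl(text):
    """'Known:read,write All:read' -> [('Known', {...}), ('All', {'read'})]."""
    entries = []
    for item in text.split():
        subject, _, rights = item.partition(":")
        # Words outside RIGHTS (such as 'None') grant nothing in this model.
        entries.append((subject, {r for r in rights.split(",") if r in RIGHTS}))
    return entries

def matches(subject, user, groups):
    if subject == "All":
        return True
    if subject == "Known":
        return user is not None  # any logged-in account
    # A subject that is not a group name is treated as a single user name.
    return user is not None and user in groups.get(subject, {subject})

def decide(user, right, page_acl, cfg, groups):
    """Walk before -> (page ACL, else default) -> after; first match decides."""
    middle = ("page", page_acl) if page_acl is not None else ("default", cfg["default"])
    for layer, acl in (("before", cfg["before"]), middle, ("after", cfg["after"])):
        for subject, rights in parse_acl(acl):
            if matches(subject, user, groups):
                return right in rights, layer
    return False, "none"

# Constructed sample data; account names and EditorsGroup are hypothetical.
GROUPS = {"AdminGroup": {"alice"}, "EditorsGroup": {"bob"}}
CFG = {"before": "AdminGroup:read,write,delete,rename,admin",  # assumed rights list
       "default": "All:read", "after": "All:None"}
PAGES = {"admin": "All:None",
         "editors": "EditorsGroup:read,write,delete,rename All:read",  # assumed; not in the post
         "known": "Known:read,write,delete,rename All:read",
         "no_acl": None}  # a page created without any template
USERS = {"admin": "alice", "editor": "bob", "known": "carol", "anon": None}

def matrix():
    """Map (user class, page kind) -> 'rw'-style string of granted rights."""
    return {(u, p): "".join(r[0] if decide(name, r, acl, CFG, GROUPS)[0] else "-"
                            for r in ("read", "write"))
            for u, name in USERS.items() for p, acl in PAGES.items()}

if __name__ == "__main__":
    for key, val in matrix().items():
        print(key, val)
```

In this model the acl_after entry is never reached, because every page ACL and acl_default already end in an All entry. A page with no ACL grants write only to AdminGroup, so editors and known users can read it but not change it.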