[Moin-user] Does this security setup sound good?

Kenneth McDonald kenneth.m.mcdonald at sbcglobal.net
Wed Apr 26 10:30:04 EDT 2006


Thomas,

Thanks again for the great feedback. You made the following statement 
towards the end of your comments:


--In your setup, no one except the admins can save a page.

However, I would've thought that the permissions given in the "public 
page" template:

    5) The PublicTemplate uses "Known:read,write,delete,revert All:read" 
to allow known users to edit public pages, and everyone to read them.

would allow Known users to save such pages. Am I missing something?

And finally, I'd misphrased the following question:

> And, is there any way to disable the option that allows creation of a 
> completely blank page?
[Your answer] moin doesn't allow you to save a completely empty (0 
bytes) page.

What I'd really meant was, under the standard setup, Moin allows the 
creation of a page from templates, or from a completely blank page. I'd 
like to restrict things so that templates are the _only_ options for 
creating pages.

Thanks again,
Ken

P.S. Guess I should start putting some of this into the Moin documentation.



>>  2) "acl_default" grants read-only rights to all users.
>
> This means that nobody except AdminGroup can edit a page that has no 
> page acls. Nobody except AdminGroup can create a page.
>
>>  3) The AdminTemplate uses "All: " to grant no writes to everyone. 
>> Therefore, AdminGroup can access these pages via the rights in 
>> "acl_before", but no one else can use them, not even see them.
>
> Correct.
>
>>  4) The EditorsTemplate uses "EditorGroup:read,write,delete,revert 
>> All:read" to allow editors to edit "official" pages, and everyone 
>> else to read them
>>   5) The PublicTemplate uses "Known:read,write,delete,revert 
>> All:read" to allow known users to edit public pages, and everyone to 
>> read them.
>
> Be aware that only people having "admin" rights are able to set up page 
> ACLs. So those templates are only useful for AdminGroup.
>
>> "acl_after" is currently blank.
>
> Usually this is correct.
>
>> This provides three levels of pages: admin, which are completely 
>> closed off except to admin users; "official" documentation pages, 
>> which can be edited by admin users and specified trusted editors, and 
>> read by everyone; and "public" documentation pages, which can be 
>> edited by all known users, and read by anyone.
>
> Correct.
>
>> So to return to the original question; can anyone suggest a better way 
>> to set this up to achieve the same effect?
>
> If this is what you want, then this is a correct setup.
>
>> And, is there any way to disable the option that allows creation of a 
>> completely blank page?
> And moin doesn't allow you to save a completely empty (0 bytes) page.
>
>
>
>
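
The rights lookup discussed in this thread, as an added example that is not part of the original messages and is not MoinMoin's own code: a simplified first-match model (no +/- modifiers, no Trusted) in which a page's own ACL takes the place of acl_default. The acl_before value, the user names and the group memberships are assumptions made for illustration.

```python
# Added example: simplified model of first-match ACL evaluation, not Moin's code.

def parse_acl(line):
    """Split 'A,B:read,write All:read' into [(names, rights), ...]."""
    entries = []
    for token in line.split():
        names, _, rights = token.partition(":")
        entries.append((names.split(","), {r for r in rights.split(",") if r}))
    return entries

def matches(name, user, groups):
    if name == "All":
        return True
    if name == "Known":                  # any logged-in user
        return user is not None
    if name.endswith("Group"):
        return user in groups.get(name, ())
    return name == user

def may(user, right, page_acl, cfg, groups):
    """acl_before, then the page ACL (acl_default if the page has none),
    then acl_after; the first entry naming the user decides."""
    middle = cfg["acl_default"] if page_acl is None else page_acl
    for line in (cfg["acl_before"], middle, cfg["acl_after"]):
        for names, rights in parse_acl(line):
            if any(matches(n, user, groups) for n in names):
                return right in rights
    return False

CFG = {
    "acl_before": "AdminGroup:read,write,delete,revert,admin",  # assumed value
    "acl_default": "All:read",
    "acl_after": "",
}
GROUPS = {"AdminGroup": {"alice"}, "EditorGroup": {"bob"}}  # constructed members
PAGE_ACLS = {
    "AdminTemplate": "All:",
    "EditorsTemplate": "EditorGroup:read,write,delete,revert All:read",
    "PublicTemplate": "Known:read,write,delete,revert All:read",
    "no page ACL": None,
}

def report(right="write"):
    users = {"admin alice": "alice", "editor bob": "bob",
             "known carol": "carol", "anonymous": None}
    return {(label, page): may(uid, right, acl, CFG, GROUPS)
            for label, uid in users.items() for page, acl in PAGE_ACLS.items()}

if __name__ == "__main__":
    for (label, page), ok in report().items():
        print(f"{label:12} {page:16} write={'yes' if ok else 'no'}")
```

The model covers the rights lookup only; the restriction that only users with "admin" rights can set up page ACLs, mentioned in the quoted reply, is not modelled.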
