[Moin-user] Does this security setup sound good?

Kenneth McDonald kenneth.m.mcdonald at sbcglobal.net
Wed Apr 26 13:31:06 EDT 2006


Darn. That would mean that anytime we want to create an admin or 
"official" (editable only by us) page, we'd have to put in the necessary 
acl by hand? That's very error prone. I was hoping that templates would 
more or less function as:

1) Assuming the acls in the template give read and write access to the 
user trying to create a new page, copy the template _exactly_ to the new 
page.

2) Let user edit it as if that had already been an existing page.

For what it's worth, all of my templates show up if I'm trying to create 
a page as an Admin user, but _only_ the template for known users shows 
up if I am logged in as my test "normal" user. I shall have to investigate 
further.

Thx,
Ken

Robert Schumann wrote:
> On Wed, 2006-04-26 at 12:28 -0500, Kenneth McDonald wrote:
>   
>> --In your setup, no one except the admins can save a page.
>>
>> However, I would've thought that the permissions given in the "public 
>> page" template:
>>
>>     5) The PublicTemplate uses "Known:read,write,delete,revert All:read" 
>> to allow known users to edit public pages, and everyone to read them.
>>
>> would allow Known users to save such pages. Am I missing something?
>>     
>
> It seems to me that the thing you're missing is that PublicTemplate has
> no control over the rights available to the person using it.  (Someone
> please correct me if I'm wrong!)
>
> The permissions that apply to a new page - including one created from a
> template - are the default permissions (and of course the acl_before
> conditions if they apply).  Your default permissions say All:read.  That
> means, when a known user tries to edit a page, they fall into the class
> all and are not allowed to edit and they're certainly not allowed to
> apply ACLs - so even if they could edit the page they would not be
> allowed to save it with the ACLs you've included in PublicTemplate.
>
> Templates cannot alter ACLs.  Period.
>
> The HelpOnAccessControlLists page is really quite informative, and if
> you have such a demanding set of requirements you should probably take
> some time to read it closely.
>
>   
>> and finally, I'd mis-phrased the following question:
>>
>>     
>>> And, is there any way to disable the option that allows creation of a 
>>> completely blank page?
>>>       
>> [Your answer] moin doesn't allow you to save a completely empty (0 
>> bytes) page.
>>
>> What I'd really meant was, under the standard setup, Moin allows the 
>> creation of a page from templates, or from a completely blank page. I'd 
>> like to restrict things so that templates are the _only_ options for 
>> creating pages.
>>     
>
> Well, since users can easily delete all the content of a template and
> start from a blank page anyway, the answer is No, you can't restrict
> things.
>
> What you can do, and what it seems you're trying to do, is edit the
> system page MissingPage on your site.  It is in the underlay, but when
> you edit it a new version will be created in your data/pages directory
> and that will be used instead of the default system page.
>
> Just edit out the bit from this page where it says "Create new empty
> page".
>
> Robert.
>
>
>   
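
The rule Robert describes (a new page is checked against the default ACL, and the template's own ACL line grants nothing) can be modelled in a few lines. This is an added example, not part of either message and not MoinMoin's code: the ACL strings, AdminGroup and both users are constructed, and the model ignores acl_before and the "+"/"-" modifiers.

```python
# Simplified model of the rules in Robert's reply; not MoinMoin source code.
# Assumptions: no "+"/"-" modifiers, one name per entry, no spaces in names.

def parse_acl(line):
    """'Known:read,write All:read' -> [('Known', {'read', 'write'}), ('All', {'read'})]"""
    entries = []
    for entry in line.split():
        who, _, rights = entry.partition(":")
        entries.append((who, {r for r in rights.split(",") if r}))
    return entries

def matches(who, user):
    if who == "All":
        return True
    if who == "Known":
        return user["known"]
    return who == user["name"] or who in user["groups"]

def may(user, right, acl_line):
    """The first entry that matches the user decides; later entries are ignored."""
    for who, rights in parse_acl(acl_line):
        if matches(who, user):
            return right in rights
    return False

def acl_in_text(text):
    """Return the '#acl' line a template carries in its first line, if any."""
    first = text.splitlines()[0] if text else ""
    return first[len("#acl "):] if first.startswith("#acl ") else None

def can_save_new_page(user, text, default_acl):
    """A page that does not exist yet has no ACL of its own: the default decides."""
    if not may(user, "write", default_acl):
        return (False, "default ACL gives no write right")
    if acl_in_text(text) is not None and not may(user, "admin", default_acl):
        return (False, "setting #acl needs the admin right")
    return (True, "ok")

# Constructed sample data (AdminGroup and both users are hypothetical).
STRICT = "AdminGroup:read,write,delete,revert,admin All:read"
RELAXED = "AdminGroup:read,write,delete,revert,admin Known:read,write,delete,revert All:read"
TEMPLATE = "#acl Known:read,write,delete,revert All:read\nPublic page body\n"
ADMIN = {"name": "WikiAdmin", "known": True, "groups": {"AdminGroup"}}
NORMAL = {"name": "TestUser", "known": True, "groups": set()}

if __name__ == "__main__":
    for label, acl in (("strict", STRICT), ("relaxed", RELAXED)):
        for user in (ADMIN, NORMAL):
            print(label, user["name"], can_save_new_page(user, TEMPLATE, acl))
```

Even with the relaxed default, the normal user can only save the page once the ACL line is removed from the text, which matches the "we'd have to put in the necessary acl by hand" consequence raised in the reply.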




