[Moin-user] Permissions for New Account page
Paul Boddie
paul at boddie.org.uk
Wed Jul 29 07:28:34 EDT 2015
On Wednesday 29. July 2015 03.37.20 Barry Demchak wrote:
>
> I have inherited a Moin Moin that has an odd behavior:
>
> The new account page (ourdomain.com/cgi-bin/moin.cgi/?action=newaccount)
> displays just fine if I'm already logged in. But if I'm not logged in (as
> would a new user be), I get a permission violation ("You are not allowed to
> use this action.").
>
> I think the permission setup is missing the point ... a new user can't
> already be logged in. Or ... possibly I'm missing the point. (Could this be
> intended to operate this way??)

It could be the case that new users would be added manually by superusers:

https://moinmo.in/FeatureRequests/DisableUserCreation

This is also covered here:

https://moinmo.in/HowTo/ManagingAccountCreation

> Can you help me get this New Account page configured so that new users can
> create accounts?

If your authentication mechanism makes use of existing accounts from other
systems (the Web server, LDAP, and so on), then new account creation probably
isn't required anyway.

Otherwise, it might be useful to allow new account creation, but then it is
important to introduce additional measures to prevent spam registrations. Off
the top of my head, I suggest:

 - Account verification: https://moinmo.in/HowTo/ManagingAccountCreation
 - Textchas for registration and editing: https://moinmo.in/HelpOnSpam
 - A trusted editors group (see the ManagingAccountCreation page above)

This is what we used for the Mailman Wiki and it seems to work fairly well.
Some more details...

Account verification works fairly well, but it doesn't really seem to stop
spammers. At most, it just filters out some of them, but it also manages to
slow down registrations, too.

Textchas are effective, but you have to choose a good question: "what is 2 +
2" or similar things are not effective; you need to choose something that a
random spammer would not be able to find out by just looking at the question.
Various wikis choose to have the answer to a simple "what is the password"
question as a secret that is shared by other means.

Having a trusted editors group may mean that you impose access control on the
entire wiki insisting that before anyone can edit anything they must be added
to the trusted editors group. Thus, "groupless" users may only read things and
cannot start editing straight away. This effectively adds another hurdle for
spammers: they may get as far as registering an account, but then their
account needs to be "approved".

Once upon a time, I did make an extension that permitted the review of edits
so that people could just start editing, but where their edits were queued and
hidden from site users, but it's arguably better to just put obstacles in the
path of spammers as early as possible in order to prevent later tidying-up or
administration effort. For genuine users, the above measures shouldn't really
be much of a burden.
[...]
> https://sosa.ucsd.edu/confluence/display/~bdemchak/Home
And if your department ever wishes to migrate from Confluence...
https://moinmo.in/ConfluenceConverter
...we may have the solution for that as well. ;-)
Paul
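
The textcha advice in the message above can be checked mechanically. The following is an added example, not part of the original message or of MoinMoin's code: it audits a `textchas`-shaped dictionary for questions whose answer can be derived from the question text alone. The sample questions, the secret placeholder, the function names and the matching semantics (case-insensitive regex match on the stripped answer) are assumptions.

```python
import re

# Constructed sample in the shape of a MoinMoin `textchas` setting:
# {language: {question: answer_regex}}. Questions and answers are made up.
SAMPLE_TEXTCHAS = {
    "en": {
        "What is 2 + 2?": r"(4|four)",
        "Type the word 'wiki' to continue": r"wiki",
        "What is the editing password from the list welcome mail?":
            r"placeholder-secret",
    }
}

ARITH = re.compile(r"(\d+)\s*([+\-*x])\s*(\d+)")
WORDS = re.compile(r"[A-Za-z0-9]+")


def accepts(answer_regex, given):
    """Assumed textcha semantics: case-insensitive regex match on the answer."""
    return re.match(answer_regex, given.strip(), re.I | re.U) is not None


def guessable_answers(question):
    """Candidate answers derivable from the question text alone."""
    guesses = set(WORDS.findall(question))  # any word echoed in the question
    for a, op, b in ARITH.findall(question):  # simple arithmetic results
        a, b = int(a), int(b)
        guesses.add(str({"+": a + b, "-": a - b}.get(op, a * b)))
    return guesses


def audit_textchas(textchas):
    """Return {(lang, question): guess} for questions that leak their answer."""
    weak = {}
    for lang, questions in textchas.items():
        for question, answer_regex in questions.items():
            for guess in sorted(guessable_answers(question)):
                if accepts(answer_regex, guess):
                    weak[(lang, question)] = guess
                    break
    return weak


if __name__ == "__main__":
    for (lang, question), guess in audit_textchas(SAMPLE_TEXTCHAS).items():
        print("weak [%s] %r: answer %r is derivable" % (lang, question, guess))
```

Only the third sample question passes the audit, because its answer is a secret shared by other means rather than something present in or computable from the question.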