Yes, we will get the documentation a bit better to emphasize this, and how
to fix it. The key is to edit the web.config file to add a location section
(I have just finished validating this procedure on my site with SQL-based
Forms authentication).

After the line in your web.config that contains </system.web> and before the
last line </configuration>, add a section like this:

<location path="admin">
  <system.web>
    <authorization>
      <allow roles="WikiAdministrators" />
      <deny users="?" />
    </authorization>
  </system.web>
</location>

This should control admin properly.

John Davidson
On Feb 12, 2008 12:41 PM, Shannon Ma <[EMAIL PROTECTED]> wrote:
> So with FlexWiki 2.0, it's as-designed to allow anonymous users to change
> the Wiki's config… such as namespaces and even the raw configuration?
>
>
>
> Shannon
>
>
>
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *John Davidson
> *Sent:* Tuesday, February 12, 2008 9:59 AM
> *To:* FlexWiki Users Mailing List
> *Subject:* Re: [Flexwiki-users] [SPAM-LOW] Re: Forms Based Authentication
>
>
>
> So when you have the flexwiki.config file with the 'ManageNamespace'
> permission set only to 'role:WikiAdministrators' and log in as a user who
> has that role do you see the 'Lock Topic' button and link?
>
>
>
> If you do then role-based permissions are working correctly.
>
>
>
> Then to lock down the Admin page I would edit _NormalBorders (the
> LeftBorder: property) so that what is now:
>
>     MenuItem("Show Main FlexWiki Administration Page", "Administration Page",
>         federation.LinkMaker.SimpleLinkTo("admin/default.aspx")),
>     namespace.HasManageNamespacePermission.IfTrueIfFalse
>     ({
>     [
>     MenuItem("Show Topic Lock Management Page", "Topic Locks",
>         federation.LinkMaker.SimpleLinkTo("admin/TopicLocks.aspx")),
>
> becomes
>
>     namespace.HasManageNamespacePermission.IfTrueIfFalse
>     ({
>     [
>     MenuItem("Show Topic Lock Management Page", "Topic Locks",
>         federation.LinkMaker.SimpleLinkTo("admin/TopicLocks.aspx")),
>     MenuItem("Show Main FlexWiki Administration Page", "Administration Page",
>         federation.LinkMaker.SimpleLinkTo("admin/default.aspx")),
>
> This is not an absolute permission block (more security via obscurity - as
> the user would not see the link, but could still access the pages by
> creating the link manually). If this is a real problem, please submit a
> feature request to manage Admin features when using Forms management.
>
>
>
> John Davidson
>
>
>
>
>
>
>
> On Feb 12, 2008 9:32 AM, Shannon Ma <[EMAIL PROTECTED]> wrote:
>
> Scratch the first part, I added my AspNetSqlRoleProvider to the
> roleManager tag. Now if I can only lock down the Admin page with forms auth
> :)
>
>
>
> Shannon
>
>
>
> *From:* Shannon Ma [mailto:[EMAIL PROTECTED]
> *Sent:* Tuesday, February 12, 2008 9:13 AM
>
>
> *To:* 'FlexWiki Users Mailing List'
>
> *Subject:* RE: [Flexwiki-users] [SPAM-LOW] Re: Forms Based Authentication
>
>
>
> Thanks John… hard coding the username works.
>
>
>
> Do I have to add any providers to the role manager tag? It's attempting
> to connect to a local SQL Express database.
>
>
>
> Also, how would you recommend locking down the Admin page with forms
> authentication? I don't think I can lock it down with Windows permissions.
>
>
>
> Thanks again!
>
>
>
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Flexwiki-users mailing list
> Flexwiki-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/flexwiki-users
>
>
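
An added example, not part of the original e-mails or of FlexWiki: a simplified Python model of ASP.NET URL authorization (rules are read top to bottom and the first match wins), run against the location section posted at the top of this thread and against a constructed variant that ends in <deny users="*" />. It assumes no other authorization rule applies above the admin folder, so the framework default <allow users="*" /> is the last rule; the sample user names and the WikiUsers role are made up.

```python
import xml.etree.ElementTree as ET

# The location section as posted in the thread.
THREAD_SECTION = """
<location path="admin">
  <system.web>
    <authorization>
      <allow roles="WikiAdministrators" />
      <deny users="?" />
    </authorization>
  </system.web>
</location>
"""
# Constructed variant: deny everyone who did not match the allow rule.
DENY_ALL_SECTION = THREAD_SECTION.replace('users="?"', 'users="*"')
# Assumption: no parent rule restricts access, so the default allow-all is last.
INHERITED_RULES = [("allow", {"users": "*"})]

def split_list(value):
    return {item.strip() for item in value.split(",") if item.strip()}

def load_rules(location_xml):
    # Section rules in document order, followed by the inherited rules.
    auth = next(ET.fromstring(location_xml).iter("authorization"))
    return [(rule.tag, dict(rule.attrib)) for rule in auth] + INHERITED_RULES

def rule_matches(attrs, user, roles):
    # user is None for an anonymous request; "?" = anonymous, "*" = everyone.
    users = split_list(attrs.get("users", ""))
    if "*" in users or ("?" in users and user is None) or user in users:
        return True
    return bool(split_list(attrs.get("roles", "")) & set(roles))

def is_allowed(location_xml, user=None, roles=()):
    # The first rule that matches the request decides the outcome.
    for action, attrs in load_rules(location_xml):
        if rule_matches(attrs, user, roles):
            return action == "allow"
    return False

def access_table(location_xml):
    # Constructed principals: the user names and WikiUsers role are made up.
    return {
        "anonymous": is_allowed(location_xml),
        "member": is_allowed(location_xml, "alice", ["WikiUsers"]),
        "admin": is_allowed(location_xml, "bob", ["WikiAdministrators"]),
    }

if __name__ == "__main__":
    print(access_table(THREAD_SECTION), access_table(DENY_ALL_SECTION))
```

Under that assumption, the section as posted blocks anonymous requests but lets a logged-in user without the WikiAdministrators role fall through to the inherited allow rule; the variant limits the folder to that role.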