[ https://issues.apache.org/jira/browse/JSPWIKI-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12596063#action_12596063 ]

Aaron Hamid commented on JSPWIKI-266:
-------------------------------------
Hi guys, account creation moderation is pretty close but still leaves the
ability for arbitrary people to request accounts, forcing the administrator to
disapprove them. While this makes sense for sites where there are some criteria
for external users to have accounts, if the site is not intended for external
users then this can be confusing (for end users who think they can have
accounts) and require extra work for the administrator. Approval workflow for
page edits I think is similarly useful, but doesn't quite fit this request (the
administrator would also have to consistently reject all edits).

Ideally there would be some additional permission (e.g. "createProfile") that
could simply be removed from anonymous users. Disallowing all self-account
creation is ideal for a site where membership is private, e.g. a personal web
page. I have seen JSPWiki used like this and I think it would be a great way
to maintain a personal web presence, except for this issue. It may be possible
currently by implementing external authentication and special url-based
authorization, but I'd rather not throw away the existing JSPWiki authn/authz
scheme and have to reproduce it outside of the product if it is easy to just
add this into it.

Thanks!

> Add ability to restrict account creation
> ----------------------------------------
>
> Key: JSPWIKI-266
> URL: https://issues.apache.org/jira/browse/JSPWIKI-266
> Project: JSPWiki
> Issue Type: New Feature
> Components: Authentication&Authorization
> Reporter: Aaron Hamid
>
> This is a formal feature request (because I could not find an existing issue)
> for the "Admin Creates User Profiles" Idea here:
> http://www.jspwiki.org/wiki/IdeaAdminCreatesUserProfiles
> One way to implement it would be, that a different permission,
> "createProfile", be added, still configurable in the jspwiki.policy file.
> This way the desired policy could be configured such that the admin group has
> the "createProfile" permission, while the Authenticated have their
> "editProfile" permission.
> Workarounds are presented here
> http://www.jspwiki.org/wiki/AllowOnlyAdministratorCreateUserAccounts but have
> drawbacks, including allowing arbitrary junk accounts or forcing security to
> be configured external to the application.
> The proposal above, a new "createProfile" permission, seems like a
> straightforward way to address this concern directly in the product expanding
> its usefulness without weird workarounds.