Hi, Paul -- Thanks for the excellent response.
In going through all of the options and issues you present, I think I'm likely lucky to have exactly the configuration I do -- which is that to get an ID, a new user has to know someone who already has an ID. It could well be that our wiki was set up this way on purpose precisely to circumvent spammers and DoS attacks. If that's the case, the major failing is in our own documentation about how to get an ID, which I can easily correct (and have!). Thanks for your treatment of all of the options ... I'll hold onto your reply in case we ever want to mix things up. As for changing from Confluence to Moin Moin, it's a fun idea and I appreciate your pointing it out. The Confluence instance you're referring to is essentially static. The group that owns it hasn't produced much in the last 2-3 years, so it probably wouldn't be useful to address this. That said, I'm very happy to consider Moin Moin for new uses ... particularly based on the product documentation and your great reply. Have a great week! -----Original Message----- From: Paul Boddie [mailto:p...@boddie.org.uk] Sent: Wednesday, July 29, 2015 4:29 AM To: moin-user@lists.sourceforge.net Subject: Re: [Moin-user] Permissions for New Account page On Wednesday 29. July 2015 03.37.20 Barry Demchak wrote: > > I have inherited a Moin Moin that has an odd behavior: > > The new account page > (ourdomain.com/cgi-bin/moin.cgi/?action=newaccount) > displays just fine if I'm already logged in. But if I'm not logged in > (as would a new user be), I get a permission violation ("You are not > allowed to use this action."). > > I think the permission setup is missing the point . a new user can't > already be logged in. Or . possibly I'm missing the point. (Could this > be intended to operate this way??) It could be the case that new users would be added manually by superusers: https://moinmo.in/FeatureRequests/DisableUserCreation This is also covered here: https://moinmo.in/HowTo/ManagingAccountCreation > Can you help me get this New Account page configured so that new users > can create accounts? If your authentication mechanism makes use of existing accounts from other systems (the Web server, LDAP, and so on), then new account creation probably isn't required anyway. Otherwise, it might be useful to allow new account creation, but then it is important to introduce additional measures to prevent spam registrations. Off the top of my head, I suggest: Account verification: https://moinmo.in/HowTo/ManagingAccountCreation Textchas for registration and editing: https://moinmo.in/HelpOnSpam A trusted editors group (see the ManagingAccountCreation page above) This is what we used for the Mailman Wiki and it seems to work fairly well. Some more details... Account verification works fairly well, but it doesn't really seem to stop spammers. At most, it just filters out some of them, but it also manages to slow down registrations, too. Textchas are effective, but you have to choose a good question: "what is 2 + 2" or similar things are not effective; you need to choose something that a random spammer would not be able to find out by just looking at the question. Various wikis choose to have the answer to a simple "what is the password" question as a secret that is shared by other means. Having a trusted editors group may mean that you impose access control on the entire wiki insisting that before anyone can edit anything they must be added to the trusted editors group. Thus, "groupless" users may only read things and cannot start editing straight away. This effectively adds another hurdle for spammers: they may get as far as registering an account, but then their account needs to be "approved". Once upon a time, I did make an extension that permitted the review of edits so that people could just start editing, but where their edits were queued and hidden from site users, but it's arguably better to just put obstacles in the path of spammers as early as possible in order to prevent later tidying-up or administration effort. For genuine users, the above measures shouldn't really be much of a burden. [...] > https://sosa.ucsd.edu/confluence/display/~bdemchak/Home And if your department ever wishes to migrate from Confluence... https://moinmo.in/ConfluenceConverter ...we may have the solution for that as well. ;-) Paul ---------------------------------------------------------------------------- -- _______________________________________________ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user ------------------------------------------------------------------------------ _______________________________________________ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
