Re: [xwiki-users] Crazy-bad security

2011-07-01 Thread Thomas Mortagne
On Fri, Jul 1, 2011 at 01:15, Paul Harris harris...@gmail.com wrote:
 On 30 June 2011 17:28, Thomas Mortagne thomas.morta...@xwiki.com wrote:

 On Thu, Jun 30, 2011 at 11:11, Paul Harris harris...@gmail.com wrote:
 
 
  
  
   When the unregistered user looks at the main welcome page, they can
 see
  the
   content, but the black-to-grey styling is broken (I'm using the
  NightFall
   colours with Colibri skin).
 
  If you want unregistered users to see the main page then they should have the
  right to do so; the main page is not in the XWiki space, so if you removed view
  right globally it's not going to work unless you give view right on the
  Main space or on the Main.WebHome page itself.
 
 
  I gave the unregistered user View access to Main.WebHome, AND to the
 Main
  space, however the styling is still broken.
  The frame around the text is just grey instead of the black-grey
 gradient.
 
  thanks,
  Paul
 
 
 
  Further to this, the problem is that an unregistered user does not have
  permission to access the link:
  http://host.com/xwiki/download/ColorThemes/Nightfall/bg8x540.jpg

 That's because I actually forgot that color themes are not in the
 XWiki space, as you can see in the link it's in ColorThemes space so
 you should give view right on it too.


 Thanks Thomas, that seems to have done the job!

 Is this documented anywhere?

Should be on http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Access+Rights
or http://platform.xwiki.org/xwiki/bin/view/Features/RightsManagement

 ___
 users mailing list
 users@xwiki.org
 http://lists.xwiki.org/mailman/listinfo/users




-- 
Thomas Mortagne


Re: [xwiki-users] Crazy-bad security

2011-07-01 Thread Thomas Mortagne
On Fri, Jul 1, 2011 at 08:56, Paul Harris harris...@gmail.com wrote:
 On 1 July 2011 14:52, Thomas Mortagne thomas.morta...@xwiki.com wrote:
 On Fri, Jul 1, 2011 at 01:15, Paul Harris harris...@gmail.com wrote:
 On 30 June 2011 17:28, Thomas Mortagne thomas.morta...@xwiki.com wrote:

 On Thu, Jun 30, 2011 at 11:11, Paul Harris harris...@gmail.com wrote:
 
 
  
  
   When the unregistered user looks at the main welcome page, they can
 see
  the
   content, but the black-to-grey styling is broken (I'm using the
  NightFall
   colours with Colibri skin).
 
  If you want unregistered users to see the main page then they should have the
  right to do so; the main page is not in the XWiki space, so if you removed view
  right globally it's not going to work unless you give view right on the
  Main space or on the Main.WebHome page itself.
 
 
  I gave the unregistered user View access to Main.WebHome, AND to the
 Main
  space, however the styling is still broken.
  The frame around the text is just grey instead of the black-grey
 gradient.
 
  thanks,
  Paul
 
 
 
  Further to this, the problem is that an unregistered user does not have
  permission to access the link:
  http://host.com/xwiki/download/ColorThemes/Nightfall/bg8x540.jpg

 That's because I actually forgot that color themes are not in the
 XWiki space, as you can see in the link it's in ColorThemes space so
 you should give view right on it too.


 Thanks Thomas, that seems to have done the job!

 Is this documented anywhere?

 Should be on 
 http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Access+Rights
 or http://platform.xwiki.org/xwiki/bin/view/Features/RightsManagement



 I see no mention of making a wiki proper-private, like I'm trying to do.

 I've also found that I need to allow write access to the Panels space,
 for Panels to work too.

 There seems to be some gaps in the xwiki design here.  How can we go
 about plugging the holes and extending the documentation?

It's an open wiki, just register on xwiki.org and edit any page you
would like to improve. Everything in this wiki is actually a
contribution; there is no one assigned full time to make sure everything
is always documented.





-- 
Thomas Mortagne


[xwiki-users] Crazy-bad security

2011-06-30 Thread Paul Harris
Hi guys,

I installed the Admin Tools plugin
http://extensions.xwiki.org/xwiki/bin/view/Extension/AdminTools

And found that half the stuff didn't work anyway.

Regardless, carrying on, I am hoping the User Rights tool will be helpful,
however it can't seem to check the most important user:
the Unregistered User

And what is worse, I discovered by accident that the Unregistered User can
access the space!
For example, an unregistered user can access the /xwiki/Admin/RunQuery page,
which could be used to run queries directly on the database, for example
select * from xwikipreferences

Does this give anyone else a heart attack too??

WHY is there no default cannot view unless admin says so mode?
This is a problem with all of my spaces.  When I create a space, I want to
then have to go and ALLOW people to access it.  Not open by default, that is
much harder to configure.

Can someone please look at rights management, it seems to be insecure by
default, and makes me scared.

thanks.
Paul
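A check worth running after the rights are set up: fetch the URLs this thread names with no session cookie, i.e. as the Unregistered User, and compare against what the guest should and should not be able to reach. This is an added example, not part of the thread or of XWiki. It assumes that host.com is the placeholder host from the thread and that a page the guest may not view either answers 401/403 or redirects to XWiki's login action under /xwiki/bin/login/; the paths and expectations in DEFAULT_PATHS come from the thread (front page and its colour-theme image visible, Admin.RunQuery not).

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Paths named in the thread, and whether the Unregistered User should be able
# to reach them: the front page and its colour-theme image yes, Admin.RunQuery no.
DEFAULT_PATHS = {
    "/xwiki/bin/view/Main/WebHome": True,
    "/xwiki/download/ColorThemes/Nightfall/bg8x540.jpg": True,
    "/xwiki/bin/view/Admin/RunQuery": False,
}

# Assumption: when the guest lacks view right XWiki redirects to its login
# action; a redirect whose target contains this fragment counts as "blocked".
LOGIN_MARKER = "/bin/login/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 30x, so a redirect to the login page is
    seen as such instead of being resolved to a 200 on the login form."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url):
    """GET url with no cookies and no credentials (i.e. as the guest).
    Returns (status, location); status is None if the host is unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:          # 30x, 401, 403, 404, 500 ...
        return err.code, err.headers.get("Location", "")
    except urllib.error.URLError:                   # DNS failure, refused ...
        return None, ""


def classify(status, location):
    """True = visible to the guest, False = blocked, None = needs a human."""
    if status == 200:
        return True
    if status in (401, 403):
        return False
    if status is not None and 300 <= status < 400 and LOGIN_MARKER in location:
        return False
    return None


def audit(base_url, expected=DEFAULT_PATHS, fetch=fetch_status):
    """Probe every path and return (path, expected_visible, observed) for each
    one whose guest visibility differs from what the admin intended."""
    problems = []
    for path, should_see in expected.items():
        status, location = fetch(urljoin(base_url, path))
        observed = classify(status, location)
        if observed is not should_see:
            problems.append((path, should_see, observed))
    return problems


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://host.com/"
    for path, should_see, observed in audit(base):
        print("MISMATCH %s: expected visible=%s, observed=%s"
              % (path, should_see, observed))
```

Run it from a machine that can reach the wiki, passing the base URL; an empty result means the guest sees exactly the set of pages you intended. Add any further space you open to the guest (Panels, a "who we are" page) to DEFAULT_PATHS, and keep the Admin space entries in it as a regression check.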


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Paul Harris
On 30 June 2011 15:15, Paul Harris harris...@gmail.com wrote:

 Hi guys,

 I installed the Admin Tools plugin
 http://extensions.xwiki.org/xwiki/bin/view/Extension/AdminTools


 snip


 And what is worse, I discovered by accident that the Unregistered User can
 access the space!
 For example, an unregistered user can access the /xwiki/Admin/RunQuery
 page, which could be used to run queries directly on the database, for
 example
 select * from xwikipreferences


further to this,

I wanted to try and restrict access to this Admin space.

I set DENY access for all rights, for the Unregistered User, and for
XWikiAllGroup.  (so, two rows of red-crosses)
There are no other ticks or crosses in any other rows...

Yet, my user PaulHarris still has access to the Admin space!  Why?
See attached, screenshot from the Rights Check Tool,
Clearly you can see that the group is denied access, yet the user has ALLOW
access... how can that be, nothing is ticked?  How can a missing tick
override a big red NO setting?

thanks
Paul


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Asiri Rathnayake
Hi,

On Thu, Jun 30, 2011 at 8:15 AM, Paul Harris harris...@gmail.com wrote:

 Hi guys,

 I installed the Admin Tools plugin
 http://extensions.xwiki.org/xwiki/bin/view/Extension/AdminTools

 And found that half the stuff didn't work anyway.

 Regardless, carrying on, I am hoping the User Rights tool will be helpful,
 however it can't seem to check the most important user:
 the Unregistered User

 And what is worse, I discovered by accident that the Unregistered User can
 access the space!
 For example, an unregistered user can access the /xwiki/Admin/RunQuery
 page,
 which could be used to run queries directly on the database, for example
 select * from xwikipreferences

 Does this give anyone else a heart attack too??


I don't think this extension is part of the standard XE/XEM release. You
should be careful when installing extensions.



 WHY is there no default cannot view unless admin says so mode?
 This is a problem with all of my spaces.  When I create a space, I want to
 then have to go and ALLOW people to access it.  Not open by default, that
 is
 much harder to configure.


It's a wiki, and wikis are supposed to be open by default. If the
default behaviour is closed, it would be hard for a normal user to create
a space and allow other users to contribute content (he'll have to wait for
the admin to open that space).

This is only my personal understanding and I'm not a professional XWiki
user, so let's wait for some other views as well.

Thanks.

- Asiri



 Can someone please look at rights management, it seems to be insecure by
 default, and makes me scared.

 thanks.
 Paul



Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Thomas Mortagne
On Thu, Jun 30, 2011 at 09:39, Asiri Rathnayake
asiri.rathnay...@gmail.com wrote:
 Hi,

 On Thu, Jun 30, 2011 at 8:15 AM, Paul Harris harris...@gmail.com wrote:

 Hi guys,

 I installed the Admin Tools plugin
 http://extensions.xwiki.org/xwiki/bin/view/Extension/AdminTools

 And found that half the stuff didn't work anyway.

 Regardless, carrying on, I am hoping the User Rights tool will be helpful,
 however it can't seem to check the most important user:
 the Unregistered User

 And what is worse, I discovered by accident that the Unregistered User can
 access the space!
 For example, an unregistered user can access the /xwiki/Admin/RunQuery
 page,
 which could be used to run queries directly on the database, for example
 select * from xwikipreferences

 Does this give anyone else a heart attack too??


 I don't think this extension is part of the standard XE/XEM release. You
 should be careful when installing extensions.

Yes this extension is a contribution and is not written or supported
by the XWiki Core team.




 WHY is there no default cannot view unless admin says so mode?
 This is a problem with all of my spaces.  When I create a space, I want to
 then have to go and ALLOW people to access it.  Not open by default, that
 is
 much harder to configure.


 It's a wiki, and wikis are supposed to be open by default. If the
 default behaviour is closed, it would be hard for a normal user to create
 a space and allow other users to contribute content (he'll have to wait for
 the admin to open that space).

 This is only my personal understanding and I'm not a professional XWiki
 user, so let's wait for some other views as well.

Yes it's exactly that, a wiki that only an admin can contribute to is
not a wiki... maybe a CMS.

Also, making the default XE distribution private is very easy: you just
have to set up global rights and you are done for the whole wiki.


 Thanks.

 - Asiri



 Can someone please look at rights management, it seems to be insecure by
 default, and makes me scared.

 thanks.
 Paul





-- 
Thomas Mortagne


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Thomas Mortagne
On Thu, Jun 30, 2011 at 09:22, Paul Harris harris...@gmail.com wrote:
 On 30 June 2011 15:15, Paul Harris harris...@gmail.com wrote:

 Hi guys,

 I installed the Admin Tools plugin
 http://extensions.xwiki.org/xwiki/bin/view/Extension/AdminTools


 snip


 And what is worse, I discovered by accident that the Unregistered User can
 access the space!
 For example, an unregistered user can access the /xwiki/Admin/RunQuery
 page, which could be used to run queries directly on the database, for
 example
 select * from xwikipreferences


 further to this,

 I wanted to try and restrict access to this Admin space.

 I set DENY access for all rights, for the Unregistered User, and for
 XWikiAllGroup.  (so, two rows of red-crosses)
 There are no other ticks or crosses in any other rows...

 Yet, my user PaulHarris still has access to the Admin space!  Why?
 See attached, screenshot from the Rights Check Tool,
 Clearly you can see that the group is denied access, yet the user has ALLOW
 access... how can that be, nothing is ticked?  How can a missing tick
 override a big red NO setting?

This mailing list does not allow attachment files. If you found a bug
create an issue on http://jira.xwiki.org with all details to reproduce
it.


 thanks
 Paul






-- 
Thomas Mortagne


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Paul Harris
On 30 June 2011 15:49, Thomas Mortagne thomas.morta...@xwiki.com wrote:

 On Thu, Jun 30, 2011 at 09:39, Asiri Rathnayake
 asiri.rathnay...@gmail.com wrote:
  Hi,
 
  On Thu, Jun 30, 2011 at 8:15 AM, Paul Harris harris...@gmail.com
 wrote:
 
  Hi guys,
 
  I installed the Admin Tools plugin
  http://extensions.xwiki.org/xwiki/bin/view/Extension/AdminTools
 
  And found that half the stuff didn't work anyway.
 
  Regardless, carrying on, I am hoping the User Rights tool will be
 helpful,
  however it can't seem to check the most important user:
  the Unregistered User
 
  And what is worse, I discovered by accident that the Unregistered User
 can
  access the space!
  For example, an unregistered user can access the /xwiki/Admin/RunQuery
  page,
  which could be used to run queries directly on the database, for example
  select * from xwikipreferences
 
  Does this give anyone else a heart attack too??
 
 
  I don't think this extension is part of the standard XE/XEM release.
 You
  should be careful when installing extensions.

 Yes this extension is a contribution and is not written or supported
 by the XWiki Core team.



It was suggested in the official XWiki Upgrade documentation,
see bottom of page here:
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Installation

I assumed the core team would only mention quality extensions in
documentation like that.





  WHY is there no default cannot view unless admin says so mode?
  This is a problem with all of my spaces.  When I create a space, I want
 to
  then have to go and ALLOW people to access it.  Not open by default,
 that
  is
  much harder to configure.
 
 
   It's a wiki, and wikis are supposed to be open by default. If the
   default behaviour is closed, it would be hard for a normal user to
   create a space and allow other users to contribute content (he'll have to
   wait for the admin to open that space).
 
  This is only my personal understanding and I'm not a professional XWiki
  user, so let's wait for some other views as well.

  Yes it's exactly that, a wiki that only an admin can contribute to is
  not a wiki... maybe a CMS.


That is not my point.

The wiki is open for editing, but only to registered users, and some spaces
are only available to a subset of those users. It's mostly to prevent
vandalism, plus some pages people want to only share with their particular
group of users.

There may be many many users, and if its open by default then it becomes
more difficult to figure out who could have access to what.



  Also, making the default XE distribution private is very easy: you just
  have to set up global rights and you are done for the whole wiki.


How do I do that ?


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Paul Harris
On 30 June 2011 15:50, Thomas Mortagne thomas.morta...@xwiki.com wrote:

 On Thu, Jun 30, 2011 at 09:22, Paul Harris harris...@gmail.com wrote:
  On 30 June 2011 15:15, Paul Harris harris...@gmail.com wrote:
 
  Hi guys,
 
  I installed the Admin Tools plugin
  http://extensions.xwiki.org/xwiki/bin/view/Extension/AdminTools
 
 
  snip
 
 
  And what is worse, I discovered by accident that the Unregistered User
 can
  access the space!
  For example, an unregistered user can access the /xwiki/Admin/RunQuery
  page, which could be used to run queries directly on the database, for
  example
  select * from xwikipreferences
 
 
  further to this,
 
  I wanted to try and restrict access to this Admin space.
 
  I set DENY access for all rights, for the Unregistered User, and for
  XWikiAllGroup.  (so, two rows of red-crosses)
  There are no other ticks or crosses in any other rows...
 
  Yet, my user PaulHarris still has access to the Admin space!  Why?
  See attached, screenshot from the Rights Check Tool,
  Clearly you can see that the group is denied access, yet the user has
 ALLOW
  access... how can that be, nothing is ticked?  How can a missing tick
  override a big red NO setting?

 This mailing list does not allow attachment files. If you found a bug
 create an issue on http://jira.xwiki.org with all details to reproduce
 it.

 


The attachment was of a table...

Space Admin

  Right                            Allow/Deny   Users               Groups
  view,comment,edit,delete,admin   Deny         XWiki.XWikiGuest
  view,comment,edit,delete,admin   Deny                             XWiki.XWikiAllGroup

  Group or User            VIEW   COMMENT   EDIT   ADMIN
  User XWiki.PaulHarris    true   true      true   true


can you see the html table?

thanks,
Paul


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Thomas Mortagne
On Thu, Jun 30, 2011 at 09:57, Paul Harris harris...@gmail.com wrote:
 On 30 June 2011 15:49, Thomas Mortagne thomas.morta...@xwiki.com wrote:

 On Thu, Jun 30, 2011 at 09:39, Asiri Rathnayake
 asiri.rathnay...@gmail.com wrote:
  Hi,
 
  On Thu, Jun 30, 2011 at 8:15 AM, Paul Harris harris...@gmail.com
 wrote:
 
  Hi guys,
 
  I installed the Admin Tools plugin
  http://extensions.xwiki.org/xwiki/bin/view/Extension/AdminTools
 
  And found that half the stuff didn't work anyway.
 
  Regardless, carrying on, I am hoping the User Rights tool will be
 helpful,
  however it can't seem to check the most important user:
  the Unregistered User
 
  And what is worse, I discovered by accident that the Unregistered User
 can
  access the space!
  For example, an unregistered user can access the /xwiki/Admin/RunQuery
  page,
  which could be used to run queries directly on the database, for example
  select * from xwikipreferences
 
  Does this give anyone else a heart attack too??
 
 
  I don't think this extension is part of the standard XE/XEM release.
 You
  should be careful when installing extensions.

 Yes this extension is a contribution and is not written or supported
 by the XWiki Core team.



 It was suggested in the official XWiki Upgrade documentation,
 see bottom of page here:
 http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Installation

 I assumed the core team would only mention quality extensions in
 documentation like that.





  WHY is there no default cannot view unless admin says so mode?
  This is a problem with all of my spaces.  When I create a space, I want
 to
  then have to go and ALLOW people to access it.  Not open by default,
 that
  is
  much harder to configure.
 
 
   It's a wiki, and wikis are supposed to be open by default. If the
   default behaviour is closed, it would be hard for a normal user to
   create a space and allow other users to contribute content (he'll have to
   wait for the admin to open that space).
 
  This is only my personal understanding and I'm not a professional XWiki
  user, so let's wait for some other views as well.

  Yes it's exactly that, a wiki that only an admin can contribute to is
  not a wiki... maybe a CMS.


 That is not my point.

 The wiki is open for editing, but only to registered users, and some spaces
 are only available to a subset of those users. It's mostly to prevent
 vandalism, plus some pages people want to only share with their particular
 group of users.

 There may be many many users, and if its open by default then it becomes
 more difficult to figure out who could have access to what.



  Also, making the default XE distribution private is very easy: you just
  have to set up global rights and you are done for the whole wiki.


 How do I do that ?

Go to the general right management UI and only give rights to the admin
group (no need to use deny, just set blank); that will implicitly
remove these rights for any other user. That's why users don't have
admin right for example in a default XE, even if guest has it when you
have not yet imported XE and its default right configuration. Then you
can give specific rights space by space.

Don't forget to give view right on the XWiki space for users, since a lot
of default applications actually have their code there, so users need to
be able to view/execute it.





-- 
Thomas Mortagne
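Thomas's recipe above (global rights ticked for the admin group only, everyone else left blank, then spaces opened one by one) and Paul's Rights Check table earlier in the thread (XWikiAllGroup and the guest denied on the Admin space, yet XWiki.PaulHarris, who holds the admin right, still allowed) can be put together in a small model. This is an added example, not XWiki's own rights implementation: it encodes only the behaviour the thread states (page, then space, then wiki; an allow for somebody implicitly denies everyone not listed; admins keep access; the "prevent unregistered users from viewing pages regardless of the page or space rights" toggle), and the exact precedence between allow and deny on one level and the name XWiki.XWikiAdminGroup are assumptions of the model. Principal, space and page names are the ones from the thread.

```python
from dataclasses import dataclass, field

GUEST = "XWiki.XWikiGuest"             # the Unregistered User, as in the thread
ALL_GROUP = "XWiki.XWikiAllGroup"      # every registered user, as in the thread
ADMIN_GROUP = "XWiki.XWikiAdminGroup"  # assumption: the group holding admin right


@dataclass(frozen=True)
class Rule:
    """One row of the rights UI: a right, a green tick or a red cross,
    and the users/groups the row applies to."""
    right: str                          # "view", "edit", "admin", ...
    allow: bool                         # True = green tick, False = red cross
    users: frozenset = frozenset()
    groups: frozenset = frozenset()

    def matches(self, user, groups):
        return user in self.users or bool(self.groups & groups)


@dataclass
class Wiki:
    wiki_rules: list = field(default_factory=list)    # global rights
    space_rules: dict = field(default_factory=dict)   # "Space" -> [Rule]
    page_rules: dict = field(default_factory=dict)    # "Space.Page" -> [Rule]
    prevent_guest_view: bool = False   # Andreas's "regardless of ... rights" toggle

    def is_admin(self, user, groups):
        """Admin right granted at wiki level: such users keep access everywhere
        (Thomas: "except admins of course")."""
        return any(r.right == "admin" and r.allow and r.matches(user, groups)
                   for r in self.wiki_rules)

    def has_right(self, user, groups, right, page):
        groups = frozenset(groups)
        if self.is_admin(user, groups):
            return True
        if user == GUEST and right == "view" and self.prevent_guest_view:
            return False
        space = page.split(".", 1)[0]
        # page first, then space, then the whole wiki (assumed order)
        for rules in (self.page_rules.get(page, []),
                      self.space_rules.get(space, []),
                      self.wiki_rules):
            relevant = [r for r in rules if r.right == right]
            if not relevant:
                continue                       # nothing set here: look one level up
            if any(not r.allow and r.matches(user, groups) for r in relevant):
                return False                   # explicit red cross
            if any(r.allow and r.matches(user, groups) for r in relevant):
                return True                    # explicit green tick
            if any(r.allow for r in relevant):
                return False                   # someone else is ticked: implicit deny
            # only red crosses for other people at this level: keep looking up
        return True                            # nothing configured anywhere: open


def private_wiki_example(prevent_guest_view=False):
    """Thomas's recipe: global rights to the admin group only, then open
    spaces one by one. Spaces and pages are the ones named in the thread."""
    w = Wiki(prevent_guest_view=prevent_guest_view)
    w.wiki_rules = [Rule("view", True, groups=frozenset({ADMIN_GROUP})),
                    Rule("admin", True, groups=frozenset({ADMIN_GROUP}))]
    # registered users need the XWiki space (application code) and Main
    w.space_rules["XWiki"] = [Rule("view", True, groups=frozenset({ALL_GROUP}))]
    w.space_rules["Main"] = [Rule("view", True, users=frozenset({GUEST}),
                                   groups=frozenset({ALL_GROUP}))]
    # the guest also needs the colour theme image, which lives in ColorThemes
    w.space_rules["ColorThemes"] = [Rule("view", True, users=frozenset({GUEST}))]
    # Paul's Admin space: red crosses for the guest and for every registered user
    w.space_rules["Admin"] = [Rule("view", False, users=frozenset({GUEST}),
                                    groups=frozenset({ALL_GROUP}))]
    return w


if __name__ == "__main__":
    w = private_wiki_example()
    for who, groups in ((GUEST, set()), ("XWiki.Alice", {ALL_GROUP}),
                        ("XWiki.PaulHarris", {ALL_GROUP, ADMIN_GROUP})):
        for page in ("Main.WebHome", "ColorThemes.Nightfall",
                     "Admin.RunQuery", "Sandbox.WebHome"):
            print(who, page, w.has_right(who, groups, "view", page))
```

Two things the model makes visible: with only the admin group ticked globally, a space nobody has opened (Sandbox here) is invisible to guest and registered users alike, with no red cross anywhere; and the red crosses on the Admin space do nothing for a user who holds the admin right, which is the situation the Rights Check table shows for XWiki.PaulHarris.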


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Andreas Hahn
Paul,

actually XWiki offers quite some fine grained rights administration.

Go to the XWiki administration page and then to 'rights' administration.
There you should see a couple of 'Prevent unregistered users from ...' 
options.

Prevent unregistered users from viewing pages, regardless of the page or 
space rights: no
Prevent unregistered users from editing pages, regardless of the page or 
space rights: yes
Require unregistered users to solve a captcha when posting a comment on 
a page: yes


(this is from XE 2.6, but I guess that hasn't changed since then ...)

Actually I'd recommend not to overuse the 'rights' stuff and keep it as 
simple as possible.
When you have pages that include other documents hunting for missing 
rights can get tricky ...


Andreas



Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Paul Harris
On 30 June 2011 16:26, Andreas Hahn ah...@gmx.net wrote:

 Paul,

 actually XWiki offers quite some fine grained rights administration.

 Go to the XWiki administration page and then to 'rights' administration.
 There you should see a couple of 'Prevent unregistered users from ...'
 options.

 Prevent unregistered users from viewing pages, regardless of the page or
 space rights: no
 Prevent unregistered users from editing pages, regardless of the page or
 space rights: yes
 Require unregistered users to solve a captcha when posting a comment on
 a page: yes




I'm a bit confused by this... I don't see how you could call this particular
option fine grained

I still want unregistered users to be able to see the front page, and maybe
a page or two more - describing who we are and how to join up.

If I tick those options, surely they would not be able to see any Welcome
page that I wanted them to see?




 (this is from XE 2.6, but I guess that hasn't changed since then ...)

 Actually I'd recommend not to overuse the 'rights' stuff and keep it as
 simple as possible.
 When you have pages that include other documents hunting for missing
 rights can get tricky ...


I thought my requirements were simple enough... stop people from seeing
stuff I don't want them to see.
But unfortunately its harder than I thought.

cheers
Paul


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Paul Harris
On 30 June 2011 16:20, Thomas Mortagne thomas.morta...@xwiki.com wrote:

 On Thu, Jun 30, 2011 at 09:57, Paul Harris harris...@gmail.com wrote:
  On 30 June 2011 15:49, Thomas Mortagne thomas.morta...@xwiki.com
 wrote:
 
  On Thu, Jun 30, 2011 at 09:39, Asiri Rathnayake
  asiri.rathnay...@gmail.com wrote:
   Hi,
  
   On Thu, Jun 30, 2011 at 8:15 AM, Paul Harris harris...@gmail.com
  wrote:
  
   Hi guys,
  
   I installed the Admin Tools plugin
   http://extensions.xwiki.org/xwiki/bin/view/Extension/AdminTools
  
   And found that half the stuff didn't work anyway.
  
   Regardless, carrying on, I am hoping the User Rights tool will be
  helpful,
   however it can't seem to check the most important user:
   the Unregistered User
  
   And what is worse, I discovered by accident that the Unregistered
 User
  can
   access the space!
   For example, an unregistered user can access the
 /xwiki/Admin/RunQuery
   page,
   which could be used to run queries directly on the database, for
 example
   select * from xwikipreferences
  
   Does this give anyone else a heart attack too??
  
  
   I don't think this extension is part of the standard XE/XEM release.
  You
   should be careful when installing extensions.
 
  Yes this extension is a contribution and is not written or supported
  by the XWiki Core team.
 
 
 
  It was suggested in the official XWiki Upgrade documentation,
  see bottom of page here:
  http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Installation
 
  I assumed the core team would only mention quality extensions in
  documentation like that.
 
 
 
 
 
   WHY is there no default cannot view unless admin says so mode?
   This is a problem with all of my spaces.  When I create a space, I
 want
  to
   then have to go and ALLOW people to access it.  Not open by default,
  that
   is
   much harder to configure.
  
  
    It's a wiki, and wikis are supposed to be open by default. If the
    default behaviour is closed, it would be hard for a normal user to
    create a space and allow other users to contribute content (he'll have
    to wait for the admin to open that space).
  
   This is only my personal understanding and I'm not a professional
 XWiki
   user, so let's wait for some other views as well.
 
   Yes it's exactly that, a wiki that only an admin can contribute to is
   not a wiki... maybe a CMS.
 
 
  That is not my point.
 
   The wiki is open for editing, but only to registered users, and some
   spaces are only available to a subset of those users. It's mostly to
   prevent vandalism, plus some pages people want to only share with their
   particular group of users.
 
  There may be many many users, and if its open by default then it
 becomes
  more difficult to figure out who could have access to what.
 
 
 
   Also, making the default XE distribution private is very easy: you just
   have to set up global rights and you are done for the whole wiki.
 
 
  How do I do that ?

  Go to the general right management UI and only give rights to the admin
  group (no need to use deny, just set blank); that will implicitly
  remove these rights for any other user. That's why users don't have
  admin right for example in a default XE, even if guest has it when you
  have not yet imported XE and its default right configuration. Then you
  can give specific rights space by space.


  Don't forget to give view right on the XWiki space for users, since a lot
  of default applications actually have their code there, so users need to
  be able to view/execute it.


Have you tested this?  It doesn't work for me...

I want the registered users to be able to see the Main/Welcome page, but
nothing else.

I did what you said, I have ticked View for XWikiAllGroup (not just admin),
and left everyone else's View right as Unticked.

Then I added a green tick in the View right in the XWiki space for the
Unregistered User.


When the unregistered user looks at the main welcome page, they can see the
content, but the black-to-grey styling is broken (I'm using the NightFall
colours with Colibri skin).

ideas?

thanks
Paul


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Andreas Hahn
Am 30.06.2011 10:33, schrieb Paul Harris:

 I'm a bit confused by this... I don't see how you could call this particular
 option fine grained

 I still want unregistered users to be able to see the front page, and maybe
 a page or two more - describing who we are and how to join up.

 If I tick those options, surely they would not be able to see any Welcome
 page that I wanted them to see?


Well, I can't speak for releases newer than 2.6 - but for that it was 
really simple.
Maybe you haven't found the 'unregistered users' settings on the users 
rights form?

have a look at http://shept.org - it's xwiki powered and does pretty much 
what you describe.
I don't remember any particular problems with the rights setup.

Andreas



 (this is from XE 2.6. but I guess that hasn't changed since then ...)

 Actually I'd recommend not to overuse the 'rights' stuff and keep it as
 simple as possible.
 When you have pages that include other documents hunting for missing
 rights can get tricky ...


 I thought my requirements were simple enough... stop people from seeing
 stuff I don't want them to see.
 But unfortunately its harder than I thought.

 cheers
 Paul




Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Thomas Mortagne
On Thu, Jun 30, 2011 at 10:39, Paul Harris harris...@gmail.com wrote:
 On 30 June 2011 16:20, Thomas Mortagne thomas.morta...@xwiki.com wrote:

 On Thu, Jun 30, 2011 at 09:57, Paul Harris harris...@gmail.com wrote:
  On 30 June 2011 15:49, Thomas Mortagne thomas.morta...@xwiki.com
 wrote:
 
  On Thu, Jun 30, 2011 at 09:39, Asiri Rathnayake
  asiri.rathnay...@gmail.com wrote:
   Hi,
  
   On Thu, Jun 30, 2011 at 8:15 AM, Paul Harris harris...@gmail.com
  wrote:
  
   Hi guys,
  
   I installed the Admin Tools plugin
   http://extensions.xwiki.org/xwiki/bin/view/Extension/AdminTools
  
   And found that half the stuff didn't work anyway.
  
   Regardless, carrying on, I am hoping the User Rights tool will be
  helpful,
   however it can't seem to check the most important user:
   the Unregistered User
  
   And what is worse, I discovered by accident that the Unregistered
 User
  can
   access the space!
   For example, an unregistered user can access the
 /xwiki/Admin/RunQuery
   page,
   which could be used to run queries directly on the database, for
 example
   select * from xwikipreferences
  
   Does this give anyone else a heart attack too??
  
  
   I don't think this extension is part of the standard XE/XEM release.
  You
   should be careful when installing extensions.
 
  Yes this extension is a contribution and is not written or supported
  by the XWiki Core team.
 
 
 
  It was suggested in the official XWiki Upgrade documentation,
  see bottom of page here:
  http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Installation
 
  I assumed the core team would only mention quality extensions in
  documentation like that.
 
 
 
 
 
   WHY is there no default cannot view unless admin says so mode?
   This is a problem with all of my spaces.  When I create a space, I
 want
  to
   then have to go and ALLOW people to access it.  Not open by default,
  that
   is
   much harder to configure.
  
  
    It's a wiki, and wikis are supposed to be open by default. If the
    default behaviour is closed, it would be hard for a normal user to
    create a space and allow other users to contribute content (he'll have
    to wait for the admin to open that space).
  
   This is only my personal understanding and I'm not a professional
 XWiki
   user, so let's wait for some other views as well.
 
   Yes it's exactly that, a wiki that only an admin can contribute to is
   not a wiki... maybe a CMS.
 
 
  That is not my point.
 
   The wiki is open for editing, but only to registered users, and some
   spaces are only available to a subset of those users. It's mostly to
   prevent vandalism, plus some pages people want to only share with their
   particular group of users.
 
  There may be many many users, and if its open by default then it
 becomes
  more difficult to figure out who could have access to what.
 
 
 
   Also, making the default XE distribution private is very easy: you just
   have to set up global rights and you are done for the whole wiki.
 
 
  How do I do that ?

 Go to the general right management UI and only give rights to the admin
 group (no need to use deny, just set blank), that will implicitly
 remove these rights for any other user. That's why users don't have
 admin right for example in a default XE even if guest has it when you
 have not yet imported XE and its default right configuration. Then you
 can give specific rights space by space.


 Don't forget to give view right on XWiki space for users since a lot
 of default applications actually have their code there so users need to
 be able to view/execute it.


 Have you tested this?  It doesn't work for me...

 I want the registered users to be able to see the Main/Welcome page, but
 nothing else.

 I did what you said, I have ticked View for XWikiAllGroup (not just admin),
 and left everyone else's View right as Unticked.

You are describing me the default view right configuration here which
is the opposite of what I told you to do, if you want users to only
access spaces you decided them to access you should not give them view
right. Or do you want that only for unregistered users? Your
first mail is not very clear about that.


 Then I added a green tick in the View right in the XWiki space for the
 Unregistered User.

Be careful with that, as I explained to you if you give view right only
to unregistered users then everyone else won't have it (except admins
of course).



 When the unregistered user looks at the main welcome page, they can see the
 content, but the black-to-grey styling is broken (I'm using the NightFall
 colours with Colibri skin).

If you want unregistered user to see main page then it should have the
right to do so, main page is not in XWiki space so if you removed view
right globally it's not going to work unless you give view right on
Main space or Main.WebHome page itself.


 ideas?

 thanks
 Paul

Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Paul Harris
On 30 June 2011 16:58, Thomas Mortagne thomas.morta...@xwiki.com wrote:

 On Thu, Jun 30, 2011 at 10:39, Paul Harris harris...@gmail.com wrote:
  On 30 June 2011 16:20, Thomas Mortagne thomas.morta...@xwiki.com
 wrote:
 
  On Thu, Jun 30, 2011 at 09:57, Paul Harris harris...@gmail.com wrote:
   On 30 June 2011 15:49, Thomas Mortagne thomas.morta...@xwiki.com
  wrote:
  
   On Thu, Jun 30, 2011 at 09:39, Asiri Rathnayake
   asiri.rathnay...@gmail.com wrote:
Hi,
   
On Thu, Jun 30, 2011 at 8:15 AM, Paul Harris harris...@gmail.com
   wrote:
   
Hi guys,
   
I installed the Admin Tools plugin
http://extensions.xwiki.org/xwiki/bin/view/Extension/AdminTools
   
And found that half the stuff didn't work anyway.
   
Regardless, carrying on, I am hoping the User Rights tool will be
   helpful,
however it can't seem to check the most important user:
the Unregistered User
   
And what is worse, I discovered by accident that the Unregistered
  User
   can
access the space!
For example, an unregistered user can access the
  /xwiki/Admin/RunQuery
page,
which could be used to run queries directly on the database, for
  example
select * from xwikipreferences
   
Does this give anyone else a heart attack too??
   
   
I don't think this extension is part of the standard XE/XEM
 release.
   You
should be careful when installing extensions.
  
   Yes this extension is a contribution and is not written or supported
   by the XWiki Core team.
  
  
  
   It was suggested in the official XWiki Upgrade documentation,
   see bottom of page here:
   http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Installation
  
   I assumed the core team would only mention quality extensions in
   documentation like that.
  
  
  
  
  
WHY is there no default "cannot view unless admin says so" mode?
This is a problem with all of my spaces.  When I create a space, I
  want
   to
then have to go and ALLOW people to access it.  Not open by
 default,
   that
is
much harder to configure.
   
   
It's a wiki, and wikis are supposed to be open by default. If the
default behaviour is closed, it would be hard for a normal user
 to
   create
a space and allow other users to contribute content (he'll have to
  wait
   for
the admin to open that space).
   
This is only my personal understanding and I'm not a professional
  XWiki
user, so let's wait for some other views as well.
  
   Yes it's exactly that, a wiki that only an admin can contribute to is
   not a wiki... maybe a CMS.
  
  
   That is not my point.
  
   The wiki is open for editing, but only to registered users, and some
  spaces
   are only available to a subset of those users.   It's mostly to prevent
   vandalism, plus some pages people want to only share with their
  particular
   group of users.
  
   There may be many many users, and if it's open by default then it
  becomes
   more difficult to figure out who could have access to what.
  
  
  
   Also making default XE distribution private is very easy you just
 have
   to setup global rights and you are done for the whole wiki.
  
  
   How do I do that ?
 
  Go to the general right management UI and only give rights to the admin
  group (no need to use deny, just set blank), that will implicitly
  remove these rights for any other user. That's why users don't have
  admin right for example in a default XE even if guest has it when you
  have not yet imported XE and its default right configuration. Then you
  can give specific rights space by space.
 
 
  Don't forget to give view right on XWiki space for users since a lot
  of default applications actually have their code there so users need to
  be able to view/execute it.
 
 
  Have you tested this?  It doesn't work for me...
 
  I want the registered users to be able to see the Main/Welcome page, but
  nothing else.
 
  I did what you said, I have ticked View for XWikiAllGroup (not just
 admin),
  and left everyone else's View right as Unticked.

 You are describing me the default view right configuration here which
 is the opposite of what I told you to do, if you want users to only
 access spaces you decided them to access you should not give them view
 right. Or do you want that only for unregistered users? Your
 first mail is not very clear about that.



I want:
* unregistered users to see Main/WebHome and that's it.
* ALL users to only see Main/WebHome and that's it
* users in Group ABC to be able to see spaces X and Y
* users in Group DEF to be able to see spaces X and Z

How do I do that?




 
  Then I added a green tick in the View right in the XWiki space for the
  Unregistered User.

 Be careful with that, as I explained to you if you give view right only
 to unregistered users then everyone else won't have it (except admins
 of course).


 
 
  When the unregistered user looks at the main welcome page, they can see
 the
  content, but the black-to-grey 

Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Paul Harris


 
 
  When the unregistered user looks at the main welcome page, they can see
 the
  content, but the black-to-grey styling is broken (I'm using the
 NightFall
  colours with Colibri skin).

 If you want unregistered user to see main page then it should have the
 right to do so, main page is not in XWiki space so if you removed view
 right globally it's not going to work unless you give view right on
 Main space or Main.WebHome page itself.


 I gave the unregistered user View access to Main.WebHome, AND to the Main
 space, however the styling is still broken.
 The frame around the text is just grey instead of the black-grey gradient.

 thanks,
 Paul



Further to this, the problem is that an unregistered user does not have
permission to access the link:
http://host.com/xwiki/download/ColorThemes/Nightfall/bg8x540.jpg


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Paul Harris
On 30 June 2011 16:53, Andreas Hahn ah...@gmx.net wrote:

 Am 30.06.2011 10:33, schrieb Paul Harris:
 
  I'm a bit confused by this... I don't see how you could call this
 particular
  option fine grained
 
  I still want unregistered users to be able to see the front page, and
 maybe
  a page or two more - describing who we are and how to join up.
 
  If I tick those options, surely they would not be able to see any Welcome
  page that I wanted them to see?
 

 Well, I can't speak for releases newer than 2.6 - but for that it was
 really simple.
 Maybe you haven't found the 'unregistered users' settings on the users
 rights form ?

 have a look at http://shept.org - it's xwiki powered and does pretty much
 what you describe.
 I don't remember any particular problems with the rights setup 

 Andreas


Hi Andreas,

Your site is perfect for illustrating my concerns about the open by
default configuration of xwiki.

I was able to register an account (I used my real email, but it could've
been a fake one), and was able to make a comment on your page here:
http://shept.org/docs/Shept/Features

Did you really intend to leave that page open for comments?  I would guess
not, since you turned off comments on your WebHome page.

I find it very scary how easy it is to leave doors and windows open.

I can shut the doors I find open, but I have no way of confirming that I
have closed all the doors, especially the back doors that I do not know
about (eg whatever is in the XWiki space)

cheers
Paul


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Thomas Mortagne
On Thu, Jun 30, 2011 at 11:11, Paul Harris harris...@gmail.com wrote:


 
 
  When the unregistered user looks at the main welcome page, they can see
 the
  content, but the black-to-grey styling is broken (I'm using the
 NightFall
  colours with Colibri skin).

 If you want unregistered user to see main page then it should have the
 right to do so, main page is not in XWiki space so if you removed view
 right globally it's not going to work unless you give view right on
 Main space or Main.WebHome page itself.


 I gave the unregistered user View access to Main.WebHome, AND to the Main
 space, however the styling is still broken.
 The frame around the text is just grey instead of the black-grey gradient.

 thanks,
 Paul



 Further to this, the problem is that an unregistered user does not have
 permission to access the link:
 http://host.com/xwiki/download/ColorThemes/Nightfall/bg8x540.jpg

That's because I actually forgot that color themes are not in the
XWiki space, as you can see in the link it's in ColorThemes space so
you should give view right on it too.





-- 
Thomas Mortagne


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Thomas Mortagne
On Thu, Jun 30, 2011 at 11:18, Paul Harris harris...@gmail.com wrote:
 On 30 June 2011 16:53, Andreas Hahn ah...@gmx.net wrote:

 Am 30.06.2011 10:33, schrieb Paul Harris:
 
  I'm a bit confused by this... I don't see how you could call this
 particular
  option fine grained
 
  I still want unregistered users to be able to see the front page, and
 maybe
  a page or two more - describing who we are and how to join up.
 
  If I tick those options, surely they would not be able to see any Welcome
  page that I wanted them to see?
 

 Well, I can't speak for releases newer than 2.6 - but for that it was
 really simple.
 Maybe you haven't found the 'unregistered users' settings on the users
 rights form ?

 have a look at http://shept.org - it's xwiki powered and does pretty much
 what you describe.
 I don't remember any particular problems with the rights setup 

 Andreas


 Hi Andreas,

 Your site is perfect for illustrating my concerns about the open by
 default configuration of xwiki.

 I was able to register an account (I used my real email, but it could've
 been a fake one), and was able to make a comment on your page here:
 http://shept.org/docs/Shept/Features

 Did you really intend to leave that page open for comments?  I would guess
 not, since you turned off comments on your WebHome page.

 I find it very scary how easy it is to leave doors and windows open.

 I can shut the doors I find open, but I have no way of confirming that I
 have closed all the doors, especially the back doors that I do not know
 about (eg whatever is in the XWiki space)

There is only one main place (the global wiki) with rights set up by
default, then you have several technical spaces with restricted edit
access for the admin group like XWiki and ColorThemes (and those are the
same spaces that should have view right enabled in a closed wiki since
that is where the resources shared everywhere are located), and that's it.
If you find anything else, it's a bug.

If you remove comment right globally then you don't have it anywhere
else, same for any other right.


 cheers
 Paul




-- 
Thomas Mortagne
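The closed-by-default layout Thomas describes (global rights to the admin group only, view on the XWiki and ColorThemes spaces, then rights space by space), applied to the spaces and groups Paul listed, as an added example that is not from this thread or from XWiki's own code. It models XWiki's right resolution in a simplified, assumed form: a right is checked at page, then space, then wiki level; the first level with any entry for that right decides it and implicitly denies everyone not listed; the admin group always passes. The group names ABC/DEF, the spaces X/Y/Z and the user names are the thread's hypothetical ones or constructed here.

```python
from dataclasses import dataclass, field

GUEST = "XWikiGuest"        # the "Unregistered User" of the rights UI
ALL = "XWikiAllGroup"       # every registered user
ADMINS = "XWikiAdminGroup"


@dataclass
class Rights:
    # level -> right -> set of allowed users/groups; levels are "wiki",
    # "space:<Space>" or "page:<Space>.<Page>" (constructed model, not XWiki's code)
    rules: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)   # user -> set of group names

    def allow(self, level, right, *subjects):
        self.rules.setdefault(level, {}).setdefault(right, set()).update(subjects)

    def subjects_for(self, user):
        subjects = {user} | self.groups.get(user, set())
        if user != GUEST:
            subjects.add(ALL)          # guests are not in XWikiAllGroup
        return subjects

    def can(self, user, right, space, page="WebHome"):
        subjects = self.subjects_for(user)
        if ADMINS in subjects:
            return True                # the admin group always passes
        for level in (f"page:{space}.{page}", f"space:{space}", "wiki"):
            allowed = self.rules.get(level, {}).get(right)
            if allowed is not None:    # entries exist: decided here, and
                return bool(allowed & subjects)   # anyone not listed is denied
        return True                    # no entry at any level: open (the default)


def closed_wiki():
    """The closed-by-default layout asked for in the thread."""
    r = Rights(groups={"alice": {"ABC"}, "bob": {"DEF"}, "root": {ADMINS}})
    r.allow("wiki", "view", ADMINS)                   # global: admin group only
    r.allow("page:Main.WebHome", "view", GUEST, ALL)  # the welcome page, nothing else
    for space in ("XWiki", "ColorThemes"):            # shared code and skin resources
        r.allow(f"space:{space}", "view", GUEST, ALL)
    r.allow("space:X", "view", "ABC", "DEF")
    r.allow("space:Y", "view", "ABC")
    r.allow("space:Z", "view", "DEF")
    return r


def misconfigured_wiki():
    """The pitfall: ticking only the Unregistered User for view in the XWiki
    space removes that right from every registered user (admins excepted)."""
    r = closed_wiki()
    r.rules["space:XWiki"]["view"] = {GUEST}
    return r


def audit(r, users, spaces):
    """Which of the given users can view each space: the 'have I closed all
    the doors' check, run over a list of spaces."""
    return {s: sorted(u for u in users if r.can(u, "view", s)) for s in spaces}
```

Running `audit` over every space of a wiki after each rights change is the confirmation step Paul asks for; `misconfigured_wiki` shows why registered users lose the XWiki space when only the unregistered user is ticked there.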


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Andreas Hahn

 Hi Andreas,

 Your site is perfect for illustrating my concerns about the open by
 default configuration of xwiki.

 I was able to register an account (I used my real email, but it could've
 been a fake one), and was able to make a comment on your page here:
 http://shept.org/docs/Shept/Features

 Did you really intend to leave that page open for comments?  I would guess
 not, since you turned off comments on your WebHome page.

 I find it very scary how easy it is to leave doors and windows open.

 I can shut the doors I find open, but I have no way of confirming that I
 have closed all the doors, especially the back doors that I do not know
 about (eg whatever is in the XWiki space)

 cheers
 Paul

Hi Paul,

well you can make a philosophy out of what information should be allowed 
and restricted ...
As for shept.org as an open source project I'm pretty fine with the 
current setup.
I get regular notifications about what's being changed and should there 
be some offending stuff there's always the option to delete it.

I'm running other XWiki sites with more restricted rights.
My approach for getting more confidence about security settings was 
studying the server logs and understanding what the robots find out.
Of course you can also do the same before going public with some 
site-copy tool ...

ciao

Andreas







Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Paul Harris
On 30 June 2011 17:28, Thomas Mortagne thomas.morta...@xwiki.com wrote:

 On Thu, Jun 30, 2011 at 11:11, Paul Harris harris...@gmail.com wrote:
 
 
  
  
   When the unregistered user looks at the main welcome page, they can
 see
  the
   content, but the black-to-grey styling is broken (I'm using the
  NightFall
   colours with Colibri skin).
 
  If you want unregistered user to see main page then it should have the
  right to do so, main page is not in XWiki space so if you removed view
  right globally it's not going to work unless you give view right on
  Main space or Main.WebHome page itself.
 
 
  I gave the unregistered user View access to Main.WebHome, AND to the
 Main
  space, however the styling is still broken.
  The frame around the text is just grey instead of the black-grey
 gradient.
 
  thanks,
  Paul
 
 
 
  Further to this, the problem is that an unregistered user does not have
  permission to access the link:
  http://host.com/xwiki/download/ColorThemes/Nightfall/bg8x540.jpg

 That's because I actually forgot that color themes are not in the
 XWiki space, as you can see in the link it's in ColorThemes space so
 you should give view right on it too.


Thanks Thomas, that seems to have done the job!

Is this documented anywhere?


Re: [xwiki-users] Crazy-bad security

2011-06-30 Thread Paul Harris
On 30 June 2011 18:09, Andreas Hahn ah...@gmx.net wrote:


  Hi Andreas,
 
  Your site is perfect for illustrating my concerns about the open by
  default configuration of xwiki.
 
  I was able to register an account (I used my real email, but it could've
  been a fake one), and was able to make a comment on your page here:
  http://shept.org/docs/Shept/Features
 
  Did you really intend to leave that page open for comments?  I would
 guess
  not, since you turned off comments on your WebHome page.
 
  I find it very scary how easy it is to leave doors and windows open.
 
  I can shut the doors I find open, but I have no way of confirming that I
  have closed all the doors, especially the back doors that I do not know
  about (eg whatever is in the XWiki space)
 
  cheers
  Paul

 Hi Paul,

 well you can make a philosophy out of what information should be allowed
 and restricted ...
 As for shept.org as an open source project I'm pretty fine with the
 current setup.
 I get regular notifications about what's being changed and should there
 be some offending stuff there's always the option to delete it.

 I'm running other XWiki sites with more restricted rights.
 My approach for getting more confidence about security settings was
 studying the server logs and understanding what the robots find out.
 Of course you can also do the same before going public with some
 site-copy tool ...

 ciao

 Andreas


In your secure wikis, did you check this page:

 http://shept.org/docs/XWiki/Import#Attachments

An Unregistered, un-logged on user can download any .xar that you have
uploaded and imported...
which means if you have imported content from eg another wiki, then the user
could download the .xar and load all of your content onto his own xwiki
instance, and see all of your secured content.

I'm not happy about allowing View access on the entire XWiki space, there
are a lot of things in there that probably shouldn't be accessible ... but
it's hard to tell!