The same thing occurred to me when I installed Sling for the first time on a
public server; I had to quickly slam down some firewall rules to make sure
that I was the only person that could access the application before getting
some basic authentication in place. Does not seem like a good way to get
people to try things.

I think the first page that displays after install should explain that
everything is locked down and how to enable access (normally this should
only be possible by having direct access to the server).

-Tako


On Wed, Aug 11, 2010 at 09:15, Mike Müller <[email protected]> wrote:

> Hi
>
> Wouldn't it be safer if this feature is turned off by default?
>
> best regards
> mike
>
> > -----Original Message-----
> > From: Eric Norman [mailto:[email protected]]
> > Sent: Wednesday, August 11, 2010 2:57 AM
> > To: [email protected]
> > Subject: Re: User managment
> >
> >
> > Hi Tony,
> >
> > Looks to me like you have discovered a bug.  The self-reg enabled flag is
> > not handled correctly when activating the component.
> >
> > I filed a new bug report (SLING-1639
> > <https://issues.apache.org/jira/browse/SLING-1639>) to track the defect and
> > I will fix it now.
> >
> > Regards,
> > -Eric
> >
> > On Tue, Aug 10, 2010 at 11:08 AM, Tony Giaccone
> > <[email protected]> wrote:
> >
> > >
> > > I'm reading from the Sling web site:
> > >
> > > "The jackrabbit-usermanager bundle delivers a REST interface to create,
> > > update and delete users...."
> > >
> > > And I have been able to successfully add a user, by executing the following
> > > curl command.
> > >
> > > curl -F:name=reader -Fpwd=ourReader -FpwdConfirm=ourReader \
> > >      -F"desc=Read only access" \
> > >      http://localhost:8080/sling/system/userManager/user.create.html
> > >
> > > Except that it seems that anyone at any time can post to this URL and
> > > create a user.
> > >
> > >
> > > So I looked at the configuration for that bundle and found a checkbox
> > > labeled:
> > >
> > > Self-Registration Enabled
> > >
> > >        When selected, the anonymous user is allowed to register a new user
> > > with the system. (self.registration.enabled)
> > >
> > >
> > > And that checkbox was checked. So it seems that I should be able to uncheck
> > > that box and prevent anonymous user creation.
> > >
> > > However, it doesn't work. I can still create new users as anonymous.
> > >
> > > What am I doing wrong?
> > >
> > >
> > > Tony
> >
>
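
A check for the behaviour discussed in this thread, added here as an example and not code from the Sling project or from anyone on the list: it posts the same create form without credentials and reports whether the server accepted it, so the effect of the self-registration setting is verified rather than assumed. The function names, the mock server and its 403 refusal status are assumptions made for the example.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

CREATE_PATH = "/sling/system/userManager/user.create.html"  # path quoted in the thread


def anonymous_create_allowed(base_url, timeout=5):
    """POST the create form without credentials; True if the server accepts it."""
    password = uuid.uuid4().hex
    form = urllib.parse.urlencode({
        ":name": "selfreg-check-" + uuid.uuid4().hex[:8],
        "pwd": password,
        "pwdConfirm": password,
    }).encode()
    # Empty ProxyHandler: talk to the server directly, ignoring proxy env vars.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(base_url + CREATE_PATH, data=form, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError:
        return False  # any 4xx/5xx counts as "refused"


def start_mock(self_registration_enabled):
    """Constructed stand-in for a Sling instance so the check runs offline."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            # Assumption: a refusal is signalled with a non-2xx status (403 here).
            self.send_response(200 if self_registration_enabled else 403)
            self.end_headers()

        def log_message(self, *args):
            pass  # keep the demo quiet

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port


if __name__ == "__main__":
    for flag in (True, False):
        server, url = start_mock(flag)
        print("flag=%s -> anonymous create accepted: %s" % (flag, anonymous_create_allowed(url)))
        server.shutdown()
```

Against a real instance, a True result means a throwaway selfreg-check-* account now exists and should be deleted after the check. The thread does not say what status a real server returns when it refuses, so any 4xx/5xx is treated as refused.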
