On Thu, Jun 30, 2011 at 09:39, Asiri Rathnayake <asiri.rathnay...@gmail.com> wrote:
> Hi,
>
> On Thu, Jun 30, 2011 at 8:15 AM, Paul Harris <harris...@gmail.com> wrote:
>
>> Hi guys,
>>
>> I installed the "Admin Tools" plugin
>> http://extensions.xwiki.org/xwiki/bin/view/Extension/AdminTools
>>
>> And found that half the stuff didn't work anyway.
>>
>> Regardless, carrying on, I am hoping the User Rights tool will be helpful,
>> however it can't seem to check the most important user:
>> the Unregistered User
>>
>> And what is worse, I discovered by accident that the Unregistered User can
>> access the space!
>> For example, an unregistered user can access the /xwiki/Admin/RunQuery page,
>> which could be used to run queries directly on the database, for example
>> select * from xwikipreferences
>>
>> Does this give anyone else a heart attack too??
>
> I don't think this "extension" is part of the standard XE/XEM release. You
> should be careful when installing extensions.

Yes, this extension is a contribution and is not written or supported by the XWiki Core team.

>> WHY is there no default "cannot view unless admin says so" mode?
>> This is a problem with all of my spaces. When I create a space, I want to
>> then have to go and ALLOW people to access it. Not open by default, that is
>> much harder to configure.
>
> It's a wiki, and wikis are supposed to be open by default. If the
> default behaviour is "closed", it would be hard for a normal user to create
> a space and allow other users to contribute content (he'll have to wait for
> the admin to open that space).
>
> This is only my personal understanding and I'm not a professional XWiki
> user, so let's wait for some other views as well.

Yes, it's exactly that: a wiki that only an admin can contribute to is not a wiki... maybe a CMS. Also, making the default XE distribution private is very easy: you just have to set up global rights and you are done for the whole wiki.

> Thanks.
>
> - Asiri
>
>> Can someone please look at rights management, it seems to be insecure by
>> default, and makes me scared.
>>
>> thanks.
>> Paul
>> _______________________________________________
>> users mailing list
>> users@xwiki.org
>> http://lists.xwiki.org/mailman/listinfo/users

--
Thomas Mortagne