
Bug: Registration is not complete if the TWiki web is protected

Hello,

I have this configuration in TWiki/WebPreferences:

Set DENYWEBVIEW =
Set ALLOWWEBVIEW = TWikiAdminGroup
Set DENYWEBCHANGE =
Set ALLOWWEBCHANGE = TWikiAdminGroup
Set DENYWEBRENAME =
Set ALLOWWEBRENAME = TWikiAdminGroup

When I try to add the user, I have a problem during the registration.

In the normal case the log looks like this:

Main.AdmT | view | TWiki.TWikiRegistration 
Main.NewU | save | Main.NewU
Main.NewU | save | Main.TWikiUsers
Main.NewU | register | Main.NewU | New@user.org

The problem is in line 3, because the new user cannot modify TWikiUsers.

Test case

Environment

TWiki version: TWikiBetaRelease2004x07x30
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: Debian
Web server:  
Perl version:  
Client OS:  
Web Browser:  

-- ErwanMAS - 18 Aug 2004

Follow up

A note for others who might have this problem: I fixed this in my own twiki install by commenting out line 211 of .../cgi-bin/twiki/register, the line which adds the new user to the TWikiUsers topic. Unfortunate side effect: you must manually add users to TWikiUsers when they register.

-- EdwardPiou - 29 Jun 2005

Version Wed, 08 Feb 2006 build 8740: code has changed from EdwardPiou's note.

  • lib/TWiki/UI/Register.pm is used
  • sub finish() calls $session->{users}->createUser(...)


This should be classified as a Security Problem. The TWiki Web should be protected against update by TWikiGuest.

Or better still, registration should not be in the TWiki Web.

Fix record

Not sure that this is the case if the TWiki web is protected... I've seen this condition for the Main web, as that is where the Main.TWikiUsers file is kept.

I agree that having the Main web viewable by only registered users is desirable... on one of my sites I had people give telephone numbers etc that I didn't want to expose to low-lifes.

From DakarRelease the RegisterCgiScriptRewrite entailed a change to make TWikiUsers changeable by only the TWikiRegistrationAgent - registration is now executed by this slightly privileged user. This means that the Main web can be denied to TWikiGuest.

I don't remember whether I tested it but I wouldn't be surprised if the original problem has been solved. Certainly it would not take much effort to solve now.

-- MartinCleaver - 12 Mar 2006

Version Wed, 08 Feb 2006 build 8740: Uses the TWikiRegistrationAgent to make changes. If TWikiRegistrationAgent does not have change permission for Main, then the confirmation step will fail when the new-user page cannot be made. -- AlanGrover - 15 Mar 2006

Solution

Add Main.TWikiRegistrationAgent to ALLOWWEBCHANGE on Main.WebPreferences.

Can Main.TWikiRegistrationAgent be added by default to ALLOWWEBCHANGE on Main.WebPreferences?

-- AlanGrover - 15 Mar 2006
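
A preflight check for the condition described in this thread, as an added example that is not part of the original topic and is not TWiki code: it reads the `Set` lines of Main.WebPreferences and reports whether TWikiRegistrationAgent can change the Main web while TWikiGuest cannot. The access model (deny list wins, a non-empty allow list restricts, no topic-level settings), the function names, the sample preference texts and the group membership are assumptions made for the example.

```python
import re

# Accepts "   * Set NAME = value"; the bullet is optional because the report
# quotes its settings without it.
SET_RE = re.compile(r"^\s*(?:\*\s+)?Set\s+(\w+)\s*=[ \t]*(.*)$", re.MULTILINE)

def parse_prefs(text):
    """Return {setting: [names]}, stripping web prefixes such as 'Main.'."""
    prefs = {}
    for key, value in SET_RE.findall(text):
        names = [n for n in re.split(r"[,\s]+", value.strip()) if n]
        prefs[key] = [n.rsplit(".", 1)[-1] for n in names]
    return prefs

def may(user, action, prefs, groups):
    """Assumed model: DENYWEB<action> wins; a non-empty ALLOWWEB<action> restricts."""
    def listed(names):
        return any(user == n or user in groups.get(n, ()) for n in names)
    if listed(prefs.get("DENYWEB" + action, [])):
        return False
    allow = prefs.get("ALLOWWEB" + action, [])
    return not allow or listed(allow)

def registration_findings(main_prefs_text, groups):
    """Check the two conditions discussed in the thread for the Main web."""
    prefs = parse_prefs(main_prefs_text)
    findings = []
    if not may("TWikiRegistrationAgent", "CHANGE", prefs, groups):
        findings.append("TWikiRegistrationAgent cannot change Main; registration will fail")
    if may("TWikiGuest", "CHANGE", prefs, groups):
        findings.append("TWikiGuest can change Main; web is writable without login")
    return findings

# Constructed Main.WebPreferences samples, modelled on the settings in the report.
LOCKED = """
   * Set DENYWEBCHANGE =
   * Set ALLOWWEBCHANGE = TWikiAdminGroup
"""
FIXED = """
   * Set DENYWEBCHANGE =
   * Set ALLOWWEBCHANGE = TWikiAdminGroup, Main.TWikiRegistrationAgent
"""
GROUPS = {"TWikiAdminGroup": {"AdmT"}}  # hypothetical group membership

if __name__ == "__main__":
    for name, text in (("locked", LOCKED), ("fixed", FIXED), ("open", "")):
        print(name, registration_findings(text, GROUPS) or "ok")
```
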

Is this behavior documented? I could not find it in ManagingUsers, TWikiInstallationGuide or TWikiUserAuthentication

-- RafaelAlvarez - 12 Aug 2008

 
WebForm
TopicClassification BugReport
TopicSummary Security Problem :- In order to allow registration, the TWiki web and key files have to be writable by TWikiGuest
InterestedParties AntonAylward AlanGrover
AssignedTo

AssignedToCore

ScheduledFor

RelatedTopics

SpecProgress

ImplProgress

DocProgress

Topic revision: r8 - 12 Aug 2008 - 17:12:54 - RafaelAlvarez
Codev.RegistrationDoesNotCompleteIfTWikiWebProtected moved from Codev.RegistrationIsNotComplete on 06 Jul 2005 - 12:38 by MartinCleaver - put it back
 