I just noticed that the TWiki.TWikiPreferences is not locked down explicitly. The whole TWiki web is locked down for editing to the admin group with an ALLOWWEBCHANGE WebPreferences setting. That is, the site preferences are write protected as well. So far so good.
BUT: What happens if an admin decides to remove the write restriction for the TWiki web? He/she does not realize that the TWikiPreferences is open. Same issue when upgrading from an earlier TWiki where the TWiki web is already open. This leaves the TWikiPreferences open for anyone to edit. What was the reason to remove ALLOWTOPICCHANGE and ALLOWTOPICRENAME? Any reason not to play safe and put it back?
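An added audit for the situation described above (example code, not part of this post or of TWiki itself): it parses the `* Set NAME = value` lines of a topic and its web's WebPreferences and lists the topics left editable by everyone. It uses the simplified rule that a topic-level ALLOW/DENY setting takes precedence over the web-level one, and the sample topic texts are constructed.

```python
import re

# Matches a TWiki preference line such as "   * Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup"
SET_RE = re.compile(r"^\s+\*\s+Set\s+([A-Z]+)\s*=\s*(.*?)\s*$", re.MULTILINE)


def settings(topic_text):
    """Collect the '* Set NAME = value' preferences found in a topic's text."""
    return dict(SET_RE.findall(topic_text))


def effective_change_lock(topic_text, webprefs_text):
    """Who may edit a topic: a topic-level ALLOW/DENY setting wins, then the
    web-level one from WebPreferences; with neither, anyone may edit.
    Returns (scope, setting, value), or ('none', '', '') when open."""
    topic, web = settings(topic_text), settings(webprefs_text)
    for scope, prefs, names in (
        ("topic", topic, ("ALLOWTOPICCHANGE", "DENYTOPICCHANGE")),
        ("web", web, ("ALLOWWEBCHANGE", "DENYWEBCHANGE")),
    ):
        for name in names:
            if prefs.get(name):  # an empty value (" = ") counts as unset
                return scope, name, prefs[name]
    return "none", "", ""


def world_editable_topics(topics, webprefs_text):
    """Sorted names of the topics that end up editable by everyone."""
    return sorted(name for name, text in topics.items()
                  if effective_change_lock(text, webprefs_text)[0] == "none")


# Constructed sample: a TWikiPreferences with no topic-level lock, and a
# WebPreferences locking the whole web to TWikiAdminGroup, as in the post.
TWIKI_PREFERENCES = "---+ TWiki Site-Level Preferences\n   * Set WIKITOOLNAME = TWiki\n"
WEB_PREFERENCES_LOCKED = "---+ TWiki Web Preferences\n   * Set ALLOWWEBCHANGE = Main.TWikiAdminGroup\n"
# The same web after an admin removes the web-level restriction.
WEB_PREFERENCES_OPEN = "---+ TWiki Web Preferences\n   * Set ALLOWWEBCHANGE =\n"
TOPICS = {"TWikiPreferences": TWIKI_PREFERENCES, "WebHome": "---+ Welcome\n"}

if __name__ == "__main__":
    print("locked web:", world_editable_topics(TOPICS, WEB_PREFERENCES_LOCKED))  # []
    print("open web:", world_editable_topics(TOPICS, WEB_PREFERENCES_OPEN))  # ['TWikiPreferences', 'WebHome']
```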
Imho, the overall default policy should be reversed. Right now, a default install is world writeable as soon as it is switched on. Given you don't want to have a world-writeable public wiki, you have to go around and lock down everything, which is a daunting and error-prone task. And there is a time window where your site is not protected.

The solution is so simple: ship TWiki with everything locked, only allowing the TWikiAdminGroup any modifications, which is the first and only user in the beginning anyway. If you need more access then do so step by step...
This is a good idea, and needs to be discussed elsewhere. Locking down everything by default brings up a chicken-and-egg problem at installation time.
- TWiki 4: 10224
- DEVELOP: 10225