I just noticed that the TWiki.TWikiPreferences is not locked down explicitely. The whole TWiki web is locked down for editing to the admin group with a ALLOWWEBCHANGE WebPreferences setting. That is, the site preferences are write protected as well. So far so good.

BUT: What happens if an admin decides to remove the write restriction for the TWiki web? He/she does not realize that the TWikiPreferences is open. Same issue when upgrading from an earlier TWiki where the TWiki web is already open. This leaves the TWikiPreferences open for anyone to edit. What was the reason to remove ALLOWTOPICCHANGE and ALLOWTOPICRENAME? Any reason not to play safe and put it back?

-- PTh

Imho, the overall default policy should be reversed. Right now, a default install is world writeable as soon as it switched on. Given you don't want to have a world-writeable public wiki you have to go around and lock down everything which is a daunting and error prone task. And there is a time window where your site is not protected.

The solution is so simple: ship twiki with everything locked only allowing the TWikiAdminGroup any modifications, which is the first and only user in the beginning anyway. If you need more access then do so step by step...

-- MD

This is a good idea, and needs to be discussed elsewhere. Locking down everything by default brings up a chicken and egg problem at installation time.

-- PTh

Done:

• TWiki 4: 10224
• DEVELOP: 10225

-- PTh