Problematic Values for FINALPREFERENCES in Distribution
The 4.1.2 distribution doesn't prevent setting {ALLOW,DENY}ROOTCHANGE in Web- or topic-preferences. Also some FINALPREFERENCES assignments have old and (supposedly unsupported) values.
Namely, the FINALPREFERENCES assignment in Main.TWikiPreferences has ALLOWWEBMANAGE, which, AFAIU, doesn't exist any more. Instead, ALLOWROOTCHANGE and DENYROOTCHANGE should be listed there -- currently there is no FINALPREFERENCES entry for *ROOTCHANGE* anywhere in the distribution. (The missing *ROOTCHANGE entries make the priority of this bug report Normal, IMO; otherwise it would have been Low.)
Similarly, TWiki.WebPreferences has ALLOWWEBMANAGE and DENYWEBMANAGE, which should be discarded as well. Probably it would be good to add DENYWEBRENAME and ALLOWWEBRENAME instead, as it is done in _default.WebPreferences.
-- TWiki:Main.JoachimSchrod - 28 Apr 2007
Confirmed. Elevating to urgent, as it's something that needs a full and careful audit, and we can't let another release go without one. Users have been bitten many times by FINALPREFERENCES, especially when dealing with subwebs.
I set the list in Main.TWikiPreferences to:
- Set FINALPREFERENCES = ATTACHFILESIZELIMIT, PREVIEWBGIMAGE, WIKITOOLNAME, WIKIHOMEURL, ALLOWROOTCHANGE, DENYROOTCHANGE, TWIKILAYOUTURL, TWIKISTYLEURL, TWIKICOLORSURL, USERSWEB, SYSTEMWEB, DOCWEB
Anyone got any better ideas?
CC
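An added example, not part of this thread or of the TWiki code base: one way to audit preference topics for the two problems reported above (obsolete names in FINALPREFERENCES, access-control settings left unfinalised). It assumes the bullet-style "Set NAME = value" syntax and that the last FINALPREFERENCES line in a topic is the effective one; the name lists come from the posts above, and the "before" topic text is constructed.

```python
import re

# Names taken from the bug report above; the sample topic texts below are constructed.
OBSOLETE = {"ALLOWWEBMANAGE", "DENYWEBMANAGE"}
REQUIRED_FINAL = {
    "Main.TWikiPreferences": {"ALLOWROOTCHANGE", "DENYROOTCHANGE"},
    "TWiki.WebPreferences": {"ALLOWWEBRENAME", "DENYWEBRENAME"},
}

# Assumption: a preference is set on an indented bullet line, "   * Set NAME = value".
SET_RE = re.compile(r"^[ \t]+[*-][ \t]+Set[ \t]+(\w+)[ \t]*=[ \t]*(.*)$", re.MULTILINE)


def final_preferences(topic_text):
    """Return the names in the topic's FINALPREFERENCES setting, or None if absent."""
    names = None
    for name, value in SET_RE.findall(topic_text):
        if name == "FINALPREFERENCES":  # assumption: the last setting is the effective one
            names = {n.strip() for n in value.split(",") if n.strip()}
    return names


def audit(topic_name, topic_text):
    """Return a list of findings for one preferences topic (empty list means clean)."""
    final = final_preferences(topic_text)
    if final is None:
        return [f"{topic_name}: no FINALPREFERENCES setting"]
    findings = [f"{topic_name}: obsolete entry {n}" for n in sorted(final & OBSOLETE)]
    missing = REQUIRED_FINAL.get(topic_name, set()) - final
    findings += [f"{topic_name}: {n} is not finalised" for n in sorted(missing)]
    return findings


# Constructed "before" topic matching the report; "after" is the list from the reply.
BEFORE = "   * Set FINALPREFERENCES = ATTACHFILESIZELIMIT, WIKITOOLNAME, ALLOWWEBMANAGE\n"
AFTER = (
    "   * Set FINALPREFERENCES = ATTACHFILESIZELIMIT, PREVIEWBGIMAGE, WIKITOOLNAME, "
    "WIKIHOMEURL, ALLOWROOTCHANGE, DENYROOTCHANGE, TWIKILAYOUTURL, TWIKISTYLEURL, "
    "TWIKICOLORSURL, USERSWEB, SYSTEMWEB, DOCWEB\n"
)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit("Main.TWikiPreferences", text) or "ok")
```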