
The new user template at NewUserTemplate has the line

        * Optionally write protect your home page: (set it to your %TWIKIWEB%.WikiName)
                * Set ALLOWTOPICCHANGE =
This leaves the user's newly created home topic open to editing by anyone. In particular to unauthorized users.

While this may be acceptable in a highly collegiate corporate intranet, it is unacceptable for a publicly accessible site.

At the very least, there should also be a

                * Set DENYTOPICCHANGE = TWikiGuest

What would be preferable is to have the default set to the user's Wikiname.

However while

                * Set ALLOWTOPICCHANGE = %TOPIC%
displays what is expected, the access control parser does not see that as a Wikiname!

More to the point, if the %TOPIC% is in the template it is not expanded and substituted when the user home page is created.

The peculiarities of the registration process, being different from the normal


When a user topic is created, it is done so in the context of a save, isn't it? Aren't there any %URLPARAMs that might help? If not, we could add something I'd been thinking about for a while viz.
%EXPAND{"%TOPIC%"}%
which would force expansion of the contents of the EXPAND tag when a topic based on the template was instantiated. To make it syntactically consistent with %NOP we could allow newlines in the tag:
%EXPAND{
   * Set ALLOWTOPICCHANGE = %TOPIC%
}%
Would that solve your problem? CC
  1. I experimented with URLPARAM. It doesn't seem to work.
    As I said, the peculiarities of the registration process, being different from the normal creation of the topic, don't recognise URLPARAM.

    It might be interesting to rewrite that part of the process so that the creation of an account is more like the creation of any other topic. This would involve create_topic+action.
    While this might be interesting in other ways, and might allow for such things as automatic addition to groups on registration, simplify immediate notification of new topics and so forth, it's not a Dakar issue.
  2. The %EXPAND sounds cool.
    Am I correct in thinking it would also deal with:

---++ Topics I've been involved in recently

---+++ TWiki
%SEARCH{ "Main.%TOPIC%" web="TWiki" scope="text" nosearch="on" nosummary="on" noheader="on" nototal="on" regex="off" order="modified" reverse="on" limit="20"}%

-- AA

If you mean, would it expand a search placed in an expand bracket, then yes, it would. Hey, that's kinda neat. Can't think of a good way to use it, but it would work.

CC


Just in case I'm not making myself clear.

The %TOPIC is expanded when the topic is created, not when it is accessed. So that if, after creation, you look at the raw form of my home topic, it will read

                * Set ALLOWTOPICCHANGE = AntonAylward

It makes me wonder. This problem is local to the creation of the home topic at registration/confirmation. It doesn't seem a general issue to me.

Surely it would make more sense to have the home topic creation work like anything else, and so we could use the %URLPARAM mechanism.

That would offer an opportunity to deal with the SMELL in line 804 of /lib/TWiki/UI/Register.pm.

--AA

It's not specific to home topics; it could have applications elsewhere. An interesting one might be a snapshot of project pages, for example - expand a SEARCH for project pages at topic create time to create a snapshot of the project.

You could use the URLPARAM mechanism, sure, but you'd have to provide a value to the script then, which is way more complicated and clunky than %EXPAND.

-- CC

The home page MUST be secured as it holds the person's email address and a reset password will send the authentication details to that address.

I will check my notes. I think the version I submitted did implement this.

-- MC


OK, I think it was an over-optimisation on my part that broke it. It should expand %USERNAME etc to the created user now, instead of the user doing the creating, so you can use * Set ALLOWTOPICCHANGE = guest and it should expand.

SVN 5894

CC
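
An added example, not part of the original thread and not TWiki's own code: a small audit that reads user home topic text and reports the states discussed above (an empty ALLOWTOPICCHANGE, a literal unexpanded %TOPIC%, a guest-only deny, or a real WikiName). The function name, result labels and sample topics are constructed for illustration, and only topic-level Set lines are examined.

```python
import re

# Matches TWiki preference bullets such as "   * Set ALLOWTOPICCHANGE = AntonAylward".
# Indentation is matched loosely (spaces or tabs) so hand-edited topics still parse.
SETTING = re.compile(
    r"^[ \t]+\*[ \t]+Set[ \t]+(ALLOW|DENY)TOPICCHANGE[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)
# A value that is nothing but a %VARIABLE% was never substituted at creation time.
UNEXPANDED = re.compile(r"%[A-Z]+(\{.*?\})?%")


def audit_home_topic(text):
    """Classify the topic-level edit controls of one user home topic.

    Assumption: web-level and site-level preferences are ignored; this
    looks only at the Set lines stored in the topic itself.
    """
    allow, deny = [], []
    for kind, value in SETTING.findall(text):
        names = [n for n in re.split(r"[,\s]+", value) if n]
        (allow if kind == "ALLOW" else deny).extend(names)
    if any(UNEXPANDED.fullmatch(n) for n in allow):
        return "unexpanded-variable"   # literal %TOPIC% left in the saved topic
    if allow:
        return "restricted"            # at least one concrete name is listed
    if any(n.split(".")[-1] == "TWikiGuest" for n in deny):
        return "guest-denied-only"     # the "very least" fix from the report
    return "open"                      # empty ALLOWTOPICCHANGE, no guest deny


def audit_all(topics):
    """Map topic name -> classification for a dict of {name: raw topic text}."""
    return {name: audit_home_topic(text) for name, text in topics.items()}


# Constructed topic texts for illustration, not taken from a real site.
SAMPLE_TOPICS = {
    "NewUserA": "My home page\n   * Set ALLOWTOPICCHANGE = \n",
    "NewUserB": "   * Set ALLOWTOPICCHANGE = %TOPIC%\n",
    "NewUserC": "   * Set ALLOWTOPICCHANGE =\n   * Set DENYTOPICCHANGE = TWikiGuest\n",
    "AntonAylward": "\t\t* Set ALLOWTOPICCHANGE = AntonAylward\n",
}

if __name__ == "__main__":
    for name, state in audit_all(SAMPLE_TOPICS).items():
        print(f"{name}: {state}")
```
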

ItemTemplate
Summary New user's home pages are editable by anyone
ReportedBy TWiki:Main/AntonAylward
Codebase

AppliesTo

Priority Urgent
CurrentState Closed
WaitingFor

Topic revision: r10 - 2005-07-24 - TWikiGuest
 