# Foswiki - The Free and Open Source Wiki, https://foswiki.org/
# See bottom of file for license and copyright information.
#
# This file contains a specification of the parts of Foswiki that can be
# configured using =configure=. It is combined with =Config.spec= files
# shipped with extensions to generate the interface seen when you run
# =configure=.
#
# When you run configure from your browser, it will work out required
# settings and write a new LocalSite.cfg. It should never be necessary to
# modify this file directly.
#
# If for some strange reason you want to brew your own LocalSite.cfg by
# copying this file (NOT recommended), then you must un-comment and complete
# settings that are commented out, and remove everything from __END__ onwards.
#
# See 'setlib.cfg' in the 'bin' directory for how to configure a non-standard
# include path for Perl modules.
#
#############################################################################
#
# NOTE FOR DEVELOPERS:
# The comments in this file are formatted so that the =configure= script
# can extract documentation from here. See
# https://foswiki.org/System/DevelopingPlugins#Integrating_with_configure
# for details of the syntax used.
#
# You can use $Foswiki::cfg variables in other settings,
# but you must be sure they are only evaluated under program control and
# NOT when this file is loaded. For example:
## $Foswiki::cfg{Blah} = "$Foswiki::cfg{DataDir}/blah.dat"; # BAD
## $Foswiki::cfg{Blah} = '$Foswiki::cfg{DataDir}/blah.dat'; # GOOD
#
# Note that the general path settings are deliberately commented out.
# This is because they *must* be defined in LocalSite.cfg, and *not* here.
#############################################################################
#---+ General settings
#---++ Web URLs and Paths
# *Security Note:* Only the URL paths listed below should
# be browseable from the web - if you expose any other directories (such as
# lib or templates) you are opening up routes for possible hacking attempts.
# **URL LABEL="Default Url Host" CHECK="noemptyok \
# parts:scheme,authority \
# partsreq:scheme,authority \
# schemes:http,https \
# authtype:hostip" **
# This is the root of all Foswiki URLs.
# For example, =http://myhost.com:123=
# (do not include the trailing slash.)
# $Foswiki::cfg{DefaultUrlHost} = 'http://your.domain.com';
# **BOOLEAN EXPERT LABEL="Force Default Url Host"**
# Enable this parameter to force foswiki to ignore the hostname in the
# URL entered by the user. Foswiki will generate all links using the
# {DefaultUrlHost}.
#
# By default, foswiki will use whatever URL was entered by the
# user to generate links. The only exception is the special =localhost=
# name, which will be automatically replaced by the {DefaultUrlHost}.
# In most installations this is the preferred behavior. However, when
# using SSL accelerators, reverse proxies or load balancers, the URL
# entered by the user may have been altered, and foswiki should be forced
# to return the {DefaultUrlHost}.
$Foswiki::cfg{ForceDefaultUrlHost} = $FALSE;
# **URILIST LABEL="Permitted Redirect Host Urls" EXPERT CHECK='emptyok \
# parts:scheme,authority \
# authtype:hostip' **
# If your host has aliases (such as both =www.mywiki.net= and =mywiki.net=
# and some IP addresses) you need to tell Foswiki that redirecting to them
# is OK. Foswiki uses redirection as part of its normal mode of operation
# when it changes between editing and viewing.
#
# To prevent Foswiki from being used in phishing attacks and to protect it
# from middleman exploits, the security setting {AllowRedirectUrl} is
# disabled by default, which blocks redirection to other domains. If a
# redirection to a different host is attempted, the target URL is compared
# against this list of additional trusted sites, and the redirect is
# permitted only if it matches. Keep this list as short as possible: every
# entry is a host that Foswiki is willing to redirect users to.
#
# Enter as a comma separated list of URLs (protocol, hostname and (optional)
# port), for example =http://your.domain.com:8080,https://other.domain.com=.
# (Omit the trailing slash.)
$Foswiki::cfg{PermittedRedirectHostUrls} = '';
# **URLPATH LABEL="Script Url Path" CHECK="emptyok notrail"**
# This is the 'cgi-bin' part of URLs used to access the Foswiki bin
# directory. For example =/foswiki/bin=.
# See [[https://foswiki.org/Support/ShorterUrlCookbook][ShorterUrlCookbook]]
# for more information on setting up Foswiki to use shorter script URLs.
# $Foswiki::cfg{ScriptUrlPath} = '/foswiki/bin';
# **STRING 10 LABEL="Script Suffix" CHECK="emptyok"**
# Suffix of Foswiki CGI scripts. For example, .cgi or .pl.
# You may need to set this if your webserver requires an extension.
#$Foswiki::cfg{ScriptSuffix} = '';
# **URLPATH LABEL="Script Url Path for View" CHECK='undefok emptyok notrail' FEEDBACK="icon='ui-icon-check';label='Verify';wizard='ScriptHash';method='verify';auth=1" **
#! n.b. options should match Pluggables/SCRIPTHASH.pm for dynamic path items
# This is the complete path used to access the Foswiki view script,
# including any suffix.
# You should leave this as it is, unless your web server is configured
# for short URLs (for example using Foswiki's
# [[https://foswiki.org/Support/ApacheConfigGenerator][Apache Config Generator]]
# ). If it is, replace this with the base path of your wiki (the value of
# {ScriptUrlPath} with the =/bin= suffix removed, so you'll have to leave
# this field empty if your wiki lives at the top level).
#
# More information:
# [[https://foswiki.org/Support/ShorterUrlCookbook][Shorter URL Cookbook]]
# $Foswiki::cfg{ScriptUrlPaths}{view} = '$Foswiki::cfg{ScriptUrlPath}/view$Foswiki::cfg{ScriptSuffix}';
# **URLPATH LABEL="Pub Url Path" CHECK='noemptyok notrail' **
# This is the URL path used to link to attachments. For stores where
# attachments are stored as files (such as PlainFile and RCSLite) then this
# will normally be the URL path to the =pub= directory.
# For example =/foswiki/pub=
#
# *Security Note:* files in the pub directory are *not*
# protected by Foswiki access controls. If you require access controls, you
# will have to use webserver controls (for example =.htaccess= on Apache).
# See the
# [[https://foswiki.org/Support/ApacheConfigGenerator][Apache Config Generator]]
# for more information.
# $Foswiki::cfg{PubUrlPath} = '/foswiki/pub';
#! The following plugin must follow all other {ScriptUrlPaths} items
# *SCRIPTHASH*
# ---++ File System Paths
# Configure the file system locations of key Foswiki directories here. These are usually guessed
# correctly during bootstrap. Other file locations are configured within their related sections.
# **PATH LABEL="Script Directory" FEEDBACK="icon='ui-icon-check';label='Validate Permissions'; method='validate_permissions';title='Validate file permissions.'" CHECK="noemptyok perms:Dx,'(.txt|.cfg)$'" **
# This is the file system path used to access the Foswiki bin directory.
# $Foswiki::cfg{ScriptDir} = '/home/httpd/foswiki/bin';
# **PATH LABEL="Pub Directory" FEEDBACK="icon='ui-icon-check';label='Validate Permissions'; method='validate_permissions';title='Validate file permissions. WARNING: this may take a long time on a large system'" CHECK="noemptyok perms:r,'*',wDn,'(,v|,pfv)$'" **
# Attachments store (file path, not URL). It must match the attachments URL
# path =/foswiki/pub= - for example =/usr/local/foswiki/pub=. This directory is
# normally accessible from the web.
# $Foswiki::cfg{PubDir} = '/home/httpd/foswiki/pub';
# **PATH LABEL="Data Directory" FEEDBACK="icon='ui-icon-check';label='Validate Permissions'; method='validate_permissions';title='Validate file permissions. WARNING: this may take a long time on a large system'" CHECK="noemptyok perms:rwDnpd,'(,v|,pfv)$',r" **
# Topic files store (file path, not URL). For example =/usr/local/foswiki/data=.
# This directory must not be web accessible.
# $Foswiki::cfg{DataDir} = '/home/httpd/foswiki/data';
# **PATH LABEL="Tools Directory" FEEDBACK="icon='ui-icon-check';label='Validate Permissions'; method='validate_permissions'" CHECK="noemptyok perms:rD" **
# File path to tools directory. For example =/usr/local/foswiki/tools=.
# This directory must not be web accessible.
# $Foswiki::cfg{ToolsDir} = '/home/httpd/foswiki/tools';
# **PATH LABEL="Template Directory" FEEDBACK="icon='ui-icon-check';label='Validate Permissions'; method='validate_permissions'" CHECK="noemptyok perms:rD" **
# File path to templates directory. For example =/usr/local/foswiki/templates=.
# This directory must not be web accessible.
# $Foswiki::cfg{TemplateDir} = '/home/httpd/foswiki/templates';
# **PATH LABEL="Locales Directory" FEEDBACK="icon='ui-icon-check';label='Validate Permissions'; method='validate_permissions'" CHECK="noemptyok perms:rD" **
# File path to locale directory.
# For example =/usr/local/foswiki/locale=.
# This directory must not be web accessible.
# $Foswiki::cfg{LocalesDir} = '/home/httpd/foswiki/locale';
# **PATH LABEL="Working Directory" ONSAVE FEEDBACK="icon='ui-icon-check';label='Validate Permissions'; method='validate_permissions'" CHECK="noemptyok perms:rw,'[\//]README$',r" **
# Directory where Foswiki stores files that are required for the management
# of Foswiki, but are not required to be accessed from the web.
# A number of subdirectories will be created automatically under this
# directory:
# * ={WorkingDir}/tmp= - used for security-related temporary files
# (these files can be deleted at any time without permanent damage).
# _Passthrough files_ are used by Foswiki to work around the limitations
# of HTTP when redirecting URLs.
# _Session files_ are used to record information about active
# users - for example, whether they are logged in or not.
# Because they hold session state and redirected request data, these files
# must *not* be browseable from the web!
# You are recommended to restrict filesystem permissions on this
# directory so only the web server user can access it.
# * ={WorkingDir}/requestTmp= - used as an alternate location for the
# system =/tmp= directory. This is only used if {TempfileDir}
# is configured.
# * ={WorkingDir}/work_areas= - these are work areas used by
# extensions that need to store persistent data across sessions.
# * ={WorkingDir}/registration_approvals= - this is used by the
# default Foswiki registration process to store registrations that
# are pending verification.
# $Foswiki::cfg{WorkingDir} = '/home/httpd/foswiki/working';
# **PATH LABEL="Safe PATH" CHECK='undefok'**
# You can override the default PATH setting to control
# where Foswiki looks for external programs, such as grep.
# By restricting this path to just a few key
# directories, you increase the security of your installation.
# * Unix or Linux - Path separator is ':'. Make sure diff
# and shell (Bourne or bash type) are found on path. Typical
# path is =/bin:/usr/bin=
# * Windows ActiveState Perl, using DOS shell. Path separator is ';'.
# The Windows system directory is required on the path. Use '\' not
# '/' in pathnames. Typical setting is =C:\windows\system32=
# * Windows Cygwin Perl - Path separator is ':'. The Windows system
# directory is required on the path. Use '/' not '\' in pathnames.
# Typical setting is =/cygdrive/c/windows/system32=
# $Foswiki::cfg{SafeEnvPath} = undef;
# **PATH LABEL="Tempfile Directory" CHECK="undefok" EXPERT**
# This is used to override the default system temporary file location.
# Set this if you wish to have control over where working tmp files are
# created. It is normally set automatically in the code.
# $Foswiki::cfg{TempfileDir} = '';
#############################################################################
#---+ Security and Authentication
# Control most aspects of how Foswiki handles security related activities.
#---++ Sessions
# Sessions are how Foswiki tracks a user across multiple requests.
# **BOOLEAN LABEL="Use Client Sessions"**
# Control whether Foswiki will use persistent sessions.
# A user's session id is stored in a cookie, and this is used to identify
# the user for each request they make to the server.
# You can use sessions even if you are not using login.
# This allows you to have persistent session variables - for example, skins.
# Client sessions are not required for logins to work, but Foswiki will not
# be able to remember logged-in users consistently.
# See [[https://foswiki.org/System/UserAuthentication][User
# Authentication]] for a full discussion of the pros and
# cons of using persistent sessions.
$Foswiki::cfg{UseClientSessions} = 1;
# **NUMBER 20 LABEL="Session Expiry" DISPLAY_IF="{UseClientSessions}" CHECK="iff:'{UseClientSessions}'"**
# Set the session timeout, in seconds. The session will be cleared after this
# amount of time without the session being accessed. The default is 6 hours
# (21600 seconds).
#
# *Note* By default, session expiry is done "on the fly" by the same
# processes used to serve Foswiki requests. As such it imposes a load
# on the server. When there are very large numbers of session files,
# this load can become significant. For best performance, you can set
# {Sessions}{ExpireAfter} to a negative number, which will mean that
# Foswiki won't try to clean up expired sessions using CGI processes.
# Instead you should use a cron job to clean up expired sessions. The
# standard maintenance cron script =tools/tick_foswiki.pl= includes this
# function. Session files are stored in the ={WorkingDir}/tmp= directory.
#
# This setting is also used to set a lifetime for passthru redirect requests.
$Foswiki::cfg{Sessions}{ExpireAfter} = 21600;
# **NUMBER LABEL="Cookie Expiry" EXPERT DISPLAY_IF="{UseClientSessions} && {LoginManager}=='Foswiki::LoginManager::TemplateLogin'" CHECK="iff:'{UseClientSessions} && {LoginManager}=~/TemplateLogin$/'"**
# TemplateLogin only.
# Normally the cookie that remembers a user session is set to expire
# when the browser exits, but using this value you can make the cookie
# expire after a set number of seconds instead. If you set it then
# users will be able to tick a 'Remember me' box when logging in, and
# their session cookie will be remembered even if the browser exits.
#
# This should always be the same as, or longer than, {Sessions}{ExpireAfter},
# otherwise Foswiki may delete the session from its memory even though the
# cookie is still active.
#
# A value of 0 will cause the cookie to expire when the browser exits.
# One month is roughly equal to 2600000 seconds.
$Foswiki::cfg{Sessions}{ExpireCookiesAfter} = 0;
# **BOOLEAN LABEL="IDs in Urls" EXPERT DISPLAY_IF="{UseClientSessions}" CHECK="iff:'{UseClientSessions}'"**
# Foswiki will normally use a cookie in
# the browser to store the session ID. If the client has cookies disabled,
# then Foswiki will not be able to record the session. As a fallback, Foswiki
# can rewrite local URLs to pass the session ID as a parameter to the URL.
# This is a potential security risk, because it increases the chance of a
# session ID being stolen (accidentally or intentionally) by another user:
# a URL, unlike a cookie, is routinely copied, bookmarked, shared and logged.
# If this is turned off, users with cookies disabled will have to
# re-authenticate for every secure page access (unless you are using
# {Sessions}{MapIP2SID}).
$Foswiki::cfg{Sessions}{IDsInURLs} = 0;
# **STRING 20 LABEL="Cookie Realm" EXPERT DISPLAY_IF="{UseClientSessions}" CHECK="undefok emptyok iff:'{UseClientSessions}'"**
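# By default the Foswiki session cookie is only accessible by the host which
# sets it. To change the scope of this cookie you can set this to any other
# value (for example company.com). Widening the scope means the session
# cookie is also sent to every other host covered by that value, so do this
# only if all of those hosts are trusted. Make sure that Foswiki can access
# its own cookie.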
#
# If empty, this defaults to the current host.
$Foswiki::cfg{Sessions}{CookieRealm} = '';
# **STRING 20 LABEL="Cookie Path" EXPERT DISPLAY_IF="{UseClientSessions}" CHECK="undefok emptyok iff:'{UseClientSessions}'"**
# By default, the foswiki cookies live at the root of the path. If foswiki shares
# with other applications on the web server, it may be useful to set this to =/foswiki=
# or another path appropriate for your site.
#
# If empty, the cookie will be at the '/' root.
$Foswiki::cfg{Sessions}{CookiePath} = '/';
# **STRING 20 LABEL="Cookie Name Prefix" EXPERT DISPLAY_IF="{UseClientSessions}" CHECK="undefok emptyok iff:'{UseClientSessions}'"**
# With multiple Foswiki installations on the same host, it may be necessary to use unique names
# for the cookies to avoid collisions. This is especially true if the CookieRealm has been
# configured as a wildcard domain.
#
# If empty, no prefix is added.
$Foswiki::cfg{Sessions}{CookieNamePrefix} = '';
# **BOOLEAN LABEL="Use IP Matching" DISPLAY_IF="{UseClientSessions}" CHECK="iff:'{UseClientSessions}'" **
# Enable this option to prevent a session from being accessed by
# more than one IP Address. This gives some protection against session
# hijack attacks.
#
# This option may or may not be helpful. Public web sites can easily be
# accessed by different users from the same IP address when they access
# through the same proxy gateway, meaning that the protection is limited.
# Additionally, people are increasingly mobile, using a mix of LAN, WLAN
# and 3G modems, and they will often change IP address several times per day.
# For these users IP matching forces re-authentication whenever
# their IP address changes, which is quite inconvenient.
#
# Note that the =CGI::Session= tutorial strongly recommends use of
# IP Matching for security purposes, so it is now enabled by default.
$Foswiki::cfg{Sessions}{UseIPMatching} = 1;
# **BOOLEAN LABEL="Enable Guest Sessions" DISPLAY_IF="{UseClientSessions}" CHECK="iff:'{UseClientSessions}'" **
# In prior versions of Foswiki, every user was given their own CGI Session.
# Disable this setting to block creation of sessions for guest users.
#
# Note: Some parts of Foswiki will not function without a
# CGI Session. This includes scripts that update, and any wiki applications
# that make use of session variables.
$Foswiki::cfg{Sessions}{EnableGuestSessions} = 1;
# **REGEX LABEL="Topics requiring sessions" EXPERT**
# If this regular expression matches the Topic in the request, a guest session
# will be created. Sessions are required for UserRegistration and ResetPassword
# Pages. As Foswiki supports custom User Registration topics, the expression is
# anchored at the end, so that it matches any topic name ending in "Registration".
$Foswiki::cfg{Sessions}{TopicsRequireGuestSessions} = '(Registration|ResetPassword)$';
# **OCTAL LABEL="Session-File Permission" CHECK="min:000 max:777" EXPERT**
# File security for new session objects created by the login manager.
# You may have to adjust these permissions to allow (or deny) users other
# than the webserver user access to session objects that Foswiki creates in
# the filesystem. Granting group or other access lets additional local
# accounts read session data, so widen this only when it is needed.
# This is an *octal* number representing the standard
# UNIX permissions
# (for example 0640 == rw-r-----)
$Foswiki::cfg{Session}{filePermission} = 0600;
#---++ Validation
# Validation is the process by which Foswiki validates that a request is
# allowed by the site, and is not part of an attack on the site.
# **SELECT strikeone,embedded,none LABEL="Validation Method" **
# By default Foswiki uses Javascript to perform "double submission" validation
# of browser requests. This technique, called "strikeone", is highly
# recommended for the prevention of cross-site request forgery (CSRF). See also
# [[https://foswiki.org/Support/WhyYouAreAskedToConfirm][Why am I being asked to confirm?]].
#
# If Javascript is known not to be available in browsers that use the site,
# or cookies are disabled, but you still want validation of submissions,
# then you can fall back on an embedded-key validation technique that
# is less secure, but still offers some protection against CSRF. Both
# validation techniques rely on user verification of "suspicious"
# transactions.
#
# This option allows you to select which validation technique will be
# used.
# * If it is set to "strikeone", or is undefined, 0, or the empty string,
# then double-submission using Javascript will be used.
# * If it is set to "embedded", then embedded validation keys will be used.
# * If it is set to "none", then no validation of posted requests will
# be performed, and the protection against CSRF described above is lost.
$Foswiki::cfg{Validation}{Method} = 'strikeone';
# **NUMBER LABEL="Validation Expiry" EXPERT DISPLAY_IF="{Validation}{Method}!='none'" CHECK="min:1 iff:'{Validation}{Method} ne q<none>'"**
# Validation keys are stored for a maximum of this amount of time before
# they are invalidated. Time in seconds. A shorter time reduces the risk
# of a hacker finding and re-using one of the keys, at the cost of more
# frequent confirmation prompts for users.
$Foswiki::cfg{Validation}{ValidForTime} = 3600;
# **NUMBER LABEL="Maximum Keys per Session" EXPERT DISPLAY_IF="{Validation}{Method}!='none'" CHECK="min:10 iff:'{Validation}{Method} ne q<none>'"**
# The maximum number of validation keys to store in a session. There is one
# key stored for each page rendered. If the number of keys exceeds this
# number, the oldest keys will be force-expired to bring the number down.
# This is a simple tradeoff between space on the server, and the number of
# keys a single user might use (usually dictated by the number of wiki pages
# they have open simultaneously)
$Foswiki::cfg{Validation}{MaxKeysPerSession} = 1000;
# **BOOLEAN LABEL="Expire Validation Key on Use" EXPERT DISPLAY_IF="{Validation}{Method}!='none'" CHECK="iff:'{Validation}{Method} ne q<none>'"**
# Expire a validation key immediately when it is used to validate the saving
# of a page (N/A for =rest= requests). This protects against an attacker eavesdropping the communication
# between browser and server and exploiting the keys sent from browser to
# server. If this is enabled and a user edits and saves a page, and then goes
# back to the edit screen using the browser back button and saves again, they
# will be met by a warning screen against "Suspicious request from
# browser". The same warning will be displayed if you build an application with
# pages containing multiple forms and users try to submit from these
# forms more than once. If this warning screen is a problem for your users, you
# can disable this setting which enables reuse of validation keys.
# However this will lower the level of security against cross-site request
# forgery. Note however that =rest= requests, for example, the CommentPlugin =comment= action,
# do not expire the key.
$Foswiki::cfg{Validation}{ExpireKeyOnUse} = 1;
#---++ Login
# Foswiki supports different ways of handling how a user asks, or is asked,
# to log in.
# **SELECTCLASS none,Foswiki::LoginManager::*Login* CHECK="also:{AuthScripts}" LABEL="Login Manager"**
# Select the login manager to use.
# * none - Don't support logging in, all users have access to everything.
# * Foswiki::LoginManager::TemplateLogin - Redirect to the login template,
# which asks for a username and password in a form. Does not cache the
# ID in the browser, so requires client sessions to work.
# * Foswiki::LoginManager::ApacheLogin - Redirect to an '...auth' script
# for which Apache can be configured to ask for authorization information.
# Does not require client sessions, but works best with them enabled.
# It is important to ensure that the chosen LoginManager is consistent with
# the Web Server configuration.
$Foswiki::cfg{LoginManager} = 'Foswiki::LoginManager::TemplateLogin';
# **NUMBER LABEL="Login Token Lifetime"**
# Specify the time in minutes for which a login token (for example, one
# issued for a password reset) remains usable. Allow for email delays,
# including grey listing: at least 15 minutes is recommended.
$Foswiki::cfg{Login}{TokenLifetime} = 15;
# **BOOLEAN LABEL="Debug Login Manager" EXPERT**
# Write debugging output to the webserver error log.
$Foswiki::cfg{Trace}{LoginManager} = 0;
# **STRING 100 LABEL="Authenticated Scripts" CHECK_ON_CHANGE="{LoginManager}" **
# Comma-separated list of scripts in the bin directory that require the user to
# authenticate. This setting is used with TemplateLogin; any time an
# unauthenticated user attempts to access one of these scripts, they will be
# required to authenticate. With ApacheLogin, the web server must be configured
# to require a valid user for access to these scripts. =edit= and
# =save= should be removed from this list if the guest user is permitted to
# edit topics without authentication.
$Foswiki::cfg{AuthScripts} =
'attach,compareauth,configure,edit,manage,previewauth,rdiffauth,rename,restauth,save,statistics,upload,viewauth,viewfileauth';
# **BOOLEAN LABEL="Legacy REST Security" EXPERT**
# Foswiki 1.2 has removed the =rest= script from the list of {AuthScripts}.
# Instead of providing blanket security for =rest=, each handler is now
# responsible for setting its individual requirements for 3 options:
# _authentication_, _validation_ and _http_allow_ methods (POST vs. GET).
# The defaults for these 3 options have been changed to be secure,
# and handlers can opt out of these checks based upon their specific
# requirements. Enable this setting to restore the original insecure defaults.
$Foswiki::cfg{LegacyRESTSecurity} = $FALSE;
# **REGEX LABEL="Scripts accepting user/pass params" EXPERT**
# Regular expression matching the scripts, other than the login script, that
# should be allowed to accept the =username= and =password= parameters. Older
# versions of Foswiki would accept the username and password parameter on any
# script. The =login= and =logon= scripts will always accept the username and
# password, but only from POST requests. In order to add support for the
# =rest= and =restauth= scripts, specify =/^(view|rest)(auth)?$/=. See also the
# Miscellaneous -> Compatibility expert settings if you want to accept user/pass
# parameters on GET requests.
$Foswiki::cfg{Session}{AcceptUserPwParam} = '^view(auth)?$';
# **BOOLEAN LABEL="Prevent from Remembering the User Password" EXPERT DISPLAY_IF="{LoginManager}=='Foswiki::LoginManager::TemplateLogin'" CHECK="iff:'{LoginManager} =~ /TemplateLogin$/'"**
# Browsers typically remember your login and passwords to make authentication
# more convenient for users. If your Foswiki is used on public terminals,
# you can prevent this, forcing the user to enter the login and password
# every time.
$Foswiki::cfg{TemplateLogin}{PreventBrowserRememberingPassword} = 0;
# **BOOLEAN LABEL="Allow Login 'Using Email Address" EXPERT DISPLAY_IF="{LoginManager}=='Foswiki::LoginManager::TemplateLogin'" CHECK="iff:'{LoginManager} =~ /TemplateLogin$/'"**
# Allow a user to log in to foswiki using the email addresses known to the
# password system (in addition to their username).
$Foswiki::cfg{TemplateLogin}{AllowLoginUsingEmailAddress} = 0;
# **REGEX LABEL="Login Name Filter" EXPERT**
# The perl regular expression used to constrain user login names. Some
# environments may require funny characters in login names, such as \.
# This is a filter *in* expression, so a login name must match this
# expression or an error will be thrown and the login denied.
$Foswiki::cfg{LoginNameFilterIn} = '^[^\\s\\*?~^\\$@%`"\'&;|<>\x00-\x1f]+$';
# **STRING 20 LABEL="Default User Login" EXPERT**
# Guest user's login name. You are recommended not to change this.
$Foswiki::cfg{DefaultUserLogin} = 'guest';
# **STRING 20 LABEL="Default User WikiName" EXPERT**
# Guest user's wiki name. You are recommended not to change this.
$Foswiki::cfg{DefaultUserWikiName} = 'WikiGuest';
# **STRING 20 LABEL="Admin User Login" EXPERT**
# An internal admin user login name (matched with the configure password,
# if set) which can be used as a temporary Admin login (see: Main.AdminUser).
# This login name is additionally required by the install script for some addons
# and plugins, usually to gain write access to the Foswiki web.
# If you change this you risk making topics uneditable.
$Foswiki::cfg{AdminUserLogin} = 'admin';
# **STRING 20 LABEL="Admin User WikiName" EXPERT**
# The internal admin user WikiName that is displayed for actions done by the
# {AdminUserLogin}.
# This is a special WikiName and should never be directly authenticated.
# It is accessed by logging in using the AdminUserLogin either directly
# or with the sudo login.
# You should normally not need to change this (if you do,
# you will need to move the %USERSWEB%.AdminUser topic to match. Do not
# register a user with this name!)
$Foswiki::cfg{AdminUserWikiName} = 'AdminUser';
# **STRING 20 LABEL="Admin Group" EXPERT**
# Group of users that can use special =?action=repRev= and =?action=delRev=
# on =save= and ALWAYS have edit powers. See %SYSTEMWEB%.CompleteDocumentation
# for an explanation of wiki groups. The default value "AdminGroup" is used
# everywhere in Foswiki to protect important settings so you would need
# a really special reason to change this setting.
$Foswiki::cfg{SuperAdminGroup} = 'AdminGroup';
# **STRING 20 LABEL="Users TopicName" EXPERT**
# Name of topic in the {UsersWebName} web where registered users are listed.
# Automatically maintained by the standard registration scripts.
# *If you change this setting you will have to use Foswiki to*
# *manually rename the existing topic*
$Foswiki::cfg{UsersTopicName} = 'WikiUsers';
#---++ User mapping
# The user mapping is used to map login names used with external
# authentication systems to Foswiki user identities.
# **SELECTCLASS Foswiki::Users::*UserMapping LABEL="User Mapping Manager" **
# By default only two mappings are available, though other mappings *may*
# be installed to support other authentication providers. The following mappers
# are shipped by default:
# * =Foswiki::Users::TopicUserMapping= - uses Foswiki user and group topics to
# determine user information, and group memberships.
# * =Foswiki::Users::BaseUserMapping= - has only pseudo users such as
# ={AdminUser}= and ={DefaultUserWikiName}=, with the Admins login and
# password being set from configure.
# *Does not support User registration*, and only works with TemplateLogin.
$Foswiki::cfg{UserMappingManager} = 'Foswiki::Users::TopicUserMapping';
# **BOOLEAN LABEL="Force Manage Emails" EXPERT DISPLAY_IF="{UserMappingManager}=='Foswiki::Users::TopicUserMapping'" CHECK="iff:'{UserMappingManager} =~ /:TopicUserMapping$/'"**
# Enable this parameter to force the TopicUserMapping manager to directly
# manage email addresses, and not pass management over to the PasswordManager.
# When enabled, TopicUserMapping will store addresses in the user topics.
#
# Default is disabled. The PasswordManager will determine what is
# responsible for storing email addresses.
#
# *Note:* Foswiki provides a utility to migrate emails from user topic to the
# password file, but does not provide any way to migrate emails from the
# password file back to user topics.
$Foswiki::cfg{TopicUserMapping}{ForceManageEmails} = $FALSE;
#---++ Access Control
# Control some features of how Foswiki handles access control settings.
# **SELECTCLASS Foswiki::Access::*Access LABEL="Access Control Implementation" **
# Choose who can access the wiki.
# * =TopicACLAccess= is the normal foswiki ACL system, as documented
# in the setup guides.
# * =AdminOnlyAccess= denies all non-admins (not in the AdminGroup)
# any access to the wiki - useful for site maintenance.
# * =TopicACLReadOnlyAccess= denies all non-admins any update access
# to the wiki, and falls back to =TopicACLAccess= for VIEW access
# checks - also useful for site maintenance.
# Note: The AdminOnly and ReadOnly access controls do not necessarily
# provide absolute control. Some extensions (non-default) have been
# written to allow anonymous updates. If an operation does not check
# for access permission, then it will not get blocked by these controls.
$Foswiki::cfg{AccessControl} = 'Foswiki::Access::TopicACLAccess';
# **BOOLEAN LABEL="Enable Additive Topic ACLs" EXPERT **
# Optionally support Additive Topic ACLs. Normally ACLs specified at the
# Topic level override Web level access control. If this feature is enabled,
# the "+" plus sign can be used at the Topic level to add to the Web ACLs.
#
# If the Web ACL specifies _"ALLOWWEBVIEW = JoeUser"_, then a Topic ACL of
# _"ALLOWTOPICVIEW = + FredUser"_ will allow both JoeUser and FredUser
# to view the topic.
$Foswiki::cfg{AccessControlACL}{EnableAdditiveRules} = $FALSE;
# **BOOLEAN LABEL="Enable Deprecated Empty Deny" EXPERT **
# Optionally restore the deprecated empty =DENY= ACL behavior.
# If this setting is enabled, the "Empty" =DENY= ACL is interpreted as
# "Deny nobody", which is equivalent to "Allow all".
# It is recommended that this setting remain disabled, and that
# these rules be replaced with the * wildcard on the =ALLOW= setting:
# <verbatim>
# * Set DENYTOPICVIEW = Should be replaced with:
# * Set ALLOWTOPICVIEW = *
# </verbatim>
# See =tools/convertTopicSettings.pl= for a utility to migrate to the
# new ACL format.
$Foswiki::cfg{AccessControlACL}{EnableDeprecatedEmptyDeny} = $FALSE;
# **SELECT authenticated,acl,all LABEL="Access to RAW" EXPERT**
# Choose which users will have access to the "raw" topic views.
# Default is "authenticated", so that guest users can not view the raw
# topic contents. This avoids indexing of raw topic content by bots and
# crawlers.
# If set to =acl=, then access is controlled by setting =ALLOW= or =DENY=
# =WEB= or =TOPIC RAW=, for example:
# <verbatim>
# * Set ALLOWTOPICRAW = DevelopersGroup
# </verbatim>
$Foswiki::cfg{FeatureAccess}{AllowRaw} = 'authenticated';
# **SELECT authenticated,acl,all LABEL="Access to History" EXPERT**
# Choose which users will have access to the topic history.
# Default is "authenticated", so that guest users can not view the topic
# history. This can also reduce bot workload by denying web crawlers access
# to topic history. If set to =acl=, then access is controlled on a topic
# or web basis by setting =ALLOW= or =DENY= =WEB= or =TOPIC HISTORY=.
# For example:
# <verbatim>
# * Set DENYTOPICHISTORY = WikiGuest
# </verbatim>
# Note that this setting also controls access to the =rdiff= and =compare=
# scripts.
$Foswiki::cfg{FeatureAccess}{AllowHistory} = 'authenticated';
# **STRING 80 LABEL="Access to Configure"**
# A list of users permitted to use the =bin/configure= configuration tool.
# If this is configured, then users attempting to access
# configure are validated against this list. (The user must still first
# login using the normal Foswiki authentication). If configured, it is
# applied as a replacement for testing the isAdmin status of the user.
# This can be used to:
# * Allow configure to be used only by a subset of Admins
# * Allow configure to be used by non-admin users.
# * Allow configure to run by anyone
# Because users with access to configure can install software on the server
# and make changes that are potentially difficult to recover from, it is
# strongly recommended that configure access be limited. Examples:
# * Restrict configure to "JoeAdmin" and "BobAdmin": =JoeAdmin BobAdmin=
# The super admin user can always use configure, provided you set the expert
# Password setting under the Passwords tab.
$Foswiki::cfg{FeatureAccess}{Configure} = '';
#---++ Passwords
# Control how passwords are handled.
# **SELECTCLASS none,Foswiki::Users::*User LABEL="Password Manager"**
# The password manager handles the passwords database, and provides
# password lookup, and optionally password change, services to the rest of
# Foswiki.
# Foswiki ships with one password manager implementation:
# * =Foswiki::Users::HtPasswdUser= - handles 'htpasswd' format files, with
# passwords encoded as per the HtpasswdEncoding
# You can provide your own alternative by implementing a new subclass of
# Foswiki::Users::Password, and pointing {PasswordManager} at it in
# lib/LocalSite.cfg.
#
# If 'none' is selected, users will not be able to change passwords,
# and the TemplateLogin manager will then always succeed, regardless of
# what username or password is entered. This may be useful when you want to
# enable logins so Foswiki can identify contributors, but you don't care about
# passwords. Using ApacheLogin with PasswordManager set to 'none' (and
# AllowLoginName = true) is a common Enterprise SSO configuration, in which
# any logged in user can then register to create their Foswiki-based identity.
$Foswiki::cfg{PasswordManager} = 'Foswiki::Users::HtPasswdUser';
# **NUMBER LABEL="Minimum Password Length"**
# Minimum length for a password, for new registrations and password changes.
# If you want to allow null passwords, set this to 0.
$Foswiki::cfg{MinPasswordLength} = 7;
# **PATH LABEL="Password Filename" DISPLAY_IF="/htpasswd/i.test({PasswordManager})" CHECK="iff:'{PasswordManager}=~/htpasswd/i'"**
# Path to the file that stores passwords, for the Foswiki::Users::HtPasswdUser
# password manager. You can use the =htpasswd= Apache program to create a new
# password file with the right encoding, however use caution, as it will remove
# email addresses from an existing file.
$Foswiki::cfg{Htpasswd}{FileName} = '$Foswiki::cfg{DataDir}/.htpasswd';
# **STRING LABEL="Password File Character Encoding" EXPERT DISPLAY_IF="/htpasswd/i.test({PasswordManager})" CHECK="undefok iff:'{PasswordManager}=~/htpasswd/i'"**
# Character encoding used in the password file. This will default to utf-8, which allows any unicode
# character to be used in usernames, passwords and email addresses. The only time you should change it
# is if you have an existing password file that uses a different encoding (and even then only if there
# is at least one character in that file that has a codepoint that would conflict with utf-8).
# $Foswiki::cfg{Htpasswd}{CharacterEncoding} = 'utf-8';
# **PATH LABEL="Password Lock-Filename" EXPERT DISPLAY_IF="/htpasswd/i.test({PasswordManager})" CHECK="iff:'{PasswordManager}=~/htpasswd/i'"**
# Path to the lockfile for the password file. This normally does not need
# to be changed; however if two Foswiki installations share and update a
# common password file it is critical that both use the same lockfile.
# For example, change it to the location of the password file,
# =$Foswiki::cfg{DataDir}/htpasswd.lock=. Foswiki must have rights to
# create the lock file in this location. Only applicable to =HtPasswdUser=.
$Foswiki::cfg{Htpasswd}{LockFileName} =
'$Foswiki::cfg{WorkingDir}/htpasswd.lock';
# **BOOLEAN LABEL="Cache Passwords" EXPERT DISPLAY_IF="{PasswordManager}=='Foswiki::Users::HtPasswdUser'" CHECK="iff:'{PasswordManager} =~ /:HtPasswdUser/' also:{DetectModification}"**
# Enable this option on systems using =FastCGI, FCGID, or Mod_Perl= in
# order to avoid reading the password file for every transaction.
# It will cause the =HtPasswdUser= module to globally cache the password
# file, reading it only once on initialization.
#
# Because the file is read only once, changes made to it from outside this
# Foswiki process (including changed or removed passwords) may not take
# effect until the cache is invalidated. If the file can be updated
# externally or by another Foswiki instance, also enable
# ={Htpasswd}{DetectModification}=.
$Foswiki::cfg{Htpasswd}{GlobalCache} = $FALSE;
# **BOOLEAN LABEL="Detect Modification of Password File" EXPERT DISPLAY_IF="{PasswordManager}=='Foswiki::Users::HtPasswdUser'" CHECK="iff:'{PasswordManager} =~ /:HtPasswdUser$/' also:{GlobalCache}"**
# Enable this option if the .htpasswd file can be updated either external to Foswiki
# or by another Foswiki instance, and =GlobalCache= is enabled. When enabled, Foswiki will verify the timestamp of
# the file and will invalidate the cache if the file has been changed. This is only useful
# if Foswiki is running in a =mod_perl= or =fcgi= environment.
$Foswiki::cfg{Htpasswd}{DetectModification} = $FALSE;
# **SELECT argon2,bcrypt,'htdigest-md5','apache-md5',sha1,'crypt-md5',crypt,plain LABEL="Password Encoding" DISPLAY_IF="/htpasswd/i.test({PasswordManager})" CHECK="iff:'{PasswordManager}=~/htpasswd/i'"**
# Password hashing, for the =Foswiki::Users::HtPasswdUser= password
# manager. This specifies the type of password hash to generate when
# writing entries to =.htpasswd=. It is also used when reading password
# entries unless {Htpasswd}{AutoDetect} is enabled.
#
# *No password is secure unless https: is in use*
#
# The choices, listed roughly from strongest to weakest:
# * =bcrypt= - Hash based upon blowfish algorithm, strength of hash
# controlled by a cost parameter. *Caution:* bcrypt has a maximum
# password length of 72 bytes. Passwords longer than 72 bytes will be
# truncated and will generate identical hashes.
# See [[System.ReleaseNotes02x02]] for details on Apache compatibility.
# * =argon2i= - Hash based upon Argon2, the winner of the 2015 Password
# Hashing Competition. It is selected with the value =argon2=.
# Argon2 is tunable by specifying the cpu cost, memory cost and parallelism (threads).
# Argon2 would be considered stronger than bcrypt, but it is relatively new and not
# yet completely proven.
# *Not compatible with Apache Authentication*
# * =htdigest-md5= - Recommended only when combined with the
# =Foswiki::LoginManager::ApacheLogin=, or required for portability.
# Digest authentication provides some basic protection for non-SSL
# (http://) sites. The password is protected with
# simple encryption during browser authentication. The {AuthRealm}
# value is used with the username and password to generate the
# hashed form of the password, thus: =user:{AuthRealm}:hash=.
# This encoding is generated by the Apache =htdigest= command.
# * =apache-md5= - Enable an Apache-specific algorithm using an iterated
# (1,000 times) MD5 digest of various combinations of a random
# 32-bit salt and the password (=userid:$apr1$salt$hash=).
# This is the default, and is the encoding generated by the
# =htpasswd -m= command.
# * =sha1= does not use a salt
# and is therefore highly vulnerable to dictionary attacks. This
# is the encoding generated by the =htpasswd -s= command
# (=userid:{SHA}hash=).
# * =crypt-md5= - Enable use of standard libc (/etc/shadow)
# crypt-md5 password (like =user:$1$salt$hash:email=). Unlike
# =crypt= encoding, it does not suffer from password truncation.
# Passwords are salted, and the salt is stored in the hashed
# password string as in normal crypt passwords. This encoding is
# understood by Apache but cannot be generated by the =htpasswd=
# command.
# * =crypt= - encoding uses the first 8 characters of the password.
# This is the default generated by the Apache =htpasswd= command
# (=user:hash:email=). *Not Recommended.*
# * =plain= - stores passwords as plain text (no hashing). Useful
# for testing.
#
# The default, =apache-md5=, is not at the top of this list. Sites that do
# not depend on the Apache compatibility noted above should consider
# =bcrypt= or =argon2=. {Htpasswd}{AutoDetect} is intended to allow
# migration from one encoding to another.
#
# If you need to create entries in =.htpasswd= before Foswiki is operational,
# you can use the =htpasswd= or =htdigest= Apache programs to create a new
# password file with the correct encoding. Use caution however as these
# programs do not support the email addresses stored by Foswiki in
# the =.htpasswd= file.
$Foswiki::cfg{Htpasswd}{Encoding} = 'apache-md5';
# **STRING 80 LABEL="Authentication Realm" DISPLAY_IF="/htpasswd/i.test({PasswordManager}) && /md5$/.test({Htpasswd}{Encoding})"**
# Authentication realm. You may need to change it
# if you are sharing a password file with another application.
$Foswiki::cfg{AuthRealm} =
'Enter your WikiName. (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.';
# **BOOLEAN LABEL="Auto-detect Password Encoding" DISPLAY_IF="{PasswordManager}=='Foswiki::Users::HtPasswdUser' && {Htpasswd}{Encoding}!='plain'" CHECK="iff:'{PasswordManager} =~ /:HtPasswdUser$/ && {Htpasswd}{Encoding} ne q<plain>'"**
# Auto-detect the stored password encoding type. Enable
# this to allow migration from one encoding format to another format.
# Note that this does add a small overhead to the parsing of the =.htpasswd=
# file. Tests show approximately 1ms per 1000 entries. It should be used
# with caution unless you are using CGI acceleration such as FastCGI or
# mod_perl. This option is not compatible with =plain= text passwords.
$Foswiki::cfg{Htpasswd}{AutoDetect} = $TRUE;
# **BOOLEAN LABEL="Force change if Stale Encoding" DISPLAY_IF="{PasswordManager}=='Foswiki::Users::HtPasswdUser' && {Htpasswd}{Encoding}!='plain' && {Htpasswd}{AutoDetect}==1" CHECK="iff:'{PasswordManager} =~ /:HtPasswdUser$/ && {Htpasswd}{Encoding} ne q<plain>'"**
# If the Htpasswd encoding has been changed, force users to change their password upon login to get the latest encoding.
$Foswiki::cfg{Htpasswd}{ForceChangeEncoding} = $FALSE;
# **NUMBER LABEL="BCrypt Cost" DISPLAY_IF="{PasswordManager}=='Foswiki::Users::HtPasswdUser' && {Htpasswd}{Encoding}=='bcrypt'" CHECK="min:0 max:99 iff:'{PasswordManager}=~/:HtPasswdUser/ && {Htpasswd}{Encoding} eq q<bcrypt>'"**
# Specify the cost that should be incurred when computing the hash of a
# password. This number should be increased as CPU speeds increase.
# The number of hash iterations is roughly 2^cost - the default is 8, or 256
# iterations. *CAUTION* Values larger than 10 or 12 (1024 and 4096 iterations)
# can require extreme amounts of CPU time.
$Foswiki::cfg{Htpasswd}{BCryptCost} = 8;
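# **NUMBER LABEL="Argon2 Time Cost" DISPLAY_IF="{PasswordManager}=='Foswiki::Users::HtPasswdUser' && {Htpasswd}{Encoding}=='argon2'" CHECK="min:0 max:99 iff:'{PasswordManager}=~/:HtPasswdUser/ && {Htpasswd}{Encoding} eq q<argon2>'"**
# Specify the cost (iterations) that should be incurred when computing the hash of a
# password. This number should be increased as CPU speeds increase.
# This setting applies only when {Htpasswd}{Encoding} is =argon2=.
$Foswiki::cfg{Htpasswd}{Argon2Timecost} = 32;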
# **STRING LABEL="Argon2 Memory Cost" DISPLAY_IF="{PasswordManager}=='Foswiki::Users::HtPasswdUser' && {Htpasswd}{Encoding}=='argon2'" CHECK="iff:'{PasswordManager}=~/:HtPasswdUser/ && {Htpasswd}{Encoding} eq q<argon2>'"**
# Specify the cost in memory that should be incurred when computing the hash of a
# password. Minimum is 64k (or 65536). Can be specified as "k", "M" or "G" for kilobytes, Megabytes and Gigabytes respectively
# (k is lower case, M and G must be uppercase).
$Foswiki::cfg{Htpasswd}{Argon2Memcost} = '16M';
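# **NUMBER LABEL="Argon2 Parallelism" DISPLAY_IF="{PasswordManager}=='Foswiki::Users::HtPasswdUser' && {Htpasswd}{Encoding}=='argon2'" CHECK="min:1 max:16 iff:'{PasswordManager}=~/:HtPasswdUser/ && {Htpasswd}{Encoding} eq q<argon2>'"**
# Specify the number of threads that will be required for executing the
# algorithm.
# This setting applies only when {Htpasswd}{Encoding} is =argon2=.
$Foswiki::cfg{Htpasswd}{Argon2Threads} = 4;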
# **PASSWORD LABEL="Internal Admin Password" CHECK_ON_CHANGE="{FeatureAccess}{Configure}" CHECK="also:{FeatureAccess}{Configure}" ONSAVE**
# If set, this password permits use of the _internal admin_ login, and the
# sudo facility. *As it is a "shared password", this is no longer
# recommended per good security practices.* Clear this field to disable use
# of the internal admin login.
# NOTE: this field is hashed, and the value can only be set using the
# =configure= interface.
$Foswiki::cfg{Password} = '';
#---++ Registration
# Registration is the process by which new users register themselves with
# Foswiki.
# **BOOLEAN LABEL="Allow Login Names"**
# If you want users to be able to use a login ID other than their
# wikiname, you need to turn this on. It controls whether the 'LoginName'
# box appears during the user registration process, and is used to tell
# the User Mapping module whether to map login names to wikinames or not
# (if it supports mappings, that is).
#
# Note: TopicUserMapping stores the login name in the WikiUsers topic.
# Changing this value on a system with established users can cause login
# issues.
$Foswiki::cfg{Register}{AllowLoginName} = $FALSE;
# **BOOLEAN LABEL="Enable User Registration"**
# Controls whether new user registration is available.
# It will have no effect on existing users.
$Foswiki::cfg{Register}{EnableNewUserRegistration} = $TRUE;
# **BOOLEAN LABEL="Verify User Registration"**
# Whether registrations must be verified by the user, by following
# a link sent in an email to the user's registered email address
$Foswiki::cfg{Register}{NeedVerification} = $FALSE;
# **BOOLEAN LABEL="Approve User Registration"**
# Whether registrations must be verified by a referee. The referees are
# listed in the {Register}{Approvers} setting, by wikiname. Note that
# the AntiWikiSpamPlugin supports automatic checking of registration
# sources against black- and white-lists, and may be a good alternative
# to an approval system.
$Foswiki::cfg{Register}{NeedApproval} = $FALSE;
# **STRING 40 LABEL="User Registration Approvers" CHECK="undefok emptyok"**
# Comma-separated list of WikiNames of users who are able to approve
# new registrations. These referees will be sent an email when a new
# user verifies their registration. The referee must click a link in
# the email to approve (or deny) the registration.
# If the approver list is empty, the email will be sent to the wiki
# administrator.
$Foswiki::cfg{Register}{Approvers} = '';
# **NUMBER 20 LABEL="Registration Expiry" DISPLAY_IF="{Register}{NeedVerification} || {Register}{NeedApproval}"**
# Set the pending registration timeout, in seconds. The pending registration
# will be cleared after this amount of time. The default is 6 hours
# (21600 seconds).
#
# *Note:* By default, registration expiry is done "on the fly"
# during the registration process. For best performance, you can
# set {Register}{ExpireAfter} to a negative number, which will mean
# that Foswiki won't try to clean up expired registrations during
# registration. Instead you should use a cron job to clean up expired
# sessions. The standard maintenance cron script =tools/tick_foswiki.pl=
# includes this function.
#
# *Note:* if you are using registration approval by 3rd party reviewers,
# this timer should most likely be significantly increased.
# 24 hours = 86400, 3 days = 259200.
#
# Pending registration requests are stored in the
# ={WorkingDir}/registration_approvals= directory.
$Foswiki::cfg{Register}{ExpireAfter} = 21600;
# **BOOLEAN LABEL="Disable Password Confirmation" EXPERT**
# Controls whether the user password has to be entered twice on the
# registration page or not. The default is to require confirmation, in which
# case the same password must be provided in the confirmation input.
$Foswiki::cfg{Register}{DisablePasswordConfirmation} = $FALSE;
# **BOOLEAN LABEL="Hide Password" EXPERT**
# Hide password in registration email to the _user_.
# Note that Foswiki sends administrators a separate confirmation.
# Leaving this enabled keeps the password out of that email. Email is not
# a confidential channel, so disabling this setting is not recommended.
$Foswiki::cfg{Register}{HidePasswd} = $TRUE;
# **STRING 20 LABEL="Registration Agent WikiName" EXPERT**
# The internal user that creates user topics on new registrations.
# You are recommended not to change this. Note that if the default
# protection of the users web (Main) is changed, this user must have
# write access to that web.
$Foswiki::cfg{Register}{RegistrationAgentWikiName} = 'RegistrationAgent';
# **BOOLEAN LABEL="Require Unique Email"**
# Normally users can register multiple WikiNames using the same email address.
# Enable this parameter to prevent multiple registrations using the same
# email address.
$Foswiki::cfg{Register}{UniqueEmail} = $FALSE;
# **REGEX 80 LABEL="Email Filter" CHECK="emptyok" EXPERT**
# This regular expression can be used to block certain email addresses
# from being used for registering users. It can be used to block some
# of the more common wikispam bots. If this regex matches the entered
# address, the registration is rejected. For example:
# =^.*@(lease-a-seo\.com|paydayloans).*$=
#
# To block all domains and list only the permitted domains, use an
# expression of the format:
# =@(?!(example\.com|example\.net)$)=
$Foswiki::cfg{Register}{EmailFilter} = '';
#---++ Environment
# Control some aspects of the environment Foswiki runs within.
# **PERL LABEL="Accessible Configuration"**
# Array of the names of configuration items that are available when using
# %IF, %SEARCH and %QUERY{}%. Extensions can push into this array to extend
# the set. This is a filter *in* (an allow list): the items named here are
# the ones made available, because while the bulk of configuration items
# are quite innocent, it's better to be a bit paranoid.
#
# Before adding an item, check that its value is safe to show to every user
# who can use these macros. Do not list items that hold passwords or other
# secrets.
$Foswiki::cfg{AccessibleCFG} = [
'{AccessControlACL}{EnableDeprecatedEmptyDeny}',
'{AccessControlACL}{EnableAdditiveRules}',
'{AccessibleCFG}',
'{AdminUserLogin}',
'{AdminUserWikiName}',
'{AntiSpam}{EmailPadding}',
'{AntiSpam}{EntityEncode}',
'{AntiSpam}{HideUserDetails}',
'{AntiSpam}{RobotsAreWelcome}',
'{AttachmentNameFilter}',
'{AuthRealm}',
'{AuthScripts}',
'{Cache}{Enabled}',
'{DefaultDateFormat}',
'{DefaultUrlHost}',
'{DenyDotDotInclude}',
'{DisplayTimeValues}',
'{EnableEmail}',
'{EnableHierarchicalWebs}',
'{FormTypes}',
'{HomeTopicName}',
'{LeaseLength}',
'{LeaseLengthLessForceful}',
'{LinkProtocolPattern}',
'{LocalSitePreferences}',
'{Login}{TokenLifetime}',
'{LoginNameFilterIn}',
'{MaxRevisionsInADiff}',
'{MinPasswordLength}',
'{NameFilter}',
'{NotifyTopicName}',
'{NumberOfRevisions}',
'{PluginsOrder}',
'{Plugins}{WebSearchPath}',
'{PluralToSingular}',
'{Register}{AllowLoginName}',
'{Register}{Approvers}',
'{Register}{DisablePasswordConfirmation}',
'{Register}{EnableNewUserRegistration}',
'{Register}{NeedApproval}',
'{Register}{NeedVerification}',
'{Register}{RegistrationAgentWikiName}',
'{ReplaceIfEditedAgainWithin}',
'{SandboxWebName}',
'{ScriptSuffix}',
'{ScriptUrlPath}',
'{Site}{Locale}',
'{SitePrefsTopicName}',
'{Stats}{TopContrib}',
'{Stats}{TopicName}',
'{Stats}{TopViews}',
'{SuperAdminGroup}',
'{SystemWebName}',
'{TemplateLogin}{AllowLoginUsingEmailAddress}',
'{TemplatePath}',
'{TrashWebName}',
'{UploadFilter}',
'{UseLocale}',
'{UserInterfaceInternationalisation}',
'{UsersTopicName}',
'{UsersWebName}',
'{Validation}{Method}',
'{WebMasterEmail}',
'{WebMasterName}',
'{WebPrefsTopicName}',
];
# **BOOLEAN LABEL="Allow URLs in INCLUDE"**
# Allow %INCLUDE of URLs. This is disabled by default, because it is possible
# to mount a denial-of-service (DoS) attack on a Foswiki site using INCLUDE and
# URLs. Only enable it if you are in an environment where a DoS attack is not
# a high risk.
#
# The request for an included URL appears to be made by the Foswiki server
# itself (hence the proxy setting below), so anyone who can edit a topic may
# be able to make the server contact hosts that are reachable only from its
# own network. If you enable this, consider restricting who can edit topics
# and which outbound connections the server is allowed to make.
#
# You may also need to configure the proxy setting ({PROXY}{HOST})
# if your server is behind a firewall and you allow %INCLUDE of
# external webpages (see Proxies).
$Foswiki::cfg{INCLUDE}{AllowURLs} = $FALSE;
# **BOOLEAN LABEL="Display logged in unknown Users" EXPERT**
# If a login name (or an internal user id) cannot be mapped to a wikiname,
# then the user is unknown. By default the user will be displayed using
# whatever identity is stored for them. For security reasons you may want