diff --git a/core/data/Main/WebPreferences.txt b/core/data/Main/WebPreferences.txt index dfbe38c1ee..b218e1099a 100644 --- a/core/data/Main/WebPreferences.txt +++ b/core/data/Main/WebPreferences.txt @@ -1,4 +1,4 @@ -%META:TOPICINFO{author="ProjectContributor" date="1402008308" format="1.1" version="1"}% +%META:TOPICINFO{author="ProjectContributor" date="1457197356" format="1.1" version="1"}% %META:TOPICPARENT{name="WebHome"}% ---+!! %WEB% Web Preferences @@ -32,6 +32,14 @@ If you intend to lock down the %USERSWEB% to only allow registration, you need t * Set DENYWEBRENAME = %USERSWEB%.WikiGuest * Set ALLOWWEBRENAME = +If ={FeatureAccess}{AllowRaw}= is set to =acl= in configure, then the following rules can also be used: + * #Set DENYWEBHISTORY = %USERSWEB%.WikiGuest + * #Set ALLOWWEBHISTORY = + +If ={FeatureAccess}{AllowHistory}= is set to =acl= in configure, then the following rules can also be used: + * #Set DENYWEBRAW = %USERSWEB%.WikiGuest + * #Set ALLOWWEBRAW = + Users or groups allowed to change or rename this %TOPIC% topic: (e.g., [[%USERSWEB%.AdminGroup][AdminGroup]]) * Set ALLOWTOPICCHANGE = %USERSWEB%.AdminGroup diff --git a/core/data/Sandbox/WebPreferences.txt b/core/data/Sandbox/WebPreferences.txt index 77163da7ec..4811578256 100644 --- a/core/data/Sandbox/WebPreferences.txt +++ b/core/data/Sandbox/WebPreferences.txt @@ -1,4 +1,4 @@ -%META:TOPICINFO{author="ProjectContributor" date="1402008794" format="1.1" version="1"}% +%META:TOPICINFO{author="ProjectContributor" date="1457197356" format="1.1" version="1"}% ---+!! %WEB% Web Preferences %TOC% 
@@ -28,6 +28,15 @@ Use ==*== to indicate everyone including the guest users. DENY the WikiGuest u * Set ALLOWWEBCHANGE = * Set DENYWEBRENAME = %USERSWEB%.WikiGuest * Set ALLOWWEBRENAME = + +If ={FeatureAccess}{AllowRaw}= is set to =acl= in configure, then the following rules can also be used: + * #Set DENYWEBHISTORY = %USERSWEB%.WikiGuest + * #Set ALLOWWEBHISTORY = + +If ={FeatureAccess}{AllowHistory}= is set to =acl= in configure, then the following rules can also be used: + * #Set DENYWEBRAW = %USERSWEB%.WikiGuest + * #Set ALLOWWEBRAW = + Users or groups allowed to change or rename this %TOPIC% topic * Set ALLOWTOPICCHANGE = %USERSWEB%.AdminGroup diff --git a/core/data/System/AccessControl.txt b/core/data/System/AccessControl.txt index 81c7b68188..bcd6c2bf23 100644 --- a/core/data/System/AccessControl.txt +++ b/core/data/System/AccessControl.txt @@ -1,4 +1,4 @@ -%META:TOPICINFO{author="ProjectContributor" date="1435796369" format="1.1" version="1"}% +%META:TOPICINFO{author="ProjectContributor" date="1457197356" format="1.1" version="1"}% %META:TOPICPARENT{name="UserDocumentationCategory"}% %STARTINCLUDE% ---+ Access Control @@ -100,7 +100,8 @@ A member of the Super Admin Group has *unrestricted access* throughout the wiki, Access to webs and topics is controlled by: - * the ={AuthScripts}= setting in [[%SCRIPTURLPATH{"configure"}%][configure]] -> Security and Authentication -> Login; and + * The ={AuthScripts}= setting in [[%SCRIPTURLPATH{"configure"}%][configure]] -> Security and Authentication -> Login; + * The ={FeatureAccess}= settings in [[%SCRIPTURLPATH{"configure"}%][configure]] -> Security and Authentication -> Access Control; and * setting the values of certain [[PreferenceSettings][preferences]]. These preferences have the general form: 
@@ -113,6 +114,9 @@ topics in the current web. (Some extensions add additional modes. Ex. ALLOWTOP * Restricting VIEW blocks viewing and searching of content. When you restrict VIEW to a topic or web, this also restricts [[VarINCLUDE][INCLUDE]] and [[FormattedSearch][Formatted SEARCH]] from showing the content of the topics. * Restricting CHANGE blocks creating new topics, changing topics or attaching files. * Restricting RENAME prevents renaming of topics within a web. +And, when enabled by ={FeatureAccess}= settings: + * Restricting HISTORY blocks access to older revisions of topics by the =rev== URL parameter. + * Restricting RAW blocks access to the =raw== topic text.
%X% *There is an important distinction between CHANGE access and RENAME access.* A user can CHANGE a topic, but thanks to version control their changes cannot be lost (the history of the topic before the change is recorded). However if a topic or web is renamed, that history may be lost. Typically a site will only give RENAME access to administrators and content owners. @@ -137,6 +141,12 @@ You can define restrictions on who is allowed to view a %WIKITOOLNAME% web. * ==Set ALLOWWEBCHANGE = < comma-delimited list of users and groups >== * ==Set DENYWEBRENAME = < comma-delimited list of users and groups >== * ==Set ALLOWWEBRENAME = < comma-delimited list of users and groups >== + * If ={FeatureAccess}{AllowRaw}= is set to ==acl== in configure, then the following rules are also active: + * ==Set ALLOWWEBRAW = < comma-delimited list of users and groups >== + * ==Set DENYWEBRAW = < comma-delimited list of users and groups >== + * If ={FeatureAccess}{AllowHistory}= is set to ==acl== in configure, then the following rules are also active: + * ==Set ALLOWWEBHISTORY = < comma-delimited list of users and groups >== + * ==Set DENYWEBHISTORY = < comma-delimited list of users and groups >== You can also use the asterisk (*) in any of the above settings if you want it to match all possible users. 
@@ -152,12 +162,22 @@ Creation and renaming of sub-webs is controlled by the WEBCHANGE setting on the * ==Set ALLOWTOPICCHANGE = < comma-delimited list of users and groups >== * ==Set DENYTOPICRENAME = < comma-delimited list of users and groups >== * ==Set ALLOWTOPICRENAME = < comma-delimited list of users and groups >== + * If ={FeatureAccess}{AllowRaw}= is set to ==acl== in configure, then the following rules are also active: + * ==Set ALLOWTOPICRAW = < comma-delimited list of users and groups >== + * ==Set DENYTOPICRAW = < comma-delimited list of users and groups >== + * If ={FeatureAccess}{AllowHistory}= is set to ==acl== in configure, then the following rules are also active: + * ==Set ALLOWTOPICHISTORY = < comma-delimited list of users and groups >== + * ==Set DENYTOPICHISTORY = < comma-delimited list of users and groups >== You can also use an asterisk (*) in any of these settings to match all possible users.
%X% *Caution!* Settings are always taken from the latest (current) revision of a topic. If older revisions of a topic had more restrictive access controls, they will not be used when accessing the older revision. If the topic was restricted because it contained sensitive information, and that information was removed, it still exists in the topic history. Once you remove the access restrictions, the topic history will be viewable.
Remember when opening up access to specific topics within a restricted web that other topics in the web - for example, the !WebLeftBar - may also need to be accessed when viewing the topics. The message you get when you are denied access should tell you what topic you were not permitted to access. +---++++ Access rules in Foswki version 1.x +If your administrator has enabled ={AccessControlACL}{EnableDeprecatedEmptyDeny}= in the Foswiki configuration then the old behaviour will still work and an empty DENY setting means _do not deny anyone the right to access_, in other words __allow all access__. + +Click this link to see more documentation on the prior behaviour. %TWISTY{showlink="Show Foswiki 1.x ACL documentation"}%
%X% If your site started out life using an earlier version of Foswiki, you might have seen that from Foswiki 2.0 onwards, *the empty DENY has been removed*. This rule has been replaced by =*= wildcards in the ALLOW and DENY rules. @@ -173,8 +193,9 @@ As of Foswiki 2.0, the empty DENY setting is now meaningless, _unless explicitly | Allow selected users | Set ALLOW to desired users/groups | Set ALLOW to desired users/groups | | Deny selected users | Set DENY to desired users/groups | Set DENY to desired users/groups | -If your administrator has enabled ={AccessControlACL}{EnableDeprecatedEmptyDeny}= in the Foswiki configuration then the old behaviour will still work and an empty DENY setting means _do not deny anyone the right to access_. If DENYTOPICVIEW is set to an empty value anyone has access even if ALLOWTOPICVIEW or ALLOWWEBVIEW is defined. This allows you to have very restrictive default access rights to an entire web and still allow individual topics to have more open access. +If DENYTOPICVIEW is set to an empty value anyone has access even if ALLOWTOPICVIEW or ALLOWWEBVIEW is defined. This allows you to have very restrictive default access rights to an entire web and still allow individual topics to have more open access.
+%ENDTWISTY% ---++++ Wildcard matching When =*= is set in a rule, it says that any user identity will match that rule. Setting =ALLOW= to =*= says "Allow ALL", setting * to DENY says "Deny ALL". @@ -283,14 +304,14 @@ If needed, you can further restrict access to selected webs with ALLOWWEBVIEW an ---++++ When using Template Login [[UserAuthentication#TemplateLogin][User authentication with TemplateLogin]] is enabled on your site. To require login for *all* scripts: - * Add all scripts in the =foswiki/bin= directory (except for =login=, =logon= and =configure=) to the list of ={AuthScripts}= in [[%SCRIPTURL{"configure"}%][configure]], =Security And Authentication= tab, =Login= sub-tab, For a default Foswiki installation: + * Add all scripts in the =foswiki/bin= directory (except for =login=, =logon=) to the list of ={AuthScripts}= in [[%SCRIPTURL{"configure"}%][configure]], =Security And Authentication= tab, =Login= sub-tab, For a default Foswiki installation: * Default (open) site: -{AuthScripts} = 'attach,compareauth,edit,manage,previewauth,rdiffauth,rename,restauth,save,statistics,upload,viewauth,viewfileauth'; +{AuthScripts} = 'attach,compareauth,configure,edit,manage,previewauth,rdiffauth,rename,restauth,save,statistics,upload,viewauth,viewfileauth'; * Restricted (closed) site: -{AuthScripts} = 'attach,changes,compare,compareauth,edit,manage,oops,preview,previewauth,rdiff,rdiffauth,register,rename,resetpasswd,rest,restauth,save,search,statistics,upload,view,viewauth,viewfile,viewfileauth +{AuthScripts} = 'attach,changes,compare,compareauth,configure,edit,jsonrpc,manage,oops,preview,previewauth,rdiff,rdiffauth,register,rename,resetpasswd,rest,restauth,save,search,statistics,upload,view,viewauth,viewfile,viewfileauth
%X% If you install extensions that add scripts, you must also remember to add the new scripts to this list or the new scripts will not be protected.
@@ -325,6 +346,26 @@ Use the following setup is used to "lock down" the Wiki to logged in users, whil * *Set <nop>ALLOWTOPICVIEW = ** Set this in each topic that needs to be unlocked for unauthenticated users. * *Note:* ALLOWTOPICVIEW is evaluated before DENYWEBVIEW. Access is permitted if the authenticated person (or wildcard) is in the ALLOWTOPICVIEW list. The list of topics that need to be unlocked in the %SYSTEMWEB% web for login, password reset, registration, and guest access when the %SYSTEMWEB% has been locked down is rather extensive. + +---+++ Control access to topic History and Raw text. + +Foswiki 2.0 now restricts the guest user from access to topic history and raw topic text. This is configurable. See: +[[%SCRIPTURLPATH{configure}][configure]] =Security and Authentication > Access Control > {FeatureAccess}{AllowRaw}= and ={FeatureAccess}{AllowHistory}= (They are expert level settings, so the "Show expert options" button in the lower left corner must be pressed.) + +Each of these setting has 3 choices: + * =authenticated= - This is the default. Anyone who is logged in has access + * =acl= - The feature can be controlled per web or topic using ALLOW or DENY ACLs. + * =all= - Open access like on Foswiki 1.x + +When set to =acl=, then standard DENY and ALLOW processing is performed, RAW +and HISTORY are added to the VIEW, CHANGE and RENAME access already described here. + +If you want to use ACL level controls, but also want WikiGuest blocked by default, you need to edit every WebPreferences topic and set the following: + * ==Set DENYWEBRAW = %USERSWEB%.WikiGuest== + * ==Set DENYWEBHISTORY = %USERSWEB%.WikiGuest== + +Note that these ACL controls block access to the =raw== and =rev== url parameters. They are not enforced internaly in the "Store". Wiki applications still can access prior revisions, and anyone with CHANGE authority can edit the raw topic text. 
+ ---+++ Show control settings You can list the access controls affecting a topic using the [[VarSHOWPREFERENCE][%%NOP%SHOWPREFERENCE{}%]] macro in the topic, thus: @@ -345,6 +386,12 @@ Alternatively, place them in HTML comment markers, but this exposes the access s --> +---+++ Controlling access to the %SYSTEMWEB% web. + +Some search engines penalize sites for publishing "duplicate information". The Wiki documentation in the %SYSTEMWEB% web falls into that category. Foswiki now +has "ALLOWTOPICVIEW = *" settings on critical %SYSTEMWEB% topics that require guest access, such as ResetPassword, UserRegistration, and other template topics. +You should be able to restrict guest access to the %SYSTEMWEB% and retain good operation for guests. + %STOPINCLUDE% --- diff --git a/core/data/System/IncludeTopicsAndWebPages.txt b/core/data/System/IncludeTopicsAndWebPages.txt index 1aed1d4a63..be70d7c9fe 100644 --- a/core/data/System/IncludeTopicsAndWebPages.txt +++ b/core/data/System/IncludeTopicsAndWebPages.txt @@ -1,4 +1,4 @@ -%META:TOPICINFO{author="ProjectContributor" date="1446868059" format="1.1" version="1"}% +%META:TOPICINFO{author="ProjectContributor" date="1457197356" format="1.1" version="1"}% %META:TOPICPARENT{name="UserDocumentationCategory"}% ---+!! Include Topics and Web Pages Using =%INCLUDE{...}%= Macro @@ -7,8 +7,9 @@ Embed topics, or subsections of topics, or other web pages. The [[VarINCLUDE][%INCLUDE{...}%]] macro embeds the content of the specified topic at the place where the [[VarINCLUDE][INCLUDE]] is used. The whole content or only parts of of a page can be included.
%H% If permitted in [[%SCRIPTURLPATH{"configure"}%][configure]], content from any arbitrary URL may be included also. This is disabled by default because it may be used for malicious purposes, especially on public installations. +See: _Security and Authentication > Environment >_ ={INCLUDE}{AllowURLs}=. -%H% If your web server connects to the internet via a proxy server, ={PROXY}{HOST}= and ={PROXY}{PORT}= settings should be set in [[%SCRIPTURLPATH{"configure"}%][configure]]. +%H% If your web server connects to the internet via a proxy server, Proxy settings should be set in [[%SCRIPTURLPATH{"configure"}%][configure]]. See: _Security and Authentication > Proxies >_ ={PROXY}{HOST}=
%TOC% diff --git a/core/data/System/WebPreferences.txt b/core/data/System/WebPreferences.txt index 4c3c428da5..a9af1cbbf5 100644 --- a/core/data/System/WebPreferences.txt +++ b/core/data/System/WebPreferences.txt @@ -1,4 +1,4 @@ -%META:TOPICINFO{author="ProjectContributor" date="1434485156" format="1.1" version="1"}% +%META:TOPICINFO{author="ProjectContributor" date="1457197356" format="1.1" version="1"}% %META:TOPICPARENT{name="WebHome"}% ---+!! %WEB% Web Preferences @@ -40,7 +40,7 @@ Users or groups who are allowed to view, change and rename topics in the %W * Set ALLOWWEBCHANGE = %USERSWEB%.AdminGroup * Set ALLOWWEBRENAME = %USERSWEB%.AdminGroup - Users or groups allowed to change or rename this %TOPIC% topic +Users or groups allowed to change or rename this %TOPIC% topic * Set ALLOWTOPICCHANGE = %USERSWEB%.AdminGroup diff --git a/core/data/_default/WebPreferences.txt b/core/data/_default/WebPreferences.txt index 1590343a98..984c1da365 100644 --- a/core/data/_default/WebPreferences.txt +++ b/core/data/_default/WebPreferences.txt @@ -1,4 +1,4 @@ -%META:TOPICINFO{author="ProjectContributor" date="1402008308" format="1.1" version="1"}% +%META:TOPICINFO{author="ProjectContributor" date="1457197356" format="1.1" version="1"}% ---+!! %WEB% Web Preferences %TOC% @@ -37,6 +37,14 @@ Use ==*== to indicate everyone including the guest users. DENY the WikiGuest u * Set DENYWEBRENAME = * Set ALLOWWEBRENAME = %USERSWEB%.AdminGroup +If ={FeatureAccess}{AllowRaw}= is set to =acl= in configure, then the following rules can also be used: + * #Set DENYWEBHISTORY = %USERSWEB%.WikiGuest + * #Set ALLOWWEBHISTORY = + +If ={FeatureAccess}{AllowHistory}= is set to =acl= in configure, then the following rules can also be used: + * #Set DENYWEBRAW = %USERSWEB%.WikiGuest + * #Set ALLOWWEBRAW = + Users or groups allowed to change or rename this %TOPIC% topic: (e.g., [[%USERSWEB%.AdminGroup][AdminGroup]]) * Set ALLOWTOPICCHANGE = %USERSWEB%.AdminGroup 
diff --git a/core/lib/Foswiki.spec b/core/lib/Foswiki.spec index dfec6a93cf..99d90cb1ef 100644 --- a/core/lib/Foswiki.spec +++ b/core/lib/Foswiki.spec @@ -417,7 +417,7 @@ $Foswiki::cfg{Trace}{LoginManager} = 0; # =save= should be removed from this list if the guest user is permitted to # edit topics without authentication. $Foswiki::cfg{AuthScripts} = -'attach,compareauth,edit,manage,previewauth,rdiffauth,rename,restauth,save,statistics,upload,viewauth,viewfileauth'; +'attach,compareauth,configure,edit,manage,previewauth,rdiffauth,rename,restauth,save,statistics,upload,viewauth,viewfileauth'; # **BOOLEAN LABEL="Legacy REST Security" EXPERT** # Foswiki 1.2 has removed the =rest= script from the list of {AuthScripts}.
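Review bot: In the core/data/Main/WebPreferences.txt hunk (@@ -32,6 +32,14 @@) the two new blocks are cross-wired: the paragraph for ={FeatureAccess}{AllowRaw}= is followed by `#Set DENYWEBHISTORY` / `#Set ALLOWWEBHISTORY`, and the paragraph for ={FeatureAccess}{AllowHistory}= by `#Set DENYWEBRAW` / `#Set ALLOWWEBRAW`. The AccessControl.txt hunks in this same patch pair AllowRaw with the RAW rules and AllowHistory with the HISTORY rules, so swap the two bullet pairs here. The identical swap is repeated in the core/data/Sandbox/WebPreferences.txt and core/data/_default/WebPreferences.txt hunks and should be corrected in all three, otherwise an admin who uncomments the rule under the setting they enabled gets a rule that is silently ignored.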
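Review bot: In the core/data/System/AccessControl.txt hunk at @@ -100,7 +100,8 @@ the two edited bullets now start with a capital "The" while the untouched third bullet still reads "setting the values of certain ...", so the list mixes cases; either keep the original lower-case "the" on the new lines or capitalize the third bullet as well.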
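Review bot: In the core/data/System/AccessControl.txt hunk at @@ -113,6 +114,9 @@ the inline-code markup has a stray trailing `=`: `=rev==` and `=raw==` should be `=rev=` and `=raw=` so the parameter names render as monospace instead of leaving a dangling `=` in the output. The same two tokens reappear in the @@ -325 hunk ("block access to the =raw== and =rev== url parameters") and want the same fix.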
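Review bot: In the core/data/System/AccessControl.txt hunk at @@ -152,12 +162,22 @@ the new heading `---++++ Access rules in Foswki version 1.x` misspells the product name; it should read "Foswiki". The move of the ={AccessControlACL}{EnableDeprecatedEmptyDeny}= paragraph out of the twisty and in front of it is otherwise fine, since the paragraph that now stays inside the twisty (the DENYTOPICVIEW-empty rule) still makes sense on its own.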
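Review bot: In the core/data/System/AccessControl.txt hunk at @@ -283,14 +304,14 @@ the rewritten "Restricted (closed) site" line still lacks the closing quote and semicolon (`... ,viewauth,viewfile,viewfileauth` with no `';`), while the "Default (open) site" line two entries above is terminated correctly; since the line is being touched anyway, close it so an admin copying it into LocalSite.cfg does not get a syntax error. Adding =configure= to both lists and dropping it from the "(except for =login=, =logon= ...)" exception matches the Foswiki.spec hunk below, but the closed-site list also gains =jsonrpc= without a corresponding change or mention anywhere else in the patch; a short phrase saying why it belongs in the locked-down list would help.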
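Review bot: In the core/data/System/AccessControl.txt hunk at @@ -325,6 +346,26 @@ a few wording fixes: "Each of these setting has 3 choices" should be "Each of these settings has 3 choices", "internaly" should be "internally", and the heading `---+++ Control access to topic History and Raw text.` ends with a period unlike the neighbouring `---+++` headings (for example `---+++ Show control settings`). The closing caveat is the most important sentence in the section and deserves to be kept prominent: because the RAW and HISTORY checks apply only to the =raw= and =rev= URL parameters and are not enforced in the Store, anyone with CHANGE access can still read the raw text through the editor and wiki applications can still read prior revisions, so these ACLs reduce casual exposure but are not a confidentiality boundary for already-published content.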
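Review bot: In the core/data/System/AccessControl.txt hunk at @@ -345,6 +386,12 @@ the heading `---+++ Controlling access to the %SYSTEMWEB% web.` ends with a period, unlike the other `---+++` headings in this topic; drop it. The sentence "You should be able to restrict guest access to the %SYSTEMWEB% and retain good operation for guests" would be more useful if it pointed at which topics carry the `ALLOWTOPICVIEW = *` setting (the text names ResetPassword and UserRegistration and then says "and other template topics"), since an admin locking down the web needs that list to verify nothing required for login or registration is cut off.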
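Review bot: In the core/data/System/IncludeTopicsAndWebPages.txt hunk at @@ -7,8 +7,9 @@ the rewritten proxy sentence drops ={PROXY}{PORT}=, which the removed line mentioned alongside ={PROXY}{HOST}=, and it has no terminating period; suggest "See: _Security and Authentication > Proxies >_ ={PROXY}{HOST}= and ={PROXY}{PORT}=." so both settings an admin has to fill in remain visible.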
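Review bot: In the core/lib/Foswiki.spec hunk at @@ -417,7 +417,7 @@ the comment block above the setting (visible context: "# =save= should be removed from this list if the guest user is permitted to edit topics without authentication.") says nothing about =configure= now being in the default ={AuthScripts}= list; add a sentence explaining that =configure= requires login by default and state how an administrator reaches it on a fresh installation where no users exist yet, so the tightened default does not read as a regression to someone setting up a new site.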