Item14343: Protect additional topics

These allow override starting in 2.2.  Also protect the NatSkin
User Registration templates.

UnitTestContrib/test/unit/AccessControlTests.pm

@@ -179,8 +179,40 @@ THIS
 # Test Restricted Topic - Item14629
 sub test_restricted_Item14629 {
     my $this = shift;
-    my ($topicObject) =
-      Foswiki::Func::readTopic( $this->{test_web}, 'UserRegistration' );
+
+# These topics either allow override by creating a missing topic in the Users web,
+# or they are particularly sensitive. They are protected by {AccessControlACL}{RestrictedEdit}
+    foreach my $tname (
+        qw(ChangeEmailAddress
+        ChangePassword
+        GroupTemplate
+        GroupViewTemplate
+        ResetPassword
+        SimpleUserRegistrationViewTemplate
+        UserRegistration
+        UserRegistrationViewTemplate
+        WikiGroupsComponents
+        )
+      )
+    {
+        $this->_check_Protected($tname);
+    }
+    $this->_check_Protected("Default$Foswiki::cfg{Stats}{TopicName}");
+    return;
+}
+
+sub _check_Protected {
+    my $this  = shift;
+    my $tname = shift;
+
+    # Change not allowed even on non-existing topic
+    $this->assert( !Foswiki::Func::topicExists( $this->{test_web}, $tname ) );
+    $this->DENIED( "CHANGE", $MrGreen, $this->{test_web}, $tname );
+    $this->PERMITTED( "CHANGE", 'BaseUserMapping_333', $this->{test_web},
+        $tname );
+
+    # Create the topic
+    my ($topicObject) = Foswiki::Func::readTopic( $this->{test_web}, $tname );
     $topicObject->text(<<'THIS');
 Anyone can change
    * Set ALLOWTOPICCHANGE = *
@@ -193,32 +225,18 @@ THIS
 
     # baseline
     $this->assert(
-        !Foswiki::Func::topicExists( $this->{test_web}, 'UserRegistrationx' ) );
-    $this->PERMITTED( "CHANGE", $MrGreen, $this->{test_web},
-        'UserRegistrationx' );
-    $this->PERMITTED(
-        "CHANGE",          'BaseUserMapping_333',
-        $this->{test_web}, 'UserRegistrationx'
-    );
+        !Foswiki::Func::topicExists( $this->{test_web}, $tname . 'x' ) );
+    $this->PERMITTED( "CHANGE", $MrGreen, $this->{test_web}, $tname . 'x' );
+    $this->PERMITTED( "CHANGE", 'BaseUserMapping_333',
+        $this->{test_web}, $tname . 'x' );
 
     # Change not permitted on restricted topic names
-    $this->assert(
-        Foswiki::Func::topicExists( $this->{test_web}, 'UserRegistration' ) );
-    $this->PERMITTED( "VIEW", $MrGreen, $this->{test_web}, 'UserRegistration' );
-    $this->DENIED( "CHANGE", $MrGreen, $this->{test_web}, 'UserRegistration' );
-    $this->PERMITTED(
-        "CHANGE",          'BaseUserMapping_333',
-        $this->{test_web}, 'UserRegistration'
-    );
+    $this->assert( Foswiki::Func::topicExists( $this->{test_web}, $tname ) );
+    $this->PERMITTED( "VIEW", $MrGreen, $this->{test_web}, $tname );
+    $this->DENIED( "CHANGE", $MrGreen, $this->{test_web}, $tname );
+    $this->PERMITTED( "CHANGE", 'BaseUserMapping_333',
+        $this->{test_web}, '$tname' );
 
-    # Change not allowed even on non-existing topic
-    $this->assert(
-        !Foswiki::Func::topicExists( $this->{test_web}, 'ChangePassword' ) );
-    $this->DENIED( "CHANGE", $MrGreen, $this->{test_web}, 'ChangePassword' );
-    $this->PERMITTED( "CHANGE", 'BaseUserMapping_333', $this->{test_web},
-        'ChangePassword' );
-
-    return;
 }
 
 # Test that an empty DENYTOPIC doesn't deny anyone

core/lib/Foswiki.spec

@@ -584,7 +584,7 @@ $Foswiki::cfg{AccessControlACL}{EnableAdditiveRules} = $FALSE;
 # **STRING LABEL="Sensitive Topic Names" **
 # A list of topic names that should never be created or edited by a non-admin
 # user. These topics will always be denied.
-$Foswiki::cfg{AccessControlACL}{RestrictedEdit} = 'UserRegistration,ChangePassword,ResetPassword,ChangeEmailAddress,GroupViewTemplate,Default$Foswiki::cfg{Stats}{TopicName}';
+$Foswiki::cfg{AccessControlACL}{RestrictedEdit} = 'ChangeEmailAddress,ChangePassword,Default$Foswiki::cfg{Stats}{TopicName},GroupTemplate,GroupViewTemplate,ResetPassword,SimpleUserRegistrationViewTemplate,UserRegistration,UserRegistrationViewTemplate,WikiGroupsComponents';
 
 # **BOOLEAN LABEL="Enable Deprecated Empty Deny" EXPERT **
 # Optionally restore the deprecated empty =DENY= ACL behavior.