Item14639: Operational topics in Main, Sandbox webs should be protected from editing by non-admins.
Priority: Security
Current State: Closed
Released In: 2.1.6
Target Release: patch
On sites with open registration, newly registered users are free to deface any of these topics. It is probably a reasonable change to add an ACL to all of these topics ALLOWTOPICCHANGE = AdminGroup. We've had a few of these defaced on Foswiki.org at times.
$ grep -L ALLOWTOPICCHANGE *
AdminUserLeftBar.txt
GroupViewTemplate.txt
PatternSkinUserViewTemplate.txt
UserHomepageHeader.txt
UserListByDateJoined.txt
UserListByLocation.txt
UserListHeader.txt
UserList.txt
WebAtom.txt
WebChanges.txt
WebCreateNewTopic.txt
WebHome.txt
WebIndex.txt
WebLeftBarExample.txt
WebRss.txt
WebSearchAdvanced.txt
WebSearch.txt
WebTopicList.txt
WikiGroups.txt
--
GeorgeClark - 26 Feb 2018
Also, in the Sandbox web, these should also be protected from defacement: (Maybe not the Comment* topics.)
CommentPluginExampleComments.txt
CommentPluginExamples.txt
CommentPluginTemplateExample.txt
WebAtom.txt
WebChanges.txt
WebCreateNewTopic.txt
WebIndex.txt
WebLeftBarExample.txt
WebRss.txt
WebSearchAdvanced.txt
WebSearch.txt
WebTopicList.txt
--
GeorgeClark - 26 Feb 2018
Web* topics in Main, Sandbox and System should all be write protected. Those User* topics in Main should probably be deleted as they are of questionable value. Any *LeftBar should be write protected, only editable by the person it is used by.
PatternSkinUserViewTemplate should be relocated to System.
WikiGroups obviously needs to be write protected, only editable by AdminGroup and RegistrationAgent.
--
MichaelDaum - 01 Mar 2018
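An added example (not Foswiki's own tooling) of the audit George's `grep -L` performs above and of appending the `ALLOWTOPICCHANGE = AdminGroup` setting the thread proposes; the sample web directory and topic contents are constructed, and the check is stricter than the plain grep in that it matches only the two forms Foswiki stores a setting in.

```shell
#!/bin/sh
# Added example, not part of the Foswiki project: audit a web's data directory
# for topics that carry no ALLOWTOPICCHANGE setting and append one where missing.
# A setting is recognised either as a "   * Set" bullet line (three leading
# spaces) or as a %META:PREFERENCE{...}% line; a bare mention in body text is not.

ACL_PATTERN_SET='^   \* Set ALLOWTOPICCHANGE'
ACL_PATTERN_META='META:PREFERENCE{name="ALLOWTOPICCHANGE"'

# Print the name of every topic in web directory $1 that has no ALLOWTOPICCHANGE.
unprotected_topics() {
    for f in "$1"/*.txt; do
        [ -f "$f" ] || continue
        grep -q -e "$ACL_PATTERN_SET" -e "$ACL_PATTERN_META" "$f" || basename "$f" .txt
    done
}

# Append "   * Set ALLOWTOPICCHANGE = <group>" to topic file $1 unless it already
# has the setting. The group defaults to AdminGroup, as proposed in the task.
protect_topic() {
    grep -q -e "$ACL_PATTERN_SET" -e "$ACL_PATTERN_META" "$1" && return 0
    printf '\n   * Set ALLOWTOPICCHANGE = %s\n' "${2:-AdminGroup}" >> "$1"
}

# Protect every unprotected topic in web directory $1 (optional group in $2).
protect_web() {
    for t in $(unprotected_topics "$1"); do
        protect_topic "$1/$t.txt" "$2"
    done
}

# Constructed sample web with three topics so the example runs offline:
# WebHome has no ACL, WikiGroups uses a Set bullet, UserList uses META:PREFERENCE.
make_sample_web() {
    dir=$(mktemp -d)
    printf -- '---+ Welcome\n' > "$dir/WebHome.txt"
    printf -- '---+ Groups\n   * Set ALLOWTOPICCHANGE = AdminGroup, RegistrationAgent\n' > "$dir/WikiGroups.txt"
    printf -- '---+ Users\n%%META:PREFERENCE{name="ALLOWTOPICCHANGE" title="ALLOWTOPICCHANGE" type="Set" value="AdminGroup"}%%\n' > "$dir/UserList.txt"
    echo "$dir"
}

SAMPLE_WEB=$(make_sample_web)
echo "Topics in $SAMPLE_WEB without ALLOWTOPICCHANGE:"
unprotected_topics "$SAMPLE_WEB"
```

Run `protect_web "$SAMPLE_WEB"` (or point it at a real `data/Main` directory) to append the setting to every topic the audit lists; topics that already carry an ACL, such as the constructed WikiGroups, are left untouched.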