11 Aug
2014
11 Aug
'14
1:13 p.m.
Hi There,
I’ve noticed that an XWiki installation has its user directory as well as full user
profiles openly accessible to the public.
Is this not a huge security risk? Or am I missing a configuration setting somewhere?
For example, http://www.xwiki.com has all its users publicly accessible here:
http://www.xwiki.com/lang/en/Main/UserDirectory and each user’s complete personal profile
details is viewable.
Is there a way to secure this information?
Thanks,
Werner
13 Aug
13 Aug
10:37 a.m.
Hi Werner,
By default, the XWiki Enterprise software does not restrict view access to
anything in the wiki. It`s up to the administrator that installs his own
XWiki instance to configure rights based on the requirements of his
installation. In some cases it's ok to expose users (see www.xwiki.org), in
others it may be problematic (like some publicly accessible intranet for
example).
If you are in the latter case where you need pages to not be viewable by
certain users (e.g. guests/unregistered users), have a look at XWiki's
right management
http://platform.xwiki.org/xwiki/bin/view/Features/RightsManagement ( with
more details on
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Access+Rights ) and
properly configure your wiki according to your needs.
Thanks,
Eduard
On Mon, Aug 11, 2014 at 2:13 PM, Werner Kok <werner(a)hti-systems.co.za>
wrote:
Hi There,
I’ve noticed that an XWiki installation has its user directory as well as
full user profiles openly accessible to the public.
Is this not a huge security risk? Or am I missing a configuration setting
somewhere?
For example, http://www.xwiki.com has all its users publicly accessible
here: http://www.xwiki.com/lang/en/Main/UserDirectory and each user’s
complete personal profile details is viewable.
Is there a way to secure this information?
Thanks,
Werner
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
29 Aug
29 Aug
10:37 a.m.
Hi,
Thank you for your reply.
I have indeed gone through the rights setup and have it configured so that the
Main.WebHome page is publicly accessible, but that all other spaces require login.
There is however no way I can see to prevent unregistered user access to the following
spaces in XWiki:
/xwiki/bin/view/Main/UserDirectory
/xwiki/bin/view/XWiki/[username]
Is there any way to secure these two spaces, without locking down the entire XWiki
installation?
Thanks,
Werner
On 13 Aug 2014, at 10:37 AM, Eduard Moraru <enygma2002(a)gmail.com> wrote:
Hi Werner,
By default, the XWiki Enterprise software does not restrict view access to
anything in the wiki. It`s up to the administrator that installs his own
XWiki instance to configure rights based on the requirements of his
installation. In some cases it's ok to expose users (see www.xwiki.org), in
others it may be problematic (like some publicly accessible intranet for
example).
If you are in the latter case where you need pages to not be viewable by
certain users (e.g. guests/unregistered users), have a look at XWiki's
right management
http://platform.xwiki.org/xwiki/bin/view/Features/RightsManagement ( with
more details on
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Access+Rights ) and
properly configure your wiki according to your needs.
Thanks,
Eduard
On Mon, Aug 11, 2014 at 2:13 PM, Werner Kok <werner(a)hti-systems.co.za>
wrote:
Hi There,
I’ve noticed that an XWiki installation has its user directory as well as
full user profiles openly accessible to the public.
Is this not a huge security risk? Or am I missing a configuration setting
somewhere?
For example, http://www.xwiki.com has all its users publicly accessible
here: http://www.xwiki.com/lang/en/Main/UserDirectory and each user’s
complete personal profile details is viewable.
Is there a way to secure this information?
Thanks,
Werner
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
9 Sep
9 Sep
10:33 a.m.
Hi Werner,
In order to achieve what you are asking for (lock everything up except the
homepage), you just need to go to "Administration > Users & Groups >
Rights", click on "Users" and under "Unregistered Users" deny the
"View"
right. This means that unregistered users can not access *any* document
(UserDirectory or user profiles are not special so they too will not be
accessible) on your wiki, however, compared to the "Prevent unregistered
users from viewing pages, regardless of the page or space rights" option,
you are free to set up rights and exceptions for unregistered users (like
the homepage that you want to leave accessible).
To allow unregistered users to view your homepage, just edit the Rights of
the homepage, go to "Users > Unregistered Users" and allow the
"View" right.
The problem you have now is that the homepage will look weird to
unregistered users, because they do not have view access on the skin, on
the dashboard, on panels, etc... so you now need to add one by one the
elements needed for the homepage to display nicely. Once you are happy with
how the homepage looks for guests/unregistered users, you are done.
Hope that helps,
Eduard
On Fri, Aug 29, 2014 at 11:37 AM, Werner Kok <werner(a)hti-systems.co.za>
wrote:
Hi,
Thank you for your reply.
I have indeed gone through the rights setup and have it configured so that
the Main.WebHome page is publicly accessible, but that all other spaces
require login.
There is however no way I can see to prevent unregistered user access to
the following spaces in XWiki:
/xwiki/bin/view/Main/UserDirectory
/xwiki/bin/view/XWiki/[username]
Is there any way to secure these two spaces, without locking down the
entire XWiki installation?
Thanks,
Werner
On 13 Aug 2014, at 10:37 AM, Eduard Moraru <enygma2002(a)gmail.com> wrote:
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
Hi Werner,
By default, the XWiki Enterprise software does not restrict view access
to
anything in the wiki. It`s up to the
administrator that installs his own
XWiki instance to configure rights based on the requirements of his
installation. In some cases it's ok to expose users (see www.xwiki.org),
in
others it may be problematic (like some publicly
accessible intranet for
example).
If you are in the latter case where you need pages to not be viewable by
certain users (e.g. guests/unregistered users), have a look at XWiki's
right management
http://platform.xwiki.org/xwiki/bin/view/Features/RightsManagement (
with
more details on
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Access+Rights ) and
properly configure your wiki according to your needs.
Thanks,
Eduard
On Mon, Aug 11, 2014 at 2:13 PM, Werner Kok <werner(a)hti-systems.co.za>
wrote:
> Hi There,
>
> I’ve noticed that an XWiki installation has its user directory as well
as
> full user profiles openly accessible to the
public.
>
> Is this not a huge security risk? Or am I missing a configuration
setting
somewhere?
For example, http://www.xwiki.com has all its users publicly accessible
here: http://www.xwiki.com/lang/en/Main/UserDirectory and each user’s
complete personal profile details is viewable.
Is there a way to secure this information?
Thanks,
Werner
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
3660
days inactive
3689
days old
3 comments
2 participants
participants (2)
-
Eduard Moraru -
Werner Kok