28 Mar
2014
28 Mar
'14
4:52 p.m.
I'm concerned some may be using the MyDashboard feature of their profile
page to post inappropriate content. What access rights do admins have on
pages that are located off the MyDashboard or where permissions are set
so that only some registered users may see them?
Let's say a user was using our site to post/distribute/develop child
pornography or malware?
Patrick
--
|| | | |||| || || | |||| ||| | |||
Patrick Masson
General Manager, Director & Secretary to the Board
Open Source Initiative
855 El Camino Real, Ste 13A, #270
Palo Alto, CA 94301
United States
Skype: massonpj
sip: masson(a)getonsip.com
<https://www.getonsip.com/call?a=masson@getonsip.com>
Ph: (970) 4MASSON
Em: masson(a)opensource.org <mailto:masson@opensource.org>
Ws: www.opensource.org <http://www.opensource.org>
1 Apr
1 Apr
2:59 p.m.
New subject: [xwiki-users] Posting again: Can admins see MyDashboards?
Asking again with more detail...
I'm concerned some may be using the MyDashboard feature of their profile
page to post inappropriate content. For example, a spam user could
register for an account, and then make pages private to a group and the
organization and admin may not know. Let's say a user was using our site
to post/distribute/develop child pornography or malware?
What access rights do admins have on pages that are located off the
MyDashboard or where permissions are set so that only some registered
users may see them? I tested this my creating a private page on my
profile's MyDashboard, then logged in as Admin. When, as Admin, I
searched the Document Index in a space by my user id, I did see the
private pages. However, with 100's of users this might not be practical.
I guess I am really trying to understand best practices that others may
use in managing the wiki to avoid nefarious use.
Thanks
Patrick
--
|| | | |||| || || | |||| ||| | |||
Patrick Masson
General Manager, Director & Secretary to the Board
Open Source Initiative
855 El Camino Real, Ste 13A, #270
Palo Alto, CA 94301
United States
Skype: massonpj
sip: masson(a)getonsip.com
<https://www.getonsip.com/call?a=masson@getonsip.com>
Ph: (970) 4MASSON
Em: masson(a)opensource.org <mailto:masson@opensource.org>
Ws: www.opensource.org <http://www.opensource.org>
2 Apr
2 Apr
8:40 a.m.
Admin right is not deniable and it implies at the other rights except
programming. See
http://extensions.xwiki.org/xwiki/bin/view/Extension/Security+Module#HDefau…
. So admins should be able to view/edit/delete any page from the wiki
they administer, independent of the rights set on those pages.
A bad user could write though something like this:
{{velocity}}
#if ($hasAdmin)
Nice content
#else
Bad content
#end
{{/velocity}}
To prevent this you can use the watch list to get a mail with the
changes produced in the wiki and review those changes regularly (i.e.
look at the raw content not just at the rendered content) .
Hope this helps,
Marius.
On Fri, Mar 28, 2014 at 6:52 PM, Patrick Masson <masson(a)opensource.org> wrote:
I'm concerned some may be using the MyDashboard
feature of their profile
page to post inappropriate content. What access rights do admins have on
pages that are located off the MyDashboard or where permissions are set so
that only some registered users may see them?
Let's say a user was using our site to post/distribute/develop child
pornography or malware?
Patrick
--
|| | | |||| || || | |||| ||| | |||
Patrick Masson
General Manager, Director & Secretary to the Board
Open Source Initiative
855 El Camino Real, Ste 13A, #270
Palo Alto, CA 94301
United States
Skype: massonpj
sip: masson(a)getonsip.com
<https://www.getonsip.com/call?a=masson@getonsip.com>
Ph: (970) 4MASSON
Em: masson(a)opensource.org <mailto:masson@opensource.org>
Ws: www.opensource.org <http://www.opensource.org>
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
8:42 a.m.
New subject: [xwiki-users] Posting again: Can admins see MyDashboards?
I replied on the first thread.
On Tue, Apr 1, 2014 at 5:59 PM, Patrick Masson <masson(a)opensource.org> wrote:
Asking again with more detail...
I'm concerned some may be using the MyDashboard feature of their profile
page to post inappropriate content. For example, a spam user could register
for an account, and then make pages private to a group and the organization
and admin may not know. Let's say a user was using our site to
post/distribute/develop child pornography or malware?
What access rights do admins have on pages that are located off the
MyDashboard or where permissions are set so that only some registered users
may see them? I tested this my creating a private page on my profile's
MyDashboard, then logged in as Admin. When, as Admin, I searched the
Document Index in a space by my user id, I did see the private pages.
However, with 100's of users this might not be practical.
I guess I am really trying to understand best practices that others may use
in managing the wiki to avoid nefarious use.
Thanks
Patrick
--
|| | | |||| || || | |||| ||| | |||
Patrick Masson
General Manager, Director & Secretary to the Board
Open Source Initiative
855 El Camino Real, Ste 13A, #270
Palo Alto, CA 94301
United States
Skype: massonpj
sip: masson(a)getonsip.com
<https://www.getonsip.com/call?a=masson@getonsip.com>
Ph: (970) 4MASSON
Em: masson(a)opensource.org <mailto:masson@opensource.org>
Ws: www.opensource.org <http://www.opensource.org>
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
3740
days inactive
3745
days old
3 comments
2 participants
participants (2)
-
Marius Dumitru Florea -
Patrick Masson