#foswiki 2013-04-02,Tue


***ChanServ sets mode: +o pharvey [01:18]
......... (idle for 43mn)
mail323How can I actually 1) revert a topic 2) view/edit the native source of a topic? [02:01]
gac410the "Edit wiki text" link should let you edit the topic without wysiwyg
Revert is done under "More topic actions" ... well it creates a new revision from the old rev.
[02:02]
mail323I follow the instructions to add a DENYTOPICVIEW = to a topic. This actually shows up as text and if you go back to edit the page it shows all this extra HTML: <p>DENYTOPICVIEW =<span class="WYSIWYG_HIDDENWHITESPACE" style="{encoded: 's2'};">&#160;</span></p> [02:03]
gac410hm... that's strange. With wysiwyg, you should just add a bullet for the Set DENYTOPICVIEW = ... and then save. Something strange happened. [02:04]
mail323Perfect! I was trying to follow the instructions: http://foswiki.org/System/ManagingTopics#Reviewing_and_Reverting which say to copy & paste. [02:05]
gac410Are you an "Admin" user on the site? [02:05]
mail323What is the best way to add it? Does it always need a bullet in front? [02:05]
gac410Yes A "Set" is *always* a bullet, either in wysiwyg, or as wikitext - 3-spaces * Set ...
Well those instructions are old / bogus. More topic actions - restore an old revision ... it's a simple menu option.
[02:06]
mail323It's possible to deny a web but allow a page in that web? [02:07]
gac410Yes, you can deny the web, but grant individual topic exceptions. [02:07]
mail323Then it's not working
the last line in the non-WYSIWYG editor shows: * DENYTOPICVIEW =
[02:08]
gac410Make sure it's 3 spaces, then the * Set DENYTOPICVIEW = someuser
It's not just * DENY it's * Set DENYTOPICVIEW
[02:09]
mail323I am following the instructions which state " DENYTOPICVIEW = " means to allow anyone to view [02:10]
gac410pharvey: Foswikirev:9202 Those revert a topic instructions seem rather convoluted [02:10]
FoswikiBothttp://trac.foswiki.org/changeset/9202 [ Changeset 9202 – Foswiki ] [02:10]
gac410mail323: I think that should work, but to be safe, you can deny an undefined user, which should be the same. I'm a little more confident of that.
But again, Your example was missing the word "Set" It's:
* Set DENYTOPICVIEW =
[02:11]
mail323I denied non-admin to a certain web then I want to allow all on some pages there [02:12]
gac410Right, so in WebPreferences * Set ALLOWWEBVIEW = AdminUser, and in a topic * Set DENYTOPICVIEW = SomeUser
What version of foswiki are you using?
[02:13]
mail323gac410: The newest version
Here it says http://foswiki.org/System/AccessControl#Controlling_access_to_a_Web denytopicview = (null) to allow access to all users
[02:14]
gac410okay. 1.1.8 then. Yes that should work, let me test it [02:15]
mail323I looked up the actual .txt file on the server and it has 3 spaces, asterisk, space, ALLOWWEBVIEW, space, =, space
... in the last line
[02:17]
gac410Yes that's correct. I'm working on testing this now. Just a moment more [02:18]
mail323gac410: No problems I appreciate it. I'm going to step out for a few minutes [02:19]
gac410Okay... In Privateweb.WebPreferences " * Set ALLOWWEBVIEW = AdminUser
and in Privateweb.OpenTopic * Set DENYTOPICVIEW =
[02:20]
mail323I have the following: Set ALLOWWEBCHANGE = AdminGroup, Set ALLOWWEBRENAME = AdminGroup, & Set ALLOWWEBVIEW = AdminGroup [02:20]
gac410and when not logged in I was able to view Privateweb.OpenTopic I typed 3 spaces,asterisk,space,DENYTOPICVIEW,space,=,space [02:21]
mail323And at least the ALLOWWEBVIEW is taking effect [02:21]
gac410(Trailing space was not needed. Didn't get saved anyway)
AdminGroup works fine for me as well.
[02:22]
mail323DENYTOPICVIEW is not having any effect for me
Is there a group that defines all users?
[02:25]
gac410No, [02:25]
mail323Would it matter that I'm working with the "system web?" [02:26]
gac410It *shouldn't* ... But I can't explain why it's not working for you.
Though it's pretty unusual to lock out the system web.
[02:27]
mail323I don't want the users to be able to see the configurations [02:30]
gac410Most configuration is hidden in the bin/configure interface and LocalSite.cfg.
The primary topic based configuration is in Main.SitePreferences, and *.WebPreferences
System.DefaultPreferences should not be edited.
Plugin configuration in most modern plugins is not read from the plugin topics, so that's generally documentation too, not configuration.
[02:30]
GithubBot[foswiki] FoswikiBot pushed 1 new commit to master: http://git.io/hW7uHA
foswiki/master 558dcfb ScottHoge: Item8993: fixed unquoted HTML attributes...
[02:32]
***GithubBot has left [02:32]
FoswikiBothttp://foswiki.org/Tasks/Item8993 [ Item8993: LatexModePlugin uses unquoted XHTML attributes ] [02:32]
gac410The challenge you'll face is many web topics (WebSearch, WebIndex, ... lots of topics) %INCLUDE their working parts from System web. [02:36]
.... (idle for 15mn)
mail323Yes I understand that. I'm currently working with System/WebTopBarExample and I can not view it even when I set DENYTOPICVIEW = in that topic [02:51]
gac410That's a tough one because of all the HTML. On that topic I'd suggest using the MoreTopicActions -> Edit Settings
That will move the Set statement from a visible bullet into hidden topic Metadata.
I just tried it and it works here
If you look at the raw topic file (or use ?raw=debug on the url) You will see at the end:
%META:PREFERENCE{name="DENYTOPICVIEW" title="DENYTOPICVIEW" type="Set" value=""}%
So in the Edit Settings editor, you use the syntax: 3-spaces * Set DENYTOPICVIEW =
[02:55]
mail323gac410: Yes that is working! Thanks! [03:06]
gac410mail323: glad to help.
Don't forget that when we release Foswiki upgrade packages, the system topics are all replaced. So this will all get reverted when you upgrade.
[03:12]
........ (idle for 37mn)
***gac410 has left [03:50]
................... (idle for 1h33mn)
jerichodotm1I've checked w/ 10 or so web hosting companies and none offer Foswiki as a scripted install. Is there a company that offers it in a cPanel type of way? [05:23]
SvenDowideitnot that I know - I've never used cpanel etc to do it :/
mind you - you only need to get the initial bootstrap done, as foswiki has its own admin UI
[05:28]
jerichodotm1I'm trying to get it installed on hostmonster and they don't offer all the perl mods, etc.. [05:30]
SvenDowideitI don't recall needing any extra for dreamhost
but as DH gives you shell access, it's easy to install them when you need
[05:30]
jerichodotm1dependency_installer can't find the dir it's looking for. I navigated to that dir and it's not there. Just stuff like that. I'll research more tomorrow.
I have shell access and it's not. ;)
[05:32]
SvenDowideitcan you run cpanminus? [05:32]
jerichodotm1if hostmonster doesn't offer some of the required perl mods I'm kinda stuck.. [05:33]
SvenDowideitno, you're not
if hostmonster offers shell access
as in, full shell, with compiler (as DH does)
then you can install local perl modules
even so, though, I thought foswiki shipped with its core deps
[05:33]
jerichodotm1I have shell access but everything is localized.. it's odd [05:34]
SvenDowideitso it might be you need to set the things in bin/LocalLib.cfg
it should be localised
but I don't know about their specific odd :)
[05:34]
jerichodotm1well, I ran the installdependencies perl script and it can't find the dir it's looking for.. [05:34]
SvenDowideitI don't even know what that script is :) [05:35]
jerichodotm1it's one of the prereq steps in the install html file [05:36]
SvenDowideitok, I can't find an installdependencies script in the foswiki tgz, so I have no idea [05:36]
jerichodotm1in the tools dir. [05:37]
SvenDowideitoh - ./tools/dependencies_installer.pl ? [05:37]
jerichodotm1dependencies_installer.pl
ya. sorry.
[05:37]
SvenDowideitwow, I wonder what that is [05:37]
jerichodotm1hehe [05:37]
SvenDowideitif you're around at the opposite end of the day
you might get gac410 - he might know more
[05:38]
jerichodotm1or more detailed dependency information, try the script dependencies_installer.pl located in the tools directory, which makes perl module installation easier. Run it with option -h to understand basics. This script requires confirmation before it actually does something. [05:38]
SvenDowideitas I've never run it :/ [05:38]
jerichodotm1that's from the install html doc.
ok.. I'll start again tomorrow
[05:38]
SvenDowideitI'm not that sure you need it though [05:39]
jerichodotm1my brain is dead now but I will check back tomorrow.. I thank you for your time [05:39]
SvenDowideit:) luck :) [05:39]
jerichodotm1danke [05:39]
***jerichodotm1 has left "looking for wiki"
ChanServ sets mode: +o pharvey
[05:39]
.... (idle for 17mn)
ChanServ sets mode: +o MichaelDaum [05:58]
.......... (idle for 46mn)
ChanServ sets mode: +o CDot
ChanServ sets mode: +o CDot
[06:44]
...................................................................... (idle for 5h48mn)
ChanServ sets mode: +o gac410 [12:34]
.............. (idle for 1h6mn)
ChanServ sets mode: +o pharvey [13:40]
.... (idle for 18mn)
ChanServ sets mode: +o Lynnwood [13:58]
............. (idle for 1h1mn)
TBoxHello! What are the limits, if any, on using URL parameters to override system preferences? It seems rather open... [14:59]
..... (idle for 22mn)
LynnwoodTBox: at the least, it's restricted by FinalPreference settings
I suspect there are other limitations. I doubt anything related to security could be so easily bypassed
actually... come to think of it, I'm not sure URL defined parameters can over-ride preference settings...
[15:21]
TBoxHrm. Then maybe I have the wrong. The documentation's full of examples where you click a link with a url parameter and it changes the way the page behaves, like moving the sidebar to the right instead of left.
I have the wrong word*
[15:29]
LynnwoodI'm looking into it myself cause I'm not really sure
it's certainly possible to define a macro that _can_ be over-ridden by a url parameter, but I don't think that's the default behavior
although come to think of it, I can also think of examples where url params do over-ride settings, such as skin setting
but maybe that's a special case...
[15:29]
TBoxThere's another example in the documentation of enabling a disabled plugin by URL param.
That freaked me out.
http://foswiki.org/System/PatternSkin?webheaderart=/pub/System/PatternSkin/header5.gif fails on foswiki.org but works on my wiki. I think you're right, it must be final preferences kicking in.
ah it may just be because the directory is wrong.
hack and paste.
no, it's working. It's just subtle.
the images are similar
[15:33]
LynnwoodI also just successfully over-rode a basic macro (HOMETOPIC) by defining it in an INCLUDE and that worked.
So I guess to prevent that, one must use final preference settings.
although....
[15:36]
TBoxI guess the second question is if there's an easy way to manage final preferences, or a list of macros to inspect for security issues. [15:37]
Lynnwoodan additional thought on this.
While URL params may affect the _rendering_ of a macro, it will not actually set a preference.
let me see if i can think of an example...
[15:37]
TBoxI've got a competing userbase. On one side are clients sharing confidential information. They are extremely security conscious, to the point of poking around just to make sure all the doors are locked. On the other I have a pool of thirty or so editors who need to be able to collaborate on maintaining this information in a presentable format.
In the middle are several hundred users who need to be able to access this information, but they're not quite trustworthy enough for full access. Or at least they need to go through a probationary period before change access is granted.
[15:39]
Lynnwoodright.
So to that point, I cannot see how a url param could over-ride an access control setting.
if we came up with an example of that, it might be serious.
[15:40]
TBoxWell I was concerned yesterday about the LdapNgPlugin. Having read access to our ldap directory could be considered harmful.
So enabling that by url param is a potential hole. And rather than force-disabling it on every web, I'm probably just going to uninstall it once testing is done.
[15:42]
Lynnwoodright. [15:43]
TBoxBut it gets my hackles up, what else is out there? [15:43]
Lynnwoodfor what its worth, a lot of folks use foswiki in secure environments so many such issues have been widely addressed and tested. [15:44]
TBoxYes, that's why we went with it. I'm just exploring all the details.
Ah and just for giggles, we had one of those untrustworthy users check every single page for sql injections, because he wanted to "help out." Wanted a promotion.
[15:44]
Lynnwoodhow could he do SQL injections?
I can see your concerns with LdapNgPlugin in that there are no restrictions on use of its macro built in.
[15:46]
TBoxnot on foswiki. Other parts of the system, coded by us. "We can fire you" is a big part of our security policy sometimes. [15:48]
Lynnwoodlol [15:48]
TBoxJust listing him off as a kind of user I have to deal with. [15:48]
Lynnwoodi hear you [15:48]
BabarTBox: I guess your answer was: ok, next time inform us in advance. And there won't be a next time or you're out. [15:50]
TBoxI don't know what they did with the agent, actually. I just know we did a sweep to close them all. And that the agent is not getting a promotion. [15:52]
LynnwoodTBox: Regarding your concern about enabling/disabling LdapNgPlugin, i think the approach you'd want to consider would be to set DISABLEDPLUGINS to include LdapNgPlugin in SitePreferences and then enable it on specific webs where you would need it. [15:54]
TBoxWhere do I set the final preferences?
If I want some webs to have it and others not
[15:55]
Lynnwoodjust a sec, brb [15:55]
TBoxand the webs that don' thave it can't turn it on. [15:55]
Lynnwoodhow restricted do you have editing of WebPreferences
assuming you have WebPreferences sufficiently restricted, I guess you could disable the plugin in SitePreferences,
then enable it in certain webs in WebPreferences, and include DISABLEDPLUGINS in all WebPreferences topics, so it could not be over-ridden on topic level.
although... since you'd have to touch all the WebPreference topics anyway to implement this, you could just disable that plugin in each web at same time.
[16:00]
MichaelDaumTBox, the security problem probably exists in your LDAP directory no matter whether you installed an easy to use LDAP reading tool.
when the proxy user for that operation has got read access to the sensitive information, then that's a configuration problem of your directory.
which basically means: you need to restrict read access for the proxy user to those branches that carry sensitive information.
otherwise anybody could read the very same information on a command line using standard ldap tools already.
[16:06]
TBoxI've brought something like that up actually.
We got a complaint from a client once that they could see the page names of other clients. They couldn't see what was on the pages, just that they existed, and they had to do some shenanigans with the search tool to do it. They threw a fit because they felt it compromised their security. One of the things that led us to decide to switch to foswiki. That's why I worry about read access to the ldap.
What if they can see that we employ people who aren't actually working on their project?
It feels like a damn stupid question to have to worry about.
I'll talk to our IT guy, maybe we can do something.
[16:12]
Probably tell me I'm crazy, which is fine. [16:19]
........................................................... (idle for 4h50mn)
***ChanServ sets mode: +o pharvey [21:09]
