Using the ChangeEmailAddress page, anyone can change the email address for guest by entering "guest" for the username, no password, and any email address.
"guest"'s email address should be immutable, and either invalid, or point to the site's administrator email address.
-- TWiki:Main.JoanTouzet
TWikiGuest should not have an email address and should not be allowed to change password.
ResetPasswords should refuse the TWikiGuest as argument and ChangePasswords should refuse TWikiGuest to run it.
Or rather the user defined by {DefaultUserWikiName} or {DefaultUserLogin} should not be allowed to change password or email address.
KJL
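The check proposed in the comment above, sketched as an added example (not TWiki's own code and not part of the original thread). The `%cfg` hash is a constructed stand-in for the site configuration holding the two keys named above with assumed values, and `is_default_user` and `may_change_credentials` are hypothetical helper names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the site configuration: only the two keys named
# in the thread are used, and their values are assumed for illustration.
my %cfg = (
    DefaultUserLogin    => 'guest',
    DefaultUserWikiName => 'TWikiGuest',
);

# Hypothetical helper: true if $who names the default (guest) user, whether
# it arrives as a login name, a WikiName, or a Web.WikiName.
sub is_default_user {
    my ($who) = @_;
    return 0 unless defined $who;
    $who =~ s/^\s+|\s+$//g;    # trim whitespace from form input
    $who =~ s/^.*[.\/]//;      # drop a leading "Main." style web prefix
    # Compare case-insensitively so the guard errs on the side of refusing.
    return 1 if lc($who) eq lc( $cfg{DefaultUserLogin} );
    return 1 if lc($who) eq lc( $cfg{DefaultUserWikiName} );
    return 0;
}

# Hypothetical gate to call before any password or email change is
# attempted, independent of whether authentication would succeed.
# Returns (allowed, reason).
sub may_change_credentials {
    my ($who) = @_;
    return ( 0, 'no user given' ) unless defined $who && $who =~ /\S/;
    return ( 0, 'default user credentials are immutable' )
      if is_default_user($who);
    return ( 1, 'ok' );
}

# Constructed sample inputs covering both identities of the guest user.
for my $name ( 'guest', 'TWikiGuest', 'Main.TWikiGuest', ' Guest ',
    'JoanTouzet', '' )
{
    my ( $ok, $why ) = may_change_credentials($name);
    printf "%-18s %s (%s)\n", "'$name'", $ok ? 'allow' : 'refuse', $why;
}
```

Checking both the login name and the WikiName matters here because the two forms map to the same account, so a guard on only one of them leaves the other path open.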
Sorry about that, temporary glitch. Well spotted. Please check that the problem has gone (SVN 8444)
CC
Tested a bit.
If there is no TWikiGuest or guest defined in .htaccess - there is no problem.
If you want TWikiGuest to be able to edit topics - and add a password (e.g. "guest") to .htpasswd for TWikiGuest but not guest - you cannot ResetPassword for either TWikiGuest or guest. Somehow the ChangeEmailAddress function uses the TWikiUsers linking from WikiName to login name (even when login name is disabled) and then fails to let the TWikiGuest authenticate to change password.
I have not tried to enable login name. And I have not tried to make an additional 'guest' entry in the .htaccess file. I have the feeling that if I do that we still have the problem that TWikiGuest can change his email address.
A public TWiki will normally not have special login names so it is not a very big problem as it is now but it may not be very well controlled and predictable either.
KJL
OK, I'll investigate - thanks for testing. I'd like to get the guest user working smoothly and without surprises, as it's the first place a footpad will look.
CC
I just tried it, and the behaviour is exactly what I'd expect. It is modelled on the password change interface, and has the same constraints and limitations. AFAICT, it is not possible to change the guest email unless you know the guest password (the one stored in htpasswd).
If you need something else, then we will need to make the default password manager smarter; able to store emails in home topics.
Discarded (though the points were well made and are still being thought about)
CC