Persons not in TWikiAdminGroup
can create new webs. This should be locked down by default.
un-commented out set in WebPreferences
This needs to be moved to TWiki.TWikiPreferences
since anyone could copy the form in ManagingWebs
to another web to circumvent the web-level setting.
Also, better to lock down in Main.TWikiPreferences
On my dev, I still can create webs with ALLOWWEBMANAGE set in TWiki.TWikiPreferences, and me not in the admin group. Using template login. Puzzled.
Lavr mentioned this in IRC:
- Setting ALLOWWEBMANAGE in TWiki.WebPreferences has effect
- Setting ALLOWWEBMANAGE in TWiki.TWikiPreferences has no effect
Tested to be true on SVN 8669.
Looking at the code, this seems to be intended behaviour: ALLOWWEBMANAGE is only checked per web(?).
/lib/TWiki/Access.pm, sub checkAccessPermission, ~line 190.
Other current ACL errors reminded me of this one. Re-opening, normal / new.
Hope it can go into next minor, but setting it n/a as it has not been analyzed.
ALLOWROOTMANAGE is used to control access to the root, IIRC. ALLOWWEBMANAGE only applies to the web.
Closing, as I don't believe any further follow-up is required. Please re-open with a testcase if you think otherwise.
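To make the two settings discussed in this thread concrete, here is an added configuration example (not taken from the report above or from the TWiki distribution). It assumes the standard TWiki preference syntax (a bullet line starting with "Set"), that ALLOWROOTMANAGE is read from TWiki.TWikiPreferences when a new top-level web is created, and that ALLOWWEBMANAGE is read from the WebPreferences topic of the web being managed, as the last two comments describe. The group name is the Main.TWikiAdminGroup mentioned at the top of the report.

```text
# In TWiki.TWikiPreferences (site level): who may create new top-level webs.
# Assumed to be the setting checked by the root-level web creation path.
   * Set ALLOWROOTMANAGE = Main.TWikiAdminGroup

# In <Web>.WebPreferences (per web): who may manage (e.g. rename/create
# subwebs in) this particular web. Per the thread, setting this in
# TWiki.TWikiPreferences has no effect; it must be set in each web.
   * Set ALLOWWEBMANAGE = Main.TWikiAdminGroup
```

To check the lock-down, log in as a user who is not in Main.TWikiAdminGroup and submit the new-web form from TWiki.ManagingWebs; the request should be denied. Because the form can be copied into any web, repeat the attempt from a topic in a different web so that the site-level ALLOWROOTMANAGE, and not just one web's ALLOWWEBMANAGE, is what actually blocks it.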