Persons not in TWikiAdminGroup can create new webs. This should be locked down by default.
-- PTh
un-commented out set in WebPreferences
-- SD
This needs to be moved to TWiki.TWikiPreferences since anyone could copy the form in ManagingWebs to another web to circumvent the web-level setting. Also, better to lock down in Main.TWikiPreferences' FINALPREFERENCES.
On my dev, I still can create webs with ALLOWWEBMANAGE set in TWiki.TWikiPreferences, and me not in the admin group. Using template login. Puzzled.
-- PTh
Lavr mentioned this in IRC:
- Setting ALLOWWEBMANAGE in TWiki.WebPreferences _has_ effect
- Setting ALLOWWEBMANAGE in TWiki.TWikiPreferences has _no_ effect
Tested to be true on SVN 8669.
-- SP
Looking at the code, this seems to be intended behaviour; ALLOWWEBMANAGE is only checked per web(?).
/lib/TWiki/Access.pm, sub checkAccessPermission, ~line 190.
-- SP
svn:8670
--SD
Other current ACL errors reminded me of this one. Re-opening, normal / new.
Hope it can go into next minor, but setting it n/a as it has not been analyzed.
-- SP
ALLOWROOTMANAGE is used to control access to the root, IIRC. ALLOWWEBMANAGE only applies to the web.
Closing, as I don't believe any further follow-up is required. Please re-open with a testcase if you think otherwise.
-- CC