topic is set to readonly with the intention to make registration fail, and to verify that there's no waste in the password file. However, though the topic is readonly, registration succeeds and the new user is added to
, which is also no longer readonly afterwards but writable.
Root cause: The change came with TWiki:Codev/SaveFileToBeAtomic: in the implementation, directly writing to
has been replaced by writing to a temporary file and then renaming this file to
. The difference is that on Linux, Perl's rename function is processed for readonly files as long as you are the owner.
Proposed solution: In addition to making the file
readonly, also make the directory in which it resides readonly.
Another lesson from this is that making
readonly no longer prevents registration. I guess this doesn't hurt, since the documented way to disable registration is via configure, which works quite fine.
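
The behaviour in this report can be reproduced outside TWiki. The following is an added example, not TWiki code, written in Python, whose `os.replace` ends in the same rename(2) system call as Perl's `rename`; rename(2) checks write permission on the containing directory, not the mode bits of the file being replaced. The file name `passwords.txt`, the `.tmp` suffix and the sample entries are constructed for the demonstration.

```python
import os
import stat
import tempfile

def atomic_save(path, text):
    tmp = path + ".tmp"  # hypothetical temp-file name
    with open(tmp, "w") as fh:  # creating it needs write access to the directory
        fh.write(text)
    os.replace(tmp, path)  # rename(2): the old file's mode bits are not consulted

def direct_save(path, text):
    with open(path, "w") as fh:  # opening for write checks the file's own mode
        fh.write(text)

def attempt(save, path, text):
    """Return True if the save succeeds, False if it is refused."""
    try:
        save(path, text)
        return True
    except PermissionError:
        return False

def run_demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        pw = os.path.join(d, "passwords.txt")  # constructed stand-in file
        direct_save(pw, "alice:hash\n")
        os.chmod(pw, 0o444)  # read-only file in a writable directory
        results["direct_write"] = attempt(direct_save, pw, "alice:hash\nbob:hash\n")
        results["atomic_write"] = attempt(atomic_save, pw, "alice:hash\nbob:hash\n")
        # The renamed temp file brings its own mode, so the file is writable again.
        results["writable_after"] = bool(os.stat(pw).st_mode & stat.S_IWUSR)
        os.chmod(pw, 0o444)
        os.chmod(d, 0o555)  # proposed fix: make the directory read-only as well
        try:
            results["atomic_write_ro_dir"] = attempt(atomic_save, pw, "carol:hash\n")
            with open(pw) as fh:
                results["content"] = fh.read()
        finally:
            os.chmod(d, 0o755)  # restore so the temporary directory can be removed
    return results

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, repr(value))
```

Run it as an unprivileged user: root bypasses these permission checks, so both refusals turn into successes there.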