|
Size: 9404
Comment:
|
← Revision 107 as of 2015-05-22 07:48:10 ⇥
Size: 9938
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 5: | Line 5: |
| (!) If you use moin 1.1 or later, be aware that there are AccessControlList``s, too - making quite some of that stuff even easier. The default security MoinMoin uses is then based on ACLs, if enabled. | (!) If you use moin 1.1 or later, be aware that there are [[AccessControlList]]s, too, which make some of this stuff quite a bit easier. The default security MoinMoin uses is then based on ACLs, if enabled. |
| Line 7: | Line 7: |
| This page contains different usage examples. See also PasswordProtectedEditing and AccessControlList. | This page contains different usage examples. See also AccessControlList. |
| Line 9: | Line 9: |
| '''Content''' [[TableOfContents]] | '''Content''' <<TableOfContents>> |
| Line 16: | Line 16: |
| This prevents anyone who is not logged in from editing pages. | By default the access control list default rights are set to: |
| Line 18: | Line 18: |
| Add this to your `wikiconfig.py`: | acl_rights_default = u'Known:read,write,delete,revert All:read,write' |
| Line 20: | Line 20: |
| {{{ | "Known" = "logged in users, "All = everyone else". If you want to prevent anyone who is not logged in from editing pages add this to your {{{wikiconfig.py}}}: # Only allow logged-in users to edit screens acl_rights_default = u'Known:read,write,delete,revert All:read' === Disable editing over HTTPS === The following makes an intra-net wiki available in read-only form via HTTPS. It's an extra security measure, in addition to password protection, against content changes from the outside. The same scheme can be used to have two different URLs pointing at the same wiki, and have only one of those URLs<<FootNote(An URL that is password-protected, by means of Apache server rules.)>> being able to edit the wiki. The net effect is that you have a read-only wiki editable only by certain people. Add this to your {{{wikiconfig.py}}}: {{{#!highlight python numbers=off |
| Line 23: | Line 33: |
| class Config... class SecurityPolicy(Permissions): def save(self, editor, newtext, rev, **kw): # only known users are allowed to edit return self.request.user.valid }}} Note: If you are using ACLs, you do '''not''' want to use this option. It will prevent the ACLs from working correctly. I've found this ACL configuration accomplishes the same thing, while not breaking ACLs. {{{ class Config... acl_enabled = 1 acl_rights_default = 'Known:read,write,delete,revert All:read' }}} Obviously, remove delete, revert, etc., if you don't want those options. === Disable editing over HTTPS === The following makes an intra-net wiki available in read-only form via HTTPS. It's an extra security measure, in addition to password protection, against content changes from the outside. The same scheme can be used to have two different URLs pointing at the same wiki, and have only one of those URLs[[FootNote(An URL that is password-protected, by means of Apache server rules.)]] being able to edit the wiki. The net effect is that you have a read-only wiki editable only by certain people. Add this to your `wikiconfig.py`: {{{ # permissions from MoinMoin.security import Permissions |
|
| Line 55: | Line 38: |
| Line 60: | Line 42: |
| ''This is curios. I would use it in the opposite direction. https to edit because user and password is sent encrypted and readonly from http. Did I have missed something?'' -- ReimarBauer <<DateTime(2005-11-19T22:21:34Z)>> | |
| Line 61: | Line 44: |
| ''This is curios. I would use it in the opposite direction. https to edit because user and password is sent encrypted and readonly from http. Did I have missed something?'' -- ReimarBauer [[DateTime(2005-11-19T22:21:34Z)]] | . ''I also do it the other way, only allowing editing if HTTPS, but that's easy to do by just removing the {{{not}}} operators. I think the example assumes (without making it clear) that a firewall is in place which only allows HTTPS in from the outside, but on the inside plain HTTP is also allowed and used because it has less overhead and the inside network is assumed to be trusted. So under those assumptions if it's HTTPS then it is assumed to be from outside and thus should be immutable. -- DeronMeranda <<DateTime(2006-01-11T07:01:15Z)>> '' |
| Line 63: | Line 46: |
| ''I also do it the other way, only allowing editing if HTTPS, but that's easy to do by just removing the {{{not}}} operators. I think the example assumes (without making it clear) that a firewall is in place which only allows HTTPS in from the outside, but on the inside plain HTTP is also allowed and used because it has less overhead and the inside network is assumed to be trusted. So under those assumptions if it's HTTPS then it is assumed to be from outside and thus should be immutable. -- DeronMeranda [[DateTime(2006-01-11T07:01:15Z)]] '' | == Examples - MoinMoin 1.3 == <<Anchor(Moin1.3)>> |
| Line 65: | Line 49: |
| === Password Protected Editing === See PasswordProtectedEditing for step-by-step instructions on an implementation of a (mostly) Read-Only Wiki: It allows everybody read access but administrators/editors are allowed to post using a different URL. |
=== SSL-only Revert, Write, Delete === {{{#!highlight python numbers=off from MoinMoin.security import Permissions class Config(FarmConfig): class SecurityPolicy(Permissions): def revert(self, pagename, **kw): return self.request.is_ssl and Permissions.__getattr__(self, 'revert')(pagename) def write(self, pagename, **kw): return self.request.is_ssl and Permissions.__getattr__(self, 'write')(pagename) def delete(self, pagename, **kw): return self.request.is_ssl and Permissions.__getattr__(self, 'delete')(pagename) }}} == Examples - MoinMoin 1.5 == === SSL-only Write === If you want for security reasons that users do not edit the wiki without using SSL you should add: {{{#!highlight python numbers=off # permissions from MoinMoin.security import Permissions class Config(DefaultConfig) class SecurityPolicy(Permissions): def write(self, page_name): return self.request.is_ssl and Permissions.__getattr__(self, 'write')(page_name) }}} Don't forget to replace `Config` with `FarmConfig` if you're using Wiki farming. |
| Line 69: | Line 76: |
| Perhaps we can integrate a WikiFeatures:LinkBan list with [http://www.jayallen.org/projects/mt-blacklist/ the MovableType ban list.] -- LionKimbro ([[Date(2004-04-30T21:58:37Z)]]) | Perhaps we can integrate a WikiFeatures:LinkBan list with [[http://www.jayallen.org/projects/mt-blacklist/|the MovableType ban list.]] -- LionKimbro (<<Date(2004-04-30T21:58:37Z)>>) |
| Line 72: | Line 79: |
| Line 75: | Line 81: |
| {{{ | {{{#!highlight python numbers=off |
| Line 77: | Line 83: |
| Line 80: | Line 85: |
| return (Permissions.write(self, pagename, **kw) and | return (Permissions.write(self, pagename, **kw) and |
| Line 83: | Line 88: |
In this example, a user will be able to write only if the user is valid and does not annoy antispam :-) |
In this example, a user will be able to write only if the user is valid and does not annoy antispam :) |
| Line 89: | Line 93: |
| This is how Twiki does it (roughly). The thing I don't like about it is that authentication usernames don't typically match WikiName``s so you now have to maintain a mapping of usernames to WikiName``s. It's not that big a deal but it's kinda confusing until you get used to it. Also I don't believe that Apache's Directory/Location directives will match URL get parameters so all you can do is restrict access entirely. You can't restrict certain fuctions. -- AdamShand | This is how Twiki does it (roughly). The thing I don't like about it is that authentication usernames don't typically match [[WikiName]]s so you now have to maintain a mapping of usernames to [[WikiName]]s. It's not that big a deal but it's kinda confusing until you get used to it. Also I don't believe that Apache's Directory/Location directives will match URL get parameters so all you can do is restrict access entirely. You can't restrict certain fuctions. -- AdamShand |
| Line 95: | Line 99: |
| ACLs let specific pages be protected, but it should be possible make specific features (such as the ability to save a page with [:HelpOnXmlPages:XML content]) available only to users who have asked for the ability (and been recognized as a sensible human). | ACLs let specific pages be protected, but it should be possible make specific features (such as the ability to save a page with [[HelpOnXmlPages|XML content]]) available only to users who have asked for the ability (and been recognized as a sensible human). |
| Line 100: | Line 104: |
| Yes, see Wiki:OrgPatterns which runs in Wiki:FishBowl mode. - This may be exactly what I was looking for... thanks!!!'' '' | . Yes, see Wiki:OrgPatterns which runs in Wiki:FishBowl mode. - This may be exactly what I was looking for... thanks!!!'' '' |
| Line 105: | Line 110: |
| OTOH, few users have ".htaccess" enabled for them, and even fewer have access to the "httpd.conf".'' '' | . OTOH, few users have ".htaccess" enabled for them, and even fewer have access to the "httpd.conf".'' '' |
| Line 109: | Line 115: |
I might have misunderstood the above, but you can do url rewriting on the QUERY_STRING to, eg, force login over ssl -- JayD |
|
| Line 118: | Line 126: |
| Line 122: | Line 129: |
| Line 127: | Line 133: |
| Line 134: | Line 139: |
| A closely related subject, how to maintain browsability while restricting editability (a la the implementation/installation at http://www.binarycloud.com/wiki, which requires a login and password for the edit action), would be valuable. A discussion which is related is in a sample in HelpOnConfiguration/Security. | Edit priveleges can be controlled using [[AccessControlList|access control lists]]. See also HelpOnConfiguration/Security. |
Using the SecurityPolicy option
SecurityPolicy is a config option that allows wiki admins to dynamically enable or disable certain key actions in a MoinMoin wiki, most notably editing and deleting content. For more details, see HelpOnConfiguration/SecurityPolicy.
If you use moin 1.1 or later, be aware that there are AccessControlLists, too, which make some of this stuff quite a bit easier. The default security MoinMoin uses is then based on ACLs, if enabled.
This page contains different usage examples. See also AccessControlList.
Content
Contents
1. Anti Spam
Here used to be an example of how to use SecurityPolicy against spammers. This is superceded by AntiSpamGlobalSolution.
2. Examples - MoinMoin 1.1
2.1. Only allow editing for known users
By default the access control list default rights are set to:
acl_rights_default = u'Known:read,write,delete,revert All:read,write'
"Known" = "logged in users, "All = everyone else". If you want to prevent anyone who is not logged in from editing pages add this to your wikiconfig.py:
- # Only allow logged-in users to edit screens
acl_rights_default = u'Known:read,write,delete,revert All:read'
2.2. Disable editing over HTTPS
The following makes an intra-net wiki available in read-only form via HTTPS. It's an extra security measure, in addition to password protection, against content changes from the outside. The same scheme can be used to have two different URLs pointing at the same wiki, and have only one of those URLs1 being able to edit the wiki. The net effect is that you have a read-only wiki editable only by certain people.
Add this to your wikiconfig.py:
# permissions
from MoinMoin.security import Permissions
class Config...
class SecurityPolicy(Permissions):
def edit(self, pagename, **kw):
from MoinMoin import webapi
return not webapi.isSSL() and Permissions.edit(self, pagename, **kw)
def delete(self, pagename, **kw):
from MoinMoin import webapi
return not webapi.isSSL() and Permissions.delete(self, pagename, **kw)
This is curios. I would use it in the opposite direction. https to edit because user and password is sent encrypted and readonly from http. Did I have missed something? -- ReimarBauer 2005-11-19 22:21:34
I also do it the other way, only allowing editing if HTTPS, but that's easy to do by just removing the not operators. I think the example assumes (without making it clear) that a firewall is in place which only allows HTTPS in from the outside, but on the inside plain HTTP is also allowed and used because it has less overhead and the inside network is assumed to be trusted. So under those assumptions if it's HTTPS then it is assumed to be from outside and thus should be immutable. -- DeronMeranda 2006-01-11 07:01:15
3. Examples - MoinMoin 1.3
3.1. SSL-only Revert, Write, Delete
from MoinMoin.security import Permissions
class Config(FarmConfig):
class SecurityPolicy(Permissions):
def revert(self, pagename, **kw):
return self.request.is_ssl and Permissions.__getattr__(self, 'revert')(pagename)
def write(self, pagename, **kw):
return self.request.is_ssl and Permissions.__getattr__(self, 'write')(pagename)
def delete(self, pagename, **kw):
return self.request.is_ssl and Permissions.__getattr__(self, 'delete')(pagename)
4. Examples - MoinMoin 1.5
4.1. SSL-only Write
If you want for security reasons that users do not edit the wiki without using SSL you should add:
# permissions
from MoinMoin.security import Permissions
class Config(DefaultConfig)
class SecurityPolicy(Permissions):
def write(self, page_name):
return self.request.is_ssl and Permissions.__getattr__(self, 'write')(page_name)
Don't forget to replace Config with FarmConfig if you're using Wiki farming.
5. Discussion
Perhaps we can integrate a WikiFeatures:LinkBan list with the MovableType ban list. -- LionKimbro (2004-04-30)
5.1. How to have multiple SecurityPolicies
You can't have more then one SecurityPolicy in your config, but you can add policies by sub-classing. For example, to use both AntiSpam and your own policy, create your class like this:
from MoinMoin.util.antispam import SecurityPolicy as Permissions
class SecurityPolicy(Permissions):
def write(self, pagename, **kw):
return (Permissions.write(self, pagename, **kw) and
self.request.user.valid)
In this example, a user will be able to write only if the user is valid and does not annoy antispam 
5.2. Use Server Authentication
It would be nice if the wiki would automatically determine if a user has been authenticated through a web server and use that for the User. If I happened to be using IIS, I could set it up to authenticate and then use os.environ['REMOTE_USER'] to find out who they are. If I were using Apache, I could do the same. If I were using Orion, etc, etc.
This is how Twiki does it (roughly). The thing I don't like about it is that authentication usernames don't typically match WikiNames so you now have to maintain a mapping of usernames to WikiNames. It's not that big a deal but it's kinda confusing until you get used to it. Also I don't believe that Apache's Directory/Location directives will match URL get parameters so all you can do is restrict access entirely. You can't restrict certain fuctions. -- AdamShand
I've done a few patches to my MoinMoin 0.8 distribution to handle this case. Since it's an intranet site, I require authentication on my Wiki, and I use the login name (rather than the randomly generated cookie) as the Wiki user, so there's no mapping problem. I did it in a kind of slipshod way, and I've never gotten the energy to do it right. I'll submit my hacky patch when I get the chance. -- RobLa
5.3. Extension & Ideas
5.3.1. Groups of Users
ACLs let specific pages be protected, but it should be possible make specific features (such as the ability to save a page with XML content) available only to users who have asked for the ability (and been recognized as a sensible human).
6. OLD CONTENT, needs refactoring
I actually have a rather different security problem. I would like to set up a non-firewalled wiki but only a certain group should have access. This may be for legal reasons, but has been imposed as a requirment that I cannot get around. Anyone know of a wiki that restricts access in such a way?
Yes, see OrgPatterns which runs in FishBowl mode. - This may be exactly what I was looking for... thanks!!!
Why not use webserver passwords to restrict access? Or do you wish to restrict editing by a restricted group? -- AnonymousCoward ;)
Even restricting the editing could be done easily using the security the webserver provides.
OTOH, few users have ".htaccess" enabled for them, and even fewer have access to the "httpd.conf".
I played with trying to get Apache's htaccess stuff to work to restrict editing privledges with MoinMoin and couldn't get it to work. I believe that this is because the Directory/Location/File directives will not match get parameters in the URL. I think this is why TWiki uses different scripts for the different functions rather than parameters passed to the main script. If I'm wrong and someone has made this work I'd love to hear about it. From an intranet point of view another feature that would be nice is the ability to restrict access/edits based on category. -- AdamShand
It's in there. See MoinMoin/security.py (I use this in a wiki to disable editing via HTTPS). --jh
I might have misunderstood the above, but you can do url rewriting on the QUERY_STRING to, eg, force login over ssl -- JayD
It isn't included in 0.9 but I see it in the current CVS repository. However I only see the option for requiring users to log in, I don't see anything which allows restriction of permissions (is that still coming or am I missing something?). -- AdamShand
In case you have the ability to modify your .htaccess file, here's the .htaccess file I'm using to allow wiki reading-only by userone and wiki reading-and-writing by usertwo, while denying access to everyone else:
AuthUserFile /path/to/.htpasswd Authname "My Group" AuthType Basic <limit GET> require user userone usertwo </limit> <limit POST PUT DELETE> require user usertwo </limit>
7. Help on Security
There are two types of security issues.
7.1. Malicious use of Editability
This is more of a design or philosophical issue, and is discussed elsewhere. See in particular, Section 1.6 of HelpMiscellaneous/FrequentlyAskedQuestions.
Edit priveleges can be controlled using access control lists. See also HelpOnConfiguration/Security.
7.2. Exploits
The second type of security issue is exploits of particular implementations/installations of a wiki. This would be of interest to any system administrator considering installing a wiki, whether or not the wiki is expected to have valuable content. A reference assessing the current risk of exploitability, and a way of staying current as exploits and patches are found, would be valuable. Even a general discussion of issues with enabling python cgi scripts that can read and write files would be valuable.
An URL that is password-protected, by means of Apache server rules. (1)