
Ticket #4051 (closed enhancement: fixed)

Opened 5 years ago

Last modified 5 years ago

Provide a more secure (from spammers mostly) default trac setup

Reported by: Jorge <jorge.vargas@…> Owned by: jonas
Priority: normal Milestone: 0.10.5
Component: general Version: 0.10
Severity: major Keywords: permission
Cc: jorge.vargas@…
Release Notes:
API Changes:

Description

Hello

As far as the initial setup is concerned, a new Trac install gives full write access to anyone. This is a good setup if we live in a good world, but in a world where spammers ruin open source it's a big problem.

I know that Trac admins should set this right, but the sad truth is that not everyone does it, and we end up with sad things like http://deliciouspython.python-hosting.com/report/1 and http://deliciouspython.python-hosting.com/timeline

So how about some safer default features?

As a more advanced setup, here is what we want to use at the TurboGears Trac. Please note we are not using the wiki component; for that I suggest create/delete for level 3 and modify for level 2.

1- anon
2- user
3- developer
4- administrator
5- root

Each group will inherit the permissions of the one above.

Permissions from http://trac.edgewall.org/wiki/TracPermissions

1- anon
  • *_VIEW, except REPORT_SQL_VIEW and probably CONFIG_VIEW
2- user
  • TICKET_CREATE, TICKET_APPEND
3- developer
  • REPORT_SQL_VIEW
  • REPORT_CREATE, REPORT_MODIFY (this may be useful when you're working on a feature, but should be abused.)
  • WIKI_MODIFY (so he/she can delete the page, and put a sign pointing to docs.turbogears.org)
4- administrator
  • TICKET_ADMIN
  • REPORT_ADMIN
5- root
  • MILESTONE_ADMIN
  • WIKI_ADMIN
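The tiered scheme above, modelled so the inheritance chain can be expanded and the anonymous tier checked for read-only before anything is applied. This is an added example, not code from the ticket or from Trac; "anonymous" and "authenticated" are Trac's built-in subjects, the other group names follow the ticket, and the environment path is a placeholder.

```python
"""Model the ticket's tiered Trac permission scheme, verify the default
(anonymous) tier is read-only, and emit the matching trac-admin commands."""
from typing import Dict, List, Optional, Set

# Trac's *_VIEW actions minus the two the ticket excludes for the anonymous tier.
VIEW_ACTIONS = ["BROWSER_VIEW", "CHANGESET_VIEW", "FILE_VIEW", "LOG_VIEW",
                "MILESTONE_VIEW", "REPORT_VIEW", "ROADMAP_VIEW", "SEARCH_VIEW",
                "TICKET_VIEW", "TIMELINE_VIEW", "WIKI_VIEW"]

# Tiers 1-5 from the ticket; each group inherits from its parent.
# Group names other than Trac's built-ins are the ticket's own (constructed).
TIERS: Dict[str, Dict] = {
    "anonymous":     {"parent": None,            "grants": VIEW_ACTIONS},
    "authenticated": {"parent": "anonymous",     "grants": ["TICKET_CREATE", "TICKET_APPEND"]},
    "developer":     {"parent": "authenticated", "grants": ["REPORT_SQL_VIEW", "REPORT_CREATE",
                                                            "REPORT_MODIFY", "WIKI_MODIFY"]},
    "administrator": {"parent": "developer",     "grants": ["TICKET_ADMIN", "REPORT_ADMIN"]},
    "root":          {"parent": "administrator", "grants": ["MILESTONE_ADMIN", "WIKI_ADMIN"]},
}
WRITE_SUFFIXES = ("_CREATE", "_MODIFY", "_DELETE", "_APPEND", "_ADMIN")


def effective_permissions(group: str) -> Set[str]:
    """Union of the group's own grants and every ancestor's grants."""
    perms: Set[str] = set()
    current: Optional[str] = group
    while current is not None:
        perms.update(TIERS[current]["grants"])
        current = TIERS[current]["parent"]
    return perms


def is_read_only(group: str) -> bool:
    """True when the group's effective actions contain no write action."""
    return not any(p.endswith(WRITE_SUFFIXES) for p in effective_permissions(group))


def trac_admin_commands(env: str = "/path/to/env") -> List[str]:
    """trac-admin lines realising the scheme.  Making a group a member of its
    parent group (permission add <group> <parent>) gives it the parent's grants;
    anonymous needs no membership line because Trac applies its grants to everyone."""
    cmds: List[str] = []
    for group, spec in TIERS.items():
        if spec["parent"] and spec["parent"] != "anonymous":
            cmds.append(f"trac-admin {env} permission add {group} {spec['parent']}")
        cmds.append(f"trac-admin {env} permission add {group} {' '.join(spec['grants'])}")
    return cmds


if __name__ == "__main__":
    assert is_read_only("anonymous"), "default tier must stay read-only"
    print("\n".join(trac_admin_commands()))
```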

Change History

comment:1 Changed 5 years ago by Noah Kantrowitz (coderanger) <coderanger@…>

Have you tried the SpamFilter plugin?

comment:2 Changed 5 years ago by cboos

  • Milestone set to 0.10.1
  • Severity changed from normal to major
  • Type changed from task to enhancement

Well, I just had a look at http://deliciouspython.python-hosting.com, and it really seems that you should take down the site, clean it up, and only restart it with 0.10 and the SpamFilter...

If you can't do that yourself, then you should bug your provider to do that urgently.

As for the default install suggestion, yes, we should probably make the default access rights to be read-only. Too many forgotten "test" or seldom used Trac installations on the Web turned into SPAM reservoirs. We certainly don't want to spread that further in the future.

comment:3 Changed 5 years ago by jorge.vargas@…

The solution cboos suggests seems OK: read-only will let everyone notice the powers of Trac and yet keep spam off it.

I'm sorry if I gave a bad impression; deliciouspython is not mine, it was just some project I googled some time ago, and when I finally got to the real code it turned out all the comments were in German :) I put it here just as an example.

About the SpamFilter, I'll take a look at it for my sites. Thanks.

comment:4 follow-up: Changed 5 years ago by simon

Would be good to load default permissions from a file so that people who set up lots of Tracs for different projects can start with their own set of default permissions each time.

comment:5 Changed 5 years ago by cboos

Supersedes #3866, there's no need to put the default wiki page in read-only mode if by default anonymous can't write.

comment:6 in reply to: ↑ 4 Changed 5 years ago by Noah Kantrowitz (coderanger) <coderanger@…>

Replying to simon:

Would be good to load default permissions from a file so that people who set up lots of Tracs for different projects can start with their own set of default permissions each time.

This is on the docket for TracForge as part of the project creation system.

comment:7 Changed 5 years ago by cboos

  • Keywords permission added
  • Milestone changed from 0.10.5 to 0.11

Implemented in r5243.

comment:8 Changed 5 years ago by cboos

  • Milestone changed from 0.11 to 0.10.5
  • Resolution set to fixed
  • Status changed from new to closed

Ported to 0.10-stable in r5247.
