Opened 17 years ago
Closed 17 years ago
#4051 closed enhancement (fixed)
Provide a more secure (from spammers mostly) default trac setup
| Reported by: | Owned by: | Jonas Borgström | |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.10.5 |
| Component: | general | Version: | 0.10 |
| Severity: | major | Keywords: | permission |
| Cc: | jorge.vargas@… | Branch: | |
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
Hello
As far the initial setup is concern a new trac install gives full write access to anyone, this is a good setup if we live in a good world, but in a world where spammers ruin open source it's a big problem.
I know that trac admins should set this right but the sad truth is that not everyone does it, and we end up with sad things like http://deliciouspython.python-hosting.com/report/1 and http://deliciouspython.python-hosting.com/timeline
so how about some more safe default features?
as a more advance setup here is what we want to use at Turbogears trac. please note we are not using the wiki component, for that I suggest create/delete for level 3 and modify for level 2
1- anon 2- user 3- developer 4- administrator 5- root
each group will inherit the permissions of the above.
permissions from http://trac.edgewall.org/wiki/TracPermissions
1- *_VIEW, except REPORT_SQL_VIEW and probably CONFIG_VIEW 2- TICKET_CREATE,TICKET_APPEND 3-
- REPORT_SQL_VIEW
- REPORT_CREATE,REPORT_MODIFY (this may be usefull when your working
on a feature, but should be abused.)
- WIKI_MODIFY (so he/she can delete the page, and put a sign pointing
to docs.turbogears.org) 4-
- TICKET_ADMIN
- REPORT_ADMIN
5-
- MILESTONE_ADMIN
- WIKI_ADMIN
Attachments (0)
Change History (8)
comment:1 by , 17 years ago
comment:2 by , 17 years ago
| Milestone: | → 0.10.1 |
|---|---|
| Severity: | normal → major |
| Type: | task → enhancement |
Well, I just had a look at http://deliciouspython.python-hosting.com, and it really seems that you should take down the site, clean it up, and only restart it with 0.10 and the SpamFilter…
If you can't do that yourself, then you should bug your provider to do that urgently.
As for the default install suggestion, yes, we should probably make the default access rights to be read-only. Too many forgotten "test" or seldom used Trac installations on the Web turned into SPAM reservoirs. We certainly don't want to spread that further in the future.
comment:3 by , 17 years ago
the solution cboos suggests seems ok read only will let everyone notice the powers of trac and yet keep spam off it.
I'm sorry if I gave a bad impression deliciouspython is not mine, it was just some project I google some time ago and went I finally got to the real code it turns out all the comments where on german :) I put it here just as an example.
about the SpamFilter I'll take a look at it for my sites. thanks.
follow-up: 6 comment:4 by , 17 years ago
Would be good to load default permissions from a file so that people who setup lots of tracs for different projects can start with their own set of default permissions each time.
comment:5 by , 17 years ago
Supersedes #3866, there's no need to put the default wiki page in read-only mode if by default anonymous can't write.
comment:6 by , 17 years ago
comment:7 by , 17 years ago
| Keywords: | permission added |
|---|---|
| Milestone: | 0.10.5 → 0.11 |
Implemented in r5243.
comment:8 by , 17 years ago
| Milestone: | 0.11 → 0.10.5 |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
Ported to 0.10-stable in r5247.
Have you tried the SpamFilter plugin?