
Change Permissions on Wiki People page?

3198 Views 21 Replies Latest reply: May 12, 2013 4:28 PM by tim_r_66
joe_mck
Sep 14, 2011 5:09 AM

I am Using Wiki Server 3 on a Mini Lion Server install.

I find it to be an intolerable security problem that, without logging in, anyone can see my Wiki's "People Page".

At best it gives hackers a good starting point at guessing login names.

At worst, if someone uses a photo for their profile pic it gives predators a name & face.

 

I can disable the People Page entirely by editing the proper plist file, but then the whole page, and everyone's personal documents pages are completely inaccessible.

 

Is there a way to re-enable the People page, but make it available ONLY to logged in users? It doesn't treat "People" and personal pages like Wiki pages. I can't seem to find settings for permissions.

 

Thanks,

 

Joe

Mac mini, Mac OS X (10.7.1)
  • Colin Cannell Level 1 (95 points)
    Sep 30, 2011 12:41 AM (in response to joe_mck)

    The only way I can think to do what you want requires that everyone whom you wish to permit to see the People pages be located in a pre-defined block of IP addresses. For example, you could make it so that the People pages were only visible to people coming in from your company's internal addresses or VPN address pool.

     

    I don't have time to work out all the details, but what you'd do is use Apache's RewriteCond rules to tell Apache that "all requests for pages meeting these criteria that do not come from this set of IP addresses should be redirected to the root page."

     

    Something like:

    RewriteEngine On
    # Placeholder address from the post; substitute the permitted address or range
    RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.0$
    RewriteCond %{REQUEST_URI} ^/people_page\.html$ [NC]
    RewriteRule ^(.*) /root_page.html [R,L]

     

    But don't take my syntax as necessarily correct - you'll have to root around Apache's website to work out the proper commands.

  • attymullins
    Oct 18, 2011 8:57 AM (in response to joe_mck)

    I've encountered the same problem. We're running 10.7.2 and the only solution I've found is to edit the actual code to require that the user be authenticated in order to view the people page. This probably isn't a good long term solution, but just in case you're interested here's what I did.

     

    1) Edit the file /usr/share/collabd/coreclient/app/controllers/people_controller.rb to include 'before_filter :ensure_user_is_authenticated' at the top of the PeopleController class definition.

     

    2) Stop and restart the wiki server (serveradmin stop wiki;serveradmin start wiki).

     

    This will prevent unauthenticated users from seeing the people pages. Note that this change will likely be overwritten when you upgrade.

     

    Hope this helps.

  • Colin Cannell Level 1 (95 points)
    Oct 18, 2011 9:03 AM (in response to attymullins)

    These are neat little config files. It looks like you could make other changes as well, such as restricting People access to only users with Owner privileges. I wish I knew more about what options I could use in these files.

  • carstenlevin
    Dec 21, 2011 6:13 AM (in response to joe_mck)

    I must admit that I am a little bit confused. Is it the built-in Wiki in Mac OS X 10.7?

    If this is the case you should just set your wiki not to be public.

    wikiaccess.jpg

    wikiaccess2.jpg

    And then set the access for each wiki when you create it

    wikiaccess3.jpg

     

    Did I miss the point, or are the solutions proposed here a little bit too complicated when the needed control is already built in by Apple?

  • Colin Cannell Level 1 (95 points)
    Dec 21, 2011 6:20 AM (in response to carstenlevin)

    I think you did miss the point. The OP wants to have a public wiki, so he can share information with anyone, but private People pages, so only logged-in users can see personal details of contributors.

  • Gregory Homyak
    Jan 23, 2012 4:02 PM (in response to attymullins)

    Thanks for the info, it worked like a charm! Now I have another question for the Wiki gurus. Let's say I have two People, Amy and John. Technically Amy owns Amy's People page and John owns his own, I'm assuming. The problem I have is Amy can change John's People page and vice versa with John and Amy. Is there a way to drill the permissions down any further to only allow Amy to change her People page and no one else's? Thanks for any info on this topic!

  • Colin Cannell Level 1 (95 points)
    Jan 23, 2012 4:17 PM (in response to Gregory Homyak)

    My initial guess is no, because the Wiki server isn't designed to work like this. It thinks of people as members of collaborative workgroups, so there's no need to prohibit authorized users from making changes.

     

    Maybe a workaround would be to use the Blogs feature. You could create a blog for each user and put their personal info there. Then only that user could edit that info.

  • stephen.willis.smith Level 1 (65 points)
    Jan 23, 2012 4:54 PM (in response to Gregory Homyak)

    What I ended up doing is removing people pages (no one has a people page or blog) and making a wiki for each person (giving them owner rights on that wiki). They can then allow all logged-in users to view but not edit, and they can allow certain users read/write access. This seems much easier to control for my needs.

  • Gregory Homyak Level 1 (0 points)
    Jan 23, 2012 5:05 PM (in response to Colin Cannell)

    Thanks for the info Colin, I cracked the nut, so to speak. It seems I had marked Amy and John as admins to the server, so no matter what the permissions for the People and Blog pages, both could do whatever they wanted to to each other. Once I created a user account, Frank, as a standard user, then Frank could only edit Frank's pages and not Amy's. But Amy could edit anything Frank did. It all makes sense now. I just won't give Admin rights to the users on the Wiki to make it all easier. Thanks again everyone!

  • Gregory Homyak Level 1 (0 points)
    Feb 6, 2012 7:11 PM (in response to joe_mck)

    Just an update for everyone. It seems Apple did not fix the People permissions in 10.7.3 Server. Boo! Oh well, just be sure to back up the people_controller.rb file before you update to 10.7.3. The edited file still works in 10.7.3, just turn off Wiki Server, move the file back in, and turn on Wiki Server. Maybe in 10.7.4???
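
Added example, not part of the original thread and not Apple's code: an idempotent Ruby helper for the controller edit attymullins describes, which can also be re-run after a system update overwrites the file, as the update post above reports. The controller source in `SAMPLE` is a constructed stand-in, and the function names and the `.orig` backup suffix are assumptions.

```ruby
require "fileutils"
require "tmpdir"

# The filter line is quoted from the thread; everything else is illustrative.
FILTER    = "before_filter :ensure_user_is_authenticated"
CLASS_RE  = /^(\s*)class\s+PeopleController\b/
ACTIVE_RE = /\A\s*#{Regexp.escape(FILTER)}\s*(#.*)?\z/

# Constructed stand-in for people_controller.rb (not Apple's actual source).
SAMPLE = <<~RUBY
  class PeopleController < ApplicationController
    # before_filter :ensure_user_is_authenticated
    def index
    end
  end
RUBY

# Returns [source, status]; status is :already_present, :patched or
# :class_not_found. A commented-out or option-restricted filter line
# does not count as present.
def ensure_people_filter(source)
  lines = source.lines
  idx = lines.index { |l| l =~ CLASS_RE }
  return [source, :class_not_found] if idx.nil?
  return [source, :already_present] if lines[(idx + 1)..].any? { |l| l.chomp =~ ACTIVE_RE }

  indent = lines[idx][CLASS_RE, 1] + "  "
  lines[idx] = lines[idx].chomp + "\n" # class line must end with a newline
  lines.insert(idx + 1, "#{indent}#{FILTER}\n")
  [lines.join, :patched]
end

# Patches the file in place, keeping a one-time backup beside it.
def patch_controller(path)
  patched, status = ensure_people_filter(File.read(path))
  if status == :patched
    backup = "#{path}.orig"
    FileUtils.cp(path, backup) unless File.exist?(backup)
    File.write(path, patched)
  end
  status
end

# Runs the patch twice on a temporary copy of SAMPLE; returns both statuses.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, "people_controller.rb")
    File.write(path, SAMPLE)
    [patch_controller(path), patch_controller(path)]
  end
end
```

Call `patch_controller` with the controller path given in the thread, using sufficient privileges, then restart the wiki service as in step 2 of that post.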

  • ITmonkey
    May 29, 2012 5:04 AM (in response to Gregory Homyak)

    Gregory, sorry to say 10.7.4 has not fixed the problem.

     

    I had installed the latest update to 10.7.4 prior to seeing this thread to fix problem of publicly viewable people pages. So sad to say Apple still haven't seen the importance of securing our personal information in their wikis.

     

    I have now run the fix suggested by attymullins and can confirm the fix is still valid and works for 10.7.4 (11E53)

     

    Do we have to wait for Mountain Lion for this feature to be a default?

  • chrisksm
    Jul 27, 2012 7:02 PM (in response to ITmonkey)

    Still seems to be a problem with Mountain Lion!

     

    Does the fix suggested by attymullins still work with Mountain Lion?
