joe_mck

Q: Change Permissions on Wiki People page?

I am using Wiki Server 3 on a Mini Lion Server install.

I find it to be an intolerable security problem that, without logging in, anyone can see my Wiki's "People Page".

At best it gives hackers a good starting point at guessing login names.

At worst, if someone uses a photo for their profile pic it gives predators a name & face.

I can disable the People Page entirely by editing the proper plist file, but then the whole page, and everyone's personal documents pages are completely inaccessible.

Is there a way to re-enable the People page, but make it available ONLY to logged in users? It doesn't treat "People" and personal pages like Wiki pages. I can't seem to find settings for permissions.

Thanks,

Joe

Mac mini, Mac OS X (10.7.1)

Posted on Sep 14, 2011 5:09 AM

  • by joe_mck,

    joe_mck Sep 30, 2012 2:02 PM in response to chrisksm
    Level 1 (25 points)

    chrisksm wrote:

    Still seems to be a problem with Mountain Lion!

    Does the fix suggested by attymullins still work with Mountain Lion?

    Yes, EXCEPT, the location of people_controller.rb has moved. It is now in:

    /Applications/Server.app/Contents/ServerRoot/usr/share/collabd/coreclient/app/controllers

    Be sure to review the file EVERY time Apple updates Server.app!
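
The advice above, to re-check people_controller.rb after every Server.app update, can be automated. The following is an added example, not part of the original post or of Apple's tooling; the function names and the marker line are assumptions, since the thread does not show the line that was added to the controller.

```shell
#!/bin/sh
# Added example: detect when a Server.app update has replaced or altered a
# hand-patched controller file. MARKER is the exact line you added to the
# file (assumption: supplied by you; the thread does not show it).

file_hash() {
    # SHA-256 of a file: sha256sum on Linux, shasum on macOS
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# record_baseline FILE BASELINE
# Run once, right after applying the patch, to store the patched file's hash.
record_baseline() {
    [ -f "$1" ] || return 2
    file_hash "$1" > "$2"
}

# check_patch FILE BASELINE MARKER
# Return codes:
#   0  file identical to the recorded baseline, marker present
#   1  marker present but file content changed (or no baseline): review it
#   2  file missing (the path moved, as it did between Lion and Mountain Lion)
#   3  marker line gone: the update overwrote the patch
check_patch() {
    [ -f "$1" ] || return 2
    grep -qF -- "$3" "$1" || return 3
    [ -f "$2" ] || return 1
    [ "$(file_hash "$1")" = "$(cat "$2")" ] || return 1
    return 0
}

# Usage (path from the post above; marker is whatever line you added):
#   F=/Applications/Server.app/Contents/ServerRoot/usr/share/collabd/coreclient/app/controllers/people_controller.rb
#   record_baseline "$F" /var/root/people_controller.sha256
#   check_patch "$F" /var/root/people_controller.sha256 "<your added line>"
```

A non-zero result from check_patch after an update means the People page may be publicly readable again until the file is reviewed.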

  • by mehrab @ zettachem,

    mehrab @ zettachem Oct 22, 2012 4:14 AM in response to joe_mck
    Level 1 (0 points)

    Hi

    Right now in the wiki, on the people page, when I click on each user except admin, it cannot open the profile of that user and says:

    Routing Error

    No route matches "/wiki/people/elvira.tufekcic/Elvira_Tufekcic.html"

    Any idea?

    Thanks in advance

  • by joe_mck,

    joe_mck Dec 8, 2012 9:40 AM in response to joe_mck
    Level 1 (25 points)

    WARNING:

    It appears the iPad version of the wiki does not honor the before filter.

    From the iPad I can still access my people page without being asked to log in.

     

    Grrr.

  • by basilmir,

    basilmir Dec 20, 2012 11:51 AM in response to joe_mck
    Level 1 (76 points)

    There is a "master switch" you can use to disable people view everywhere.

    It's in the OS X Server: Advanced Administration Guide

    http://help.apple.com/advancedserveradmin/mac/10.8/#apd59153f0a-7ed3-4c64-9c74-3a1fff831475

    You can change wiki service settings by editing plist files.

    You can change the following settings by editing /Library/Server/Wiki/Config/collabcored.plist

    disable_projects_view
    false
    Set this to true to disable the Wikis page in the wiki. Set this to false to enable the Wikis page in the wiki.

  • by tim_r_66,

    tim_r_66 May 5, 2013 9:47 AM in response to joe_mck
    Level 1 (50 points)

    This is what I found out too.  In fact, I originally thought the fix didn't work with Mountain Lion until I read this thread.  I guess for now I will set the permissions to my Wiki to be non public.  However, eventually I will likely want to make it public, and then I'll have to decide how to protect the privacy of the users.

    I guess one option would be to set up a second server, one for internal and one for external.

    Tim

  • by tim_r_66,

    tim_r_66 May 11, 2013 12:12 PM in response to basilmir
    Level 1 (50 points)

    Playing with this some more today and was amazed at how this is designed, not in a good way either.  I set disable_people_view to true and then brought up the Wiki (after restarting the service).  While people pages and my user settings, etc., no longer displayed, if I click on All Activity from the home page, even as an unauthenticated user, I can still see the blogs.

    Editing the people_controller.rb as described above gets the closest to making blogs private but these are still visible to iPad (and I assume other mobile devices).

    Disturbing.  I guess I'll go the route of creating a special wiki for my own personal private use, and leave the blog open for information I am comfortable having others read.

  • by tim_r_66,

    tim_r_66 May 12, 2013 4:28 PM in response to tim_r_66
    Level 1 (50 points)

    I am going to add another twist to this.  Would be interested in knowing if someone else gets similar behavior.

     

    I created a private wiki for just me so I could move my content I did not want public to even iPad users.  I moved two blog entries to this new wiki.  And, when I went back in to look from the iPad as an unauthenticated user, none of the content was visible except for my main page (People).  

     

    The server doesn't prompt the unauthenticated user to log in, it just doesn't display the content.  This behavior differs from a full up Mac/Safari set up when the user is prompted to log in when trying to access any content.

     

    Things that make you go, "hmmmmmmmm".

     

    Tim
