Apple Event: May 7th at 7 am PT

Learn more

Add to your calendar 

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: joe_mck
joe_mck Author
User level: Level 1
26 points

Change Permissions on Wiki People page?

I am Using Wiki Server 3 on a Mini Lion Server install.

I find it to be an intolerable security problem that, without logging in, any one can see my Wiki's "People Page"

At best it gives hackers a good starting point at guessing login names.

At worst, if someone uses a photo for their profile pic it gives predators a name & face.


I can disable the People Page entirely by editing the proper plist file, but then the whole page, and everyone's personal documents pages are completely inaccessable.


Is there a way to re-enable the People page, but make it available ONLY to logged in users? It doesn't treat "People" and personal pages like Wiki pages. I can't seem to find settings for permissions.


Thanks,


Joe

Mac mini, Mac OS X (10.7.1)

Posted on Sep 14, 2011 5:09 AM

Reply
21 replies
User profile for user: basilmir
basilmir
User level: Level 1
80 points

Dec 20, 2012 11:51 AM in response to joe_mck

There is a "master switch" you can use to disable people view everywhere.


It's in the OS X Server: Advanced Administration Guide


http://help.apple.com/advancedserveradmin/mac/10.8/#apd59153f0a-7ed3-4c64-9c74-3 a1fff831475



You can change wiki service settings by editing plist files.

You can change the following settings by editing /Library/Server/Wiki/Config/collabcored.plist

disable_projects_view

false

Set this to true to disable the Wikis page in the wiki. Set this to false to enable the Wikis page in the wiki.

Reply
User profile for user: tim_r_66
tim_r_66
User level: Level 1
51 points

May 5, 2013 9:47 AM in response to joe_mck

This is what I found out too. In fact, I originally thought the fix didn't work with Mountain Lion until I read this thread. I guess for now I will set the permissions to my Wiki to be non public. However, eventually I will likely want to make it public, and then I'll have to decide how to protect the privacy of the users.


I guess one option would be to set up a second server, one for interal and one for external.


Tim

Reply
User profile for user: tim_r_66
tim_r_66
User level: Level 1
51 points

May 11, 2013 12:12 PM in response to basilmir

Playing with this some more today and was amazed and how this is designed, not in a good way either. I set disable_people_view to true and then brought of the Wiki (after restarting the service). While people pages and my user settings, etc., no longer displayed, if I click on All Activity from the home page, even as an unauthenticated user, I can still see the blogs.


Editing the people_controller.rb as described above gets the closest to making blogs private but these are still visible to iPad (and I assume other mobile devices).


Disturbing. I guess I'll got the route of create a special wiki for my own personal private use, and leave the blog open for information I am comfortable having others read.

Reply
User profile for user: tim_r_66
tim_r_66
User level: Level 1
51 points

May 12, 2013 4:28 PM in response to tim_r_66

I am going to add another twist to this. Would be interested in knowing if someone else gets similar behavior.


I created a private wiki for just me so I could move my content I did not want public to even iPad users. I moved two blog entries to this new wiki. And, when I went back in to look from the iPad as an unauthenticated user, none of the content was visible except for my main page (People).


The server doesn't prompt the unauthenticated user to log in, it just doesn't display the content. This behavior differs from a full up Mac/Safari set up when the user is prompted to log in when trying to access any content.


Things that make you go, "hmmmmmmmm".


Tim

Reply

Change Permissions on Wiki People page?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up