21 Replies. Latest reply: May 12, 2013 4:28 PM by tim_r_66
joe_mck Level 1 (25 points)

I am using Wiki Server 3 on a Mini Lion Server install.

I find it to be an intolerable security problem that, without logging in, anyone can see my Wiki's "People Page".

At best it gives hackers a good starting point at guessing login names.

At worst, if someone uses a photo for their profile pic it gives predators a name & face.


I can disable the People Page entirely by editing the proper plist file, but then the whole page, and everyone's personal documents pages, are completely inaccessible.


Is there a way to re-enable the People page, but make it available ONLY to logged in users? It doesn't treat "People" and personal pages like Wiki pages. I can't seem to find settings for permissions.





Mac mini, Mac OS X (10.7.1)
  • Colin Cannell Level 1 (95 points)

    The only way I can think to do what you want requires that everyone whom you wish to permit to see the People pages be located in a pre-defined block of IP addresses. For example, you could make it so that the People pages were only visible to people coming in from your company's internal addresses or VPN address pool.


    I don't have time to work out all the details, but what you'd do is use Apache's RewriteCond rules to tell Apache that "all requests for pages meeting these criteria that do not come from this set of IP addresses should be redirected to the root page."


    Something like:

    RewriteEngine On
    # Requests that do NOT come from the permitted address (placeholder; use your own address or range)
    RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.1$
    # ... and that are for the People page
    RewriteCond %{REQUEST_URI} ^/people_page\.html$ [NC]
    # ... are redirected to the root page, and no further rules are processed
    RewriteRule ^(.*)$ /root_page.html [R,L]


    But don't take my syntax as necessarily correct - you'll have to root around Apache's website to work out the proper commands.

  • attymullins Level 1 (10 points)

    I've encountered the same problem. We're running 10.7.2 and the only solution I've found is to edit the actual code to require that the user be authenticated in order to view the people page. This probably isn't a good long term solution, but just in case you're interested here's what I did.


    1) Edit the file /usr/share/collabd/coreclient/app/controllers/people_controller.rb to include 'before_filter :ensure_user_is_authenticated' at the top of the PeopleController class definition.


    2) Stop and restart the wiki server (serveradmin stop wiki;serveradmin start wiki).


    This will prevent unauthenticated users from seeing the people pages. Note that this change will likely be overwritten when you upgrade.


    Hope this helps.
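    A script that carries out the two steps above, added here as an example and not taken from attymullins' post: it keeps a dated backup of people_controller.rb (later replies note that upgrades overwrite the file), inserts the before_filter line only once so it can be re-run after an update, verifies the result, and restarts the wiki with sudo. The file path and class name are the ones quoted above; the function names, the --apply flag and the constructed test input are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Path and class name as quoted in the thread;
# CONTROLLER can be overridden from the environment for testing.
CONTROLLER="${CONTROLLER:-/usr/share/collabd/coreclient/app/controllers/people_controller.rb}"
FILTER='before_filter :ensure_user_is_authenticated'

# Insert the filter right after the "class PeopleController" line unless it is
# already there. Prints how many times the filter now occurs in the file
# (should be exactly 1) so a caller can verify the edit.
patch_people_controller() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if ! grep -q "$FILTER" "$file"; then
        # Dated backup: keep it to restore the edit after an OS X Server upgrade.
        cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
        # awk instead of sed -i: BSD sed on OS X needs a backup-suffix argument.
        # Writing back with cat keeps the file's owner and mode intact.
        awk -v line="  $FILTER" '
            { print }
            /^class PeopleController/ && !done { print line; done = 1 }
        ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    fi
    grep -c "$FILTER" "$file"
}

# Number of backups made for a file (lets a caller confirm one exists).
count_backups() { ls "$1".bak.* 2>/dev/null | wc -l | tr -d ' '; }

# Step 2 from the post: serveradmin needs root, so run it with sudo.
restart_wiki() {
    sudo serveradmin stop wiki && sudo serveradmin start wiki
}

# Only touch the live server when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    n=$(patch_people_controller "$CONTROLLER")
    [ "$n" -eq 1 ] || { echo "filter present $n times, expected 1" >&2; exit 1; }
    restart_wiki
fi
```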

  • Colin Cannell Level 1 (95 points)

    These are neat little config files. It looks like you could make other changes as well, such as restricting People access to only users with Owner privileges. I wish I knew more about what options I could use in these files.

  • joe_mck Level 1 (25 points)

    @attymullins thank you; thank you; thank you.


    Hopefully when it's overridden in the next upgrade it will get overridden by a version that requires authenticated users by default, or at least makes it more easily configured.


    It's a pretty stupid security flaw making that open by default. Just think about the first 10 minutes of "The Social Network."


    For those reading this in the future; note that running serveradmin (step 2) requires a sudo.

  • carstenlevin Level 1 (0 points)

    I must admit that I am a little bit confused. Is it the built-in Wiki in Mac OS X 10.7?

    If this is the case you should just set your wiki not to be public.



    And then set the access for each wiki when you create it.



    Did I miss the point, or are the solutions proposed here a little bit too complicated when the needed control is already built in by Apple?

  • Colin Cannell Level 1 (95 points)

    I think you did miss the point. The OP wants to have a public wiki, so he can share information with anyone, but private People pages, so only logged-in users can see personal details of contributors.

  • joe_mck Level 1 (25 points)

    carstenlevin wrote:


    Did I miss the point, ... ?



    I do have the wiki set so only registered users can create wikis. Once created, the wikis can be public or private. Generally, my public wikis are read only. Announcements and so forth.


    The problem is that Apple makes the people page itself publicly viewable.


    Publicly listing valid accounts on your system is TERRIBLE computer security practice.

    And when some of your users are minors, with profile pictures, then it can compromise their personal safety too.


    I can scrap and rebuild my system if hackers get in; but the kids are important.


    The flagged "Correct Answer" basically answers the mail exactly. The fix is simpler than it looks; the dumb thing is that it is not the default configuration.

  • Gregory Homyak Level 1 (0 points)

    Thanks for the info, it worked like a charm! Now I have another question for the Wiki gurus. Let's say I have two People, Amy and John. Technically Amy owns Amy's People page and John owns his own, I'm assuming. The problem I have is Amy can change John's People page and vice versa with John and Amy. Is there a way to drill the permissions down any further to only allow Amy to change her People page and no one else's? Thanks for any info on this topic!

  • Colin Cannell Level 1 (95 points)

    My initial guess is no, because the Wiki server isn't designed to work like this. It thinks of people as members of collaborative workgroups, so there's no need to prohibit authorized users from making changes.


    Maybe a workaround would be to use the Blogs feature. You could create a blog for each user and put their personal info there. Then only that user could edit that info.

  • stephen.willis.smith Level 1 (65 points)

    What I ended up doing is removing people pages (no one has a people page or blog) and making a wiki for each person (giving them owner rights on that wiki). They can then allow all logged-in users to view but not edit, and they can allow certain users read/write access. This seems much easier to control for my needs.

  • Gregory Homyak Level 1 (0 points)

    Thanks for the info Colin, I cracked the nut, so to speak. It seems I had marked Amy and John as admins to the server so no matter what the permissions for the People and Blog pages, both could do whatever they wanted to each other. Once I created a user account, Frank, as a standard user, then Frank could only edit Frank's pages and not Amy's. But Amy could edit anything Frank did. It all makes sense now. I just won't give Admin rights to the users on the Wiki to make it all easier. Thanks again everyone!

  • Gregory Homyak Level 1 (0 points)

    Just an update for everyone. It seems Apple did not fix the People permissions in 10.7.3 Server. Boo! Oh well, just be sure to back up the people_controller.rb file before you update to 10.7.3. The edited file still works in 10.7.3, just turn off Wiki Server, move the file back in, and turn on Wiki Server. Maybe in 10.7.4???

  • ITmonkey Level 1 (0 points)

    Gregory, sorry to say 10.7.4 has not fixed the problem.


    I had installed the latest update to 10.7.4 prior to seeing this thread to fix the problem of publicly viewable people pages. So sad to say Apple still haven't seen the importance of securing our personal information in their wikis.


    I have now run the fix suggested by attymullins and can confirm the fix is still valid and works for 10.7.4 (11E53).


    Do we have to wait for Mountain Lion for this feature to be a default?

  • chrisksm Level 1 (0 points)

    Still seems to be a problem with Mountain Lion!


    Does the fix suggested by attymullins still work with Mountain Lion?
