Wiki source for ThoughtsOnSecurity



=====Security in Wikka=====

<<Moved from SecurityInfo<<

~& TryMe, I want other users to take a look at this page before I modify it, but it contains **several errors** that we'll have to remove (considering this page is linked from the official documentation page). -- DarTar

Security in Wikka is on a page by page basis. The concept of a Wiki is that content can be posted easily and freely by anyone, so security is not at the core of Wikka.

~& Saying that //security is not at the core of Wikka// because the concept of a wiki is that anyone can post content is blatantly false.
~&//First//, ACL privileges can be modified and restricted at will by wiki admins not only on a per-page basis, but also in the system-wide configuration. Many companies use Wikka to power their intranet, restricting access to members only.
~&//Second//, the fact that you can give write access to any user on a Wikka installation has nothing to do with security issues of the wiki engine. If the wiki is open to write-access, then everyone will be able to post content in Wiki pages, nothing more and nothing less. -- DarTar

To learn more about controlling access to individual pages see ACLInfo.

There are two main considerations under Security:
~-User Registration (below)
~-File Upload Security (further down)

=====User Registration=====

Restricting user registration can help by ensuring that not just anyone can register and then upload anything to your server.

~& By default, only wiki-admins can upload files to the server, registered users cannot. But here you probably mean "have write access" -- DarTar

For more information see the (again, uncategorised) links below:
~-RegisterInfo
~-RegisterAction
~-UserRegistration
~-AutomaticUserPageCreation (related but not hugely!)
~-UserSettingsAndPasswords (again, related but not hugely!)

=====File Upload Security=====

A key security risk in Wikka is the file upload facility, if your Wiki can be accessed on the web.

~& A //key security risk//?? This is pure disinformation. If you know of any security issue, please post it in WikkaBugs. If you don't know any, please avoid spreading false information! -- DarTar

In this situation, there are a few options open to you:
~-Files only uploaded by admins (default)
~-Control access to the whole board by using .htaccess / .htpasswd
~-Use some of the hacks / plugins available
~-Control User Registration

====Files only uploaded by admins (default)====

As standard, files can only be uploaded by site admins. How you change a user to an admin I don't know (sorry) but you should be able to find out somewhere. If you do, please post it here!

~& Admin users are set in the [[Docs:ConfigurationOptions | Wikka Configuration file]] -- DarTar

====Control access to the whole board by using .htaccess / .htpasswd====

If you're doing this, be sure to copy the settings from the existing .htaccess file that is installed as standard with Wikka or you might find that the whole thing stops working (as I did, DOH!).
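
The point above (keep the settings already in the shipped .htaccess) as an added example; it is not part of the original page or of Wikka itself. The script appends an HTTP Basic auth block to an existing .htaccess instead of replacing the file. The marker comments, the realm name and the paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example: put HTTP Basic auth in front of the whole wiki by APPENDING
# to the existing .htaccess, so the directives already in it are kept.
# Marker text, realm name and paths are assumptions for this example.

MARK_BEGIN='# BEGIN site-wide basic auth (added)'
MARK_END='# END site-wide basic auth (added)'

# add_basic_auth HTACCESS HTPASSWD
#   HTACCESS  existing .htaccess in the wiki root
#   HTPASSWD  absolute path to the password file, kept outside the web root
add_basic_auth() {
    htaccess=$1
    htpasswd=$2

    [ -f "$htaccess" ] || { echo "no such file: $htaccess" >&2; return 1; }

    # Apache resolves a relative AuthUserFile against ServerRoot, which is
    # easy to get wrong, so this example insists on an absolute path.
    case $htpasswd in
        /*) ;;
        *) echo "password file path must be absolute" >&2; return 1 ;;
    esac

    # Idempotent: if the block is already present, change nothing.
    if grep -qF "$MARK_BEGIN" "$htaccess"; then
        return 0
    fi

    # Keep a copy of the file as it was, so it can be restored.
    cp -p "$htaccess" "$htaccess.orig" || return 1

    # Append only; the leading blank line also terminates a last line
    # that had no trailing newline.
    cat >>"$htaccess" <<EOF

$MARK_BEGIN
AuthType Basic
AuthName "Restricted wiki"
AuthUserFile "$htpasswd"
Require valid-user
$MARK_END
EOF
}
```

The password file itself is created separately with Apache's ##htpasswd## tool; the directory must allow these directives through ##AllowOverride AuthConfig## (or ##All##).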

====Use some of the hacks / plugins available====

Please note, I haven't had a chance to search through these, so they're just all linked on here:
~-FilesAction
~-MimeTypesFile
~-FileManagerHack
~-FilesManagementSolution
~-FilesHandler
~-FilesHandlerInfo - documentation for the above
~-Mod015fFilesAction

====Control User Registration====

See the section above.