Creating a private wiki with MoinMoin

MoinMoin has Access Control Lists (ACLs) so I figured it would work for creating a private wiki on the internet.

Unfortunately this is against the MoinMoin philosophy so it took a little work.

MoinMoin pages can be protected by adding a processing instruction to the top of the page:


#acl Known:read,write

This would work but is not what I was looking for since I want all pages to be protected. I don’t want the users to have to remember to add the acl to every page.

In the Security section of wikiconfig.py I changed the default acl rights so a user must be logged in to read or write wiki pages.


# the user must be logged in to view or write pages
acl_rights_default = u'Known:read,write'

This works great except that anyone can just create an account and view pages. So I also needed to disable user registration. MoinMoin uses the same form for user creation and editing users, so a file system hack worked the best.


$ cd /path/to/wiki/instance/data
$ chmod -w users

This allows users with existing accounts to edit them, but if someone attempts to create a user account, they get a nice IOError since MoinMoin can’t create the file. Effective but ugly.

Last, I hacked userform.py to catch this error and display a message.

When user registration was disabled the IOError was on line 155 of userform.py. theuser.save() became:


try:
  theuser.save()
except IOError:
  return _("User registration is disabled")

This solution seems to work fine. Adding users is a bit of a pain, but it doesn’t happen often. Since users can’t register, I need to create the new accounts. I enable user creation (chmod +w users), use the UI to create users and then disable user registration again (chmod -w users).

Posted in moinmoin, python, wiki
16 comments on “Creating a private wiki with MoinMoin”
  1. Andre Ruiz says:

    You rock man!!! I have been in search of a good solution for a private wiki for some weeks now. Having tested more than 6 apparently good solutions, I stuck with MoinMoin. But quickly I realized the problems you addressed here. A little googling before putting hands on dirty work, and you have already done it. Thank you.

  2. Rabe Ralf says:

    Hi, if you use

    acl_rights_before = u'+Known:read,write All:'

    then unknown users can’t access any page, not even the UserPreferences page to create an account. You used acl_rights_default, which is only applied to pages that don’t have an ACL set of their own. But the UserPreferences page has one. See HelpOnAccessControlLists. At least, this is true for version 1.5+.
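The difference this comment describes can be checked with a small model of the ACL evaluation order. This is an added example, not MoinMoin's own code and not part of the post or its comments; it assumes entry names without spaces, ignores the `Default` keyword, and the function names and the user `alice` are made up for illustration.

```python
# Simplified model of MoinMoin ACL evaluation; added example, not MoinMoin source.
# Assumptions: names contain no spaces; the "Default" keyword is not handled.

def parse_acl(acl):
    """Turn '[+-]Name[,Name]:right[,right] ...' into (modifier, names, rights)."""
    entries = []
    for token in acl.split():
        modifier = token[0] if token[0] in "+-" else ""
        names, _, rights = token.lstrip("+-").partition(":")
        entries.append((modifier, names.split(","),
                        [r for r in rights.split(",") if r]))
    return entries

def matches(name, user, groups):
    if name == "All":
        return True
    if name == "Known":
        return user is not None          # None models an anonymous visitor
    return name == user or name in groups

def may(user, right, page_acl=None, before="", default="", after="", groups=()):
    """Check before + (page ACL, else default) + after, left to right."""
    middle = default if page_acl is None else page_acl
    for modifier, names, rights in parse_acl(" ".join([before, middle, after])):
        if not any(matches(n, user, groups) for n in names):
            continue
        if modifier == "":
            return right in rights       # plain entry: first match decides
        if right in rights:
            return modifier == "+"       # +/- entry decides only listed rights
    return False                         # nothing matched: deny

# ACL that a later comment quotes as the UserPreferences page ACL before editing.
USERPREFS_ACL = "MoinPagesEditorGroup:read,write,delete,revert All:read"

def demo():
    post = dict(default="Known:read,write")           # setting from the post
    strict = dict(before="+Known:read,write All:")    # setting from this comment
    return {                                          # "alice" is a constructed user
        "anon reads ordinary page (post)": may(None, "read", None, **post),
        "anon reads UserPreferences (post)": may(None, "read", USERPREFS_ACL, **post),
        "anon reads UserPreferences (strict)": may(None, "read", USERPREFS_ACL, **strict),
        "alice writes ordinary page (strict)": may("alice", "write", None, **strict),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {allowed}")
```

In this model the trailing `All:` in `acl_rights_before` ends evaluation for every right that `+Known` does not list, so a page-level `#acl` can no longer grant anything beyond read and write.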

  3. donc says:

    Rabe: For my wiki I don’t want unknown users to access any page including the UserPreferences page. Setting acl_rights_before is a good way for me to enforce this policy.

  4. Joseph Armbruster says:

    I did not want users to be able to access User Preferences to register… So, for UserPreferences, I set:

    #acl MoinPagesEditorGroup:read,write,delete,revert

    Any thoughts?

  5. Hey, thanks a bunch! Just the information I was looking for :-)

  6. Marcus Goldfish says:

    I modified this like Joseph did:

    (1) in wikiconfig (farmconfig.py for me, as I run multiple wikis):

    acl_rights_before = u"MyName:read,write,delete,revert,admin"
    acl_rights_default = u"+Known:read,write All:"

    (2) in UserPreferences

    #acl MoinPagesEditorGroup:read,write,delete,revert

    This seems to work fine.

  7. Rafael Santos says:

    As superuser I’ve edited the UserPreferences page and changed the ACL from
    #acl MoinPagesEditorGroup:read,write,delete,revert All:read
    to
    #acl MoinPagesEditorGroup:read,write,delete,revert Known:read

    And it worked as expected.

    So far it is working, please try that.

  8. Ted says:

    I put the following right after “newuser” is determined, within userform.py so that only a particular IP-address is allowed to create new users.

    if newuser and self.request.remote_addr != "1.1.1.23":
        return _("You have encountered a security flaw, user cannot be created. (%s)" % self.request.remote_addr)

    Then, in wikiconfig.py I assign

    acl_rights_default = u"Known:read,write All:read"

    This makes a wiki that can be updated by those who log in and have Ids (which can only be created in a controlled way), yet everyone can read the wiki.

  9. Eduardo Pinetti says:

    Is it possible to disable the search engine form for users who are not logged in?

    My idea is to have a private wiki limited to only a login form as the FrontPage, without any buttons.

    Any ideas? Thanks


  12. Thanks! Very useful information! But now the line “theuser.save()” is in the file “MoinMoin/action/newuser.py”. Thanks!

  13. Dale Amon says:

    Is there a better wiki to use? It just does not make sense to me that one should have to jump through hoops like this to have the most basic elements of security for collaboration on proprietary data.

  14. Dale Amon says:

    Never mind. XWiki Enterprise looks pretty good. May also check out TWiki.
