Edgewall Software

Ticket #4051 (closed enhancement: fixed)

Opened 2 years ago

Last modified 21 months ago

Provide a more secure (from spammers mostly) default trac setup

Reported by: Jorge <jorge.vargas@…> Owned by: jonas
Priority: normal Milestone: 0.10.5
Component: general Version: 0.10
Severity: major Keywords: permission
Cc: jorge.vargas@…

Description

Hello

As far as the initial setup is concerned, a new trac install gives full write access to anyone. This is a good setup if we live in a good world, but in a world where spammers ruin open source it's a big problem.

I know that trac admins should set this right, but the sad truth is that not everyone does it, and we end up with sad things like http://deliciouspython.python-hosting.com/report/1 and http://deliciouspython.python-hosting.com/timeline

So how about some safer default features?

As a more advanced setup, here is what we want to use at the Turbogears trac. Please note we are not using the wiki component; for that I suggest create/delete for level 3 and modify for level 2.

1- anon
2- user
3- developer
4- administrator
5- root

Each group will inherit the permissions of the one above.

Permissions from http://trac.edgewall.org/wiki/TracPermissions:

1- *_VIEW, except REPORT_SQL_VIEW and probably CONFIG_VIEW
2- TICKET_CREATE, TICKET_APPEND
3-
  - REPORT_SQL_VIEW
  - REPORT_CREATE, REPORT_MODIFY (this may be useful when you're working on a feature, but should be abused.)
  - WIKI_MODIFY (so he/she can delete the page, and put a sign pointing to docs.turbogears.org)
4-
  - TICKET_ADMIN
  - REPORT_ADMIN
5-
  - MILESTONE_ADMIN
  - WIKI_ADMIN
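The tiered scheme proposed above, written out as a script that emits and applies the corresponding trac-admin grants. This is an added example, not code from the ticket or from Trac itself. It assumes that Trac's built-in subjects `anonymous` and `authenticated` stand in for the "anon" and "user" levels, that `developer`, `administrator` and `root` are ordinary Trac permission groups named as in the ticket, and that the `trac-admin ENV permission add <subject> <action...>` syntax from TracPermissions is used; the hypothetical function names `tracperm_*` are the example's own.

```shell
#!/bin/sh
# Added example, not Trac's own code: the five-level permission scheme from the
# ticket description expressed as trac-admin grants. Assumptions: Trac's
# built-in subjects 'anonymous' and 'authenticated' stand in for the ticket's
# "anon" and "user" levels; developer/administrator/root are ordinary Trac
# groups named as in the ticket. Each higher group is granted the group below
# it, so it inherits that group's actions (nested groups, as TracPermissions
# describes). Authenticated users already receive anonymous's actions, so
# level 2 only lists its own two additions.

# One grant per line: "<subject> <action or group> ...".
# Level 1 lists the *_VIEW actions of a 0.10 install minus REPORT_SQL_VIEW and
# CONFIG_VIEW; compare against `trac-admin ENV permission list` on your version.
tracperm_grants() {
    cat <<'EOF'
anonymous BROWSER_VIEW CHANGESET_VIEW FILE_VIEW LOG_VIEW MILESTONE_VIEW REPORT_VIEW ROADMAP_VIEW SEARCH_VIEW TICKET_VIEW TIMELINE_VIEW WIKI_VIEW
authenticated TICKET_CREATE TICKET_APPEND
developer authenticated REPORT_SQL_VIEW REPORT_CREATE REPORT_MODIFY WIKI_MODIFY
administrator developer TICKET_ADMIN REPORT_ADMIN
root administrator MILESTONE_ADMIN WIKI_ADMIN
EOF
}

# Print the trac-admin commands without running them, for review.
tracperm_plan() {
    env="$1"
    tracperm_grants | while read -r subject actions; do
        printf 'trac-admin %s permission add %s %s\n' "$env" "$subject" "$actions"
    done
}

# Guard: the anonymous line must contain only *_VIEW actions and neither of the
# two excluded views. Exit status 0 when the plan is safe, 1 otherwise.
tracperm_anonymous_ok() {
    tracperm_grants | awk '
        $1 == "anonymous" {
            for (i = 2; i <= NF; i++)
                if ($i !~ /_VIEW$/ || $i == "REPORT_SQL_VIEW" || $i == "CONFIG_VIEW")
                    bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Apply the grants to a Trac environment directory (needs trac-admin on PATH).
tracperm_apply() {
    env="$1"
    tracperm_anonymous_ok || { echo "refusing: anonymous would get write access" >&2; return 1; }
    tracperm_grants | while read -r subject actions; do
        # $actions is deliberately unquoted: each word is a separate action.
        trac-admin "$env" permission add "$subject" $actions
    done
}

case "${1-}" in
    plan)  tracperm_plan "$2" ;;
    apply) tracperm_apply "$2" ;;
esac
```

Run `sh tracperm.sh plan /path/to/env` to review the commands, then `sh tracperm.sh apply /path/to/env`. The script only adds grants; on an environment created with the old defaults, first list what `anonymous` already holds with `trac-admin /path/to/env permission list anonymous` and drop the write actions with `permission remove anonymous ACTION`, otherwise the read-only intent of level 1 is not achieved.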

Attachments

Change History

  Changed 2 years ago by Noah Kantrowitz (coderanger) <coderanger@…>

Have you tried the SpamFilter plugin?

  Changed 2 years ago by cboos

  • type changed from task to enhancement
  • severity changed from normal to major
  • milestone set to 0.10.1

Well, I just had a look at http://deliciouspython.python-hosting.com, and it really seems that you should take down the site, clean it up, and only restart it with 0.10 and the SpamFilter...

If you can't do that yourself, then you should bug your provider to do that urgently.

As for the default install suggestion, yes, we should probably make the default access rights to be read-only. Too many forgotten "test" or seldom used Trac installations on the Web turned into SPAM reservoirs. We certainly don't want to spread that further in the future.

  Changed 2 years ago by jorge.vargas@…

The solution cboos suggests seems ok; read-only will let everyone notice the powers of trac and yet keep spam off it.

I'm sorry if I gave a bad impression; deliciouspython is not mine, it was just some project I googled some time ago, and when I finally got to the real code it turned out all the comments were in German :) I put it here just as an example.

About the SpamFilter, I'll take a look at it for my sites. Thanks.

follow-up: ↓ 6   Changed 2 years ago by simon

Would be good to load default permissions from a file so that people who setup lots of tracs for different projects can start with their own set of default permissions each time.

  Changed 2 years ago by cboos

Supersedes #3866, there's no need to put the default wiki page in read-only mode if by default anonymous can't write.

in reply to: ↑ 4   Changed 2 years ago by Noah Kantrowitz (coderanger) <coderanger@…>

Replying to simon:

Would be good to load default permissions from a file so that people who setup lots of tracs for different projects can start with their own set of default permissions each time.

This is on the docket for TracForge as part of the project creation system.

  Changed 21 months ago by cboos

  • keywords permission added
  • milestone changed from 0.10.5 to 0.11

Implemented in r5243.

  Changed 21 months ago by cboos

  • status changed from new to closed
  • resolution set to fixed
  • milestone changed from 0.11 to 0.10.5

Ported to 0.10-stable in r5247.
