Disable User Account Creation

Generally wiki's appear as public places where many people can collaborate. However, disabling user creation can be helpful.

Disabling user account creation is helpful when:

Create an option to disable new user creation. Possibly allow only the admin the rights to create users.

This feature would be useful to users who want to run a personal wiki. Moinmoin is a great wiki and many (like me) would like to choose it for a personal wiki, however this feature is missing.

It should be noted that currently there's a very easy way to accomplish that, but it's not optimal and a better solution (integrated in the interface or in the wikiconfig.py file) should be made.

Solution for 1.9

Disable the 'newaccount' action by adding it to 'actions_excluded' in your wiki's config:

    # stop new accounts being created
    import MoinMoin.config.multiconfig # if not already included in your config file
    actions_excluded = MoinMoin.config.multiconfig.DefaultConfig.actions_excluded + ['newaccount']

You will get the message "unknown action newaccount" when trying to make a new account.

Solution for 1.9 to only allow superusers to create new accounts

  1. Create a new authentication class MyAuth (myauth.py) derived from MoinAuth where there is no link in the login form to the newaccount action (line 12 from MoinAuth is commented out).

       1 from MoinMoin import log
       2 logging = log.getLogger(__name__)
       3 
       4 from MoinMoin.auth import BaseAuth, GivenAuth, MoinAuth
       5 from MoinMoin import user, wikiutil
       6 
       7 class MyAuth(MoinAuth):
       8     """ handle login from moin login form """
       9 
      10     def login_hint(self, request):
      11         _ = request.getText
      12         #userprefslink = request.page.url(request, querystr={'action': 'newaccount'})
      13         sendmypasswordlink = request.page.url(request, querystr={'action': 'recoverpass'})
      14         return _('<a href="%(sendmypasswordlink)s">Password vergessen?</a>') % {
      15                'sendmypasswordlink': sendmypasswordlink}
    
  2. use the new Class in your wikiconfig
       from MoinMoin.auth.myauth import MyAuth
       auth = [MyAuth()]
  3. Overwrite the newaccount action with your own and copy newaccount.py in your  plugin_dirs  and allow only superusers to execute the action.
    Changes in the newaccount (newaccount.py) action beginning from line 166:

       1     if not request.user.isSuperUser():
       2         request.theme.add_msg(_('You are not allowed to use this action.'), "error")
       3         return page.send_page()
    

    or alternatively, if e.g only users from AdminGroup are allowed to add users:

       1     groups = request.groups
       2     account_groups = set(groups.groups_with_member(request.user.name))
       3     if not "AdminGroup" in account_groups:
       4         request.theme.add_msg(_('You are not allowed to use this action.'), "error")
       5         return page.send_page()
    
  4. Create a wiki page with the new newaccount action and try out with some accounts (superuser and "normal" user).
     <<Action(newaccount)>>

Solution for 1.7 and 1.8

Disable the 'newaccount' action by adding it to 'actions_excluded' in your wiki's config:

    # stop new accounts being created
    actions_excluded = DefaultConfig.actions_excluded + ['newaccount']

Workaround to only allow trusted people to add new users

Configure your wiki as above. The idea is to set up another restricted instance of the wiki using the same user_dir which doesn't exclude 'newaccount'.

Lazy Config

newaccount-mywiki.py

from mywikiconfigfilename import Config as MainConfig
class Config(MainConfig)
    actions_excluded = ['recoverpass']
    #Overwrites ['newaccount']. Stops password requests which would include url of newaccount-wiki.
    #data_dir and user_dir inherited

(It might be sensible to exclude all actions that can change non-user data.) You then need to update wikis in farmconfig.py or similar and configure your webserver - If you're using Apache you probably need a ScriptAlias/ReWriteRule and mod_auth_digest, Allow or similar to secure it. -- Ro 2009-02-03 01:53:07

Solution for 1.6

  1. Create your first and only user
  2. Edit your wiki's userform.py ex: /usr/local/share/lib/python2.5/site-packages/MoinMoin

Change this:

     if newuser:
                if not password:
                     return _("Please specify a password!", formatted=False)
                pw_checker = self.request.cfg.password_checker
                if pw_checker:
                     pw_error = pw_checker(theuser.name, password)
                   if pw_error:
                      return _("Password not acceptable: %s", formatted=False) % pw_error

to this:

    if newuser:
                return _("New User Account Creation Disabled.", formatted=False)
                # if not password:
                #     return _("Please specify a password!", formatted=False)
                # pw_checker = self.request.cfg.password_checker
                # if pw_checker:
                #     pw_error = pw_checker(theuser.name, password)
                #    if pw_error:
                #       return _("Password not acceptable: %s", formatted=False) % pw_error
  1. Optional: comment out the create button in MoinMoin/userform.py.

note: it's quick and not so dirty, however, it would be much nicer if we could set a simple option in our wiki instance's wikiconfig.py, and put an IF above instead of simply breaking the program flow with a RETURN.

shared wiki note: because this change is happening in the system wide MoinMoin files, this will essentially disable newuser on ALL sites using that file.

Solution for 1.5

  1. Create your first and only user
  2. Edit your wiki's userform.py ex: /usr/local/share/lib/python2.5/site-packages/MoinMoin

Change this:

        if (form.has_key('create') or
            form.has_key('create_only') or
            form.has_key('create_and_mail')):
            if self.request.request_method != 'POST':
                return _("Use UserPreferences to change your settings or create an account.")

to this:

        if (form.has_key('create') or
            form.has_key('create_only') or
            form.has_key('create_and_mail')):

            return _("User registration is disabled.")

            if self.request.request_method != 'POST':
                return _("Use UserPreferences to change your settings or create an account.")

In other words add the line: return _("User registration is disabled.") after the if statement.

I have only tested this with 1.5.9 but I'm hoping all previous 1.5 versions contain similar code.

The clean solution

  1. Create your first and only user
  2. Add an action named userform.py in your wiki plugin/action/ directory

       1 from MoinMoin.Page import Page
       2 from MoinMoin import wikiaction
       3 
       4 def execute(pagename, request):
       5     if 'create' in request.form:
       6         return Page(request, pagename).send_page(request, msg="Creating user accounts disabled.")
       7 
       8     wikiaction.do_userform(pagename, request)
    
  3. Optional: comment out the create button in MoinMoin/userform.py.

<!> Tested with 1.5.2

For 1.6.0 try this version:

   1 from MoinMoin.Page import Page
   2 from MoinMoin import action
   3 
   4 def execute(pagename, request):
   5     if 'create' in request.form:
   6         return Page(request, pagename).send_page(msg="Creating user accounts disabled.")
   7 
   8     action.do_userform(pagename, request)

The quick & dirty solution

That will prevent new users being created, but will also throw an exception error if you try to create one. That exception can be handled easily in the code. Just edit the file .../lib/python2.x/site-packages/MoinMoin/userform.py and change the line:

# save data
theuser.save()

to look like:

# save data
try:
        theuser.save()
except IOError:
        return _("User registration is disabled")

and a nice message will be shown in the page stating that user creation is disabled. But it will only show the message after the user have filled the form of user creation and tried to submit it (which is not optimal, as said).

If you need to create a new user, or need to let a new user registrate himself in, just chmod +w the user dir, and after chmod -w it again.

this does prevent users to change theire settings too.

Another solution

I'm not an expert on Moin and not a good programmer at all - so there are certainly better, cleaner solutions for that.

/!\ Solution is to use acls, wikiconfig has no option for this at the moment and I am not sure if it could be done easily from there. It should be easy for fcgi server too.

In wikiconfig.py I granted myself all rights, visitors are only allowed to read

acl_rights_before = u"OliverSiemoneit:read,write,delete,revert,admin"
acl_rights_default = u"All:read"

Then I openend in underlay/pages/userpreferences/revisions the file 000001 with some texteditor and changed the acls there

#acl MoinPagesEditorGroup:read,write,delete,revert OliverSiemoneit:read All:

/!\ you do have set the admin acl right so you can do this from the browser window too. Of course in a new revision but then you are able to change it again. May be you should add at least that macro SendAccountMail.py from FeatureRequests/LoginHintToSendPasswordonlyWithoutUserCreation to a page and add it to the navi_bar otherwise it could be fanny to tell a user his password. This page has to get the acl rights read for All.

/!\ Instead of acl_rights_default = u"All:read" you should set up a UserGroup in the wiki and do add there all users who should be able to read and then set acl_rights_default = u"UserGroup:read" So you can add in the wiki the users or remove some. Of course you could have much more groups and you could add a whole group to UserGroup. May be the parser SortText from ParserMarket/SortText could be usefull if it becomes a large list.

/!\ users could be created then from the moin command. May be this patch is interesting too FeatureRequests/MoinSendMailAndCreateShouldCreateAlwaysAPassword

/!\ Check FixLeaks (may be some 3rd party plugins need changes too)

/!\ some more hints on ReimarBauer/ModeratedWikiRules too

That worked for me - but I haven't spent a lot of thoughts on the pros and cons of this "ugly" solution. Some problems might be: If you've installed different language packets you have to make sure to change the acls on the according "userpreferences pages" either to have no backdoors for account creation. Also creation of new user accounts is a problem. Or to make it more clear: it's not possible anymore. As OliverSiemoneit I can read the UserPreferences page, but entering a new username and pwd changes the existing account and does not create a new one (Question: does this behaviour make sense, i.e. renaming the existing account rather than creating a new one?). -- OliverSiemoneit 2006-11-11 19:02:06

Another simple workaround (tested in release 1.5.6)

Although it appears (thanks to OliverSiemoneit's excellent work and patches on this topic submitted to FeatureRequests) that in an upcoming MoinMoin release soon the situation in this regard will be much improved, I thought it was still worth it in the meantime to post the simple method I'm currently using. This is only meaningful if anonymous users can't write pages, but I expect that's the case anyway if you're trying to disable user creation.

Simply comment out the indicated line in userform.py (this snippet is from MoinMoin-1.5.6:

        else: # not logged in
            # Login / register interface
            buttons = [
                # IMPORTANT: login should be first to be the default
                # button when a user hits ENTER.
                #('login', _('Login')),  # we now have a Login macro
                ('create', _('Create Profile')),  ###### COMMENT OUT THIS ONE
                ('cancel', _('Cancel')),
            ]

and then on some page (whose access you control), add a [[UserPreferences(createonly)]] macro. Now as far as I can see only users who have the ability to read the page you've made, or write any page (to add such a macro) can create users. -- GlenWhitney 2007-1-12

Patch for FeatureRequests/MakeInvitations which allows a wikiadmin to invite users to participate in a wiki, i.e. to create an account and sent them their login and password and a link for login. This feature is especially helpful if you have user creation disabled in non-public wikis or in wikis you want to controll who participates..

Discussion

May be it is a good idea to collect a bit more here and afterwards we could create from that a nice Howto page ReimarBauer/Photo/img.png -- ReimarBauer 2006-11-11 20:01:04


CategoryFeatureImplemented

MoinMoin: FeatureRequests/DisableUserCreation (last edited 2014-09-20 14:20:22 by RogerHaase)