This is an automated email from the ASF dual-hosted git repository.
snoopdave pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git
The following commit(s) were added to refs/heads/master by this push:
new 6f2df9174 Revert "Safer defaults for trust-users and file uploads,
plus install guide changes."
6f2df9174 is described below
commit 6f2df9174a740eac21d1a1e307b1349b1eb734ed
Author: David M. Johnson <[email protected]>
AuthorDate: Sun Sep 8 16:21:00 2024 -0400
Revert "Safer defaults for trust-users and file uploads, plus install guide
changes."
This reverts commit 308bcf868c0a5bce9e1683c807ea43f10c3dc30e.
---
.../roller/weblogger/config/roller.properties | 3 --
.../roller/weblogger/config/runtimeConfigDefs.xml | 4 +-
docs/roller-install-guide.adoc | 51 ++++++++++------------
3 files changed, 25 insertions(+), 33 deletions(-)
diff --git
a/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
b/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
index 119bd9a78..2d439eaa8 100644
---
a/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
+++
b/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
@@ -342,9 +342,6 @@ authentication.method=db
# Enables HTTPS for login page only
securelogin.enabled=false
-# With this settings, all users will have HTML posts sanitized.
-weblogAdminsUntrusted=true
-
# Empty value used for passphrase in roller_user table when LDAP or CMA used;
# openid presently generates a random (long) password string instead.
users.passwords.externalAuthValue=<externalAuth>
diff --git
a/app/src/main/resources/org/apache/roller/weblogger/config/runtimeConfigDefs.xml
b/app/src/main/resources/org/apache/roller/weblogger/config/runtimeConfigDefs.xml
index 007117033..f67b65c04 100644
---
a/app/src/main/resources/org/apache/roller/weblogger/config/runtimeConfigDefs.xml
+++
b/app/src/main/resources/org/apache/roller/weblogger/config/runtimeConfigDefs.xml
@@ -199,7 +199,7 @@
<property-def name="uploads.enabled"
key="configForm.enableFileUploads">
<type>boolean</type>
- <default-value>false</default-value>
+ <default-value>true</default-value>
</property-def>
<property-def name="uploads.types.allowed"
key="configForm.allowedExtensions">
<type>string</type>
@@ -230,7 +230,7 @@
</property-def>
<property-def name="themes.customtheme.allowed"
key="configForm.allowCustomTheme">
<type>boolean</type>
- <default-value>false</default-value>
+ <default-value>true</default-value>
</property-def>
</display-group>
diff --git a/docs/roller-install-guide.adoc b/docs/roller-install-guide.adoc
index c89c04c2b..5b9381ec5 100644
--- a/docs/roller-install-guide.adoc
+++ b/docs/roller-install-guide.adoc
@@ -42,34 +42,29 @@ some recommendations for keeping your Roller installation
secure:
* *Perform Roller installation on a secure network*. When you are
installing Roller it is possible for other users to interfere with your
installation. If other users have access to the server, one of them
-could attempt to access the Roller database or files while you are
-installing Roller. To prevent this, install Roller on a secure network
-or at a time when other users are not using the server.
-
-* *Do not allow new user registrations*. By default, Roller allows new
-users to register themselves. This is convenient, but it also means that
-anyone can create an account on your Roller site. If you do not want
-this, go to the Server Administration page and disable the *Allow New
-Users* option.
-
-* *Sanitize all HTML*. By default, Roller sanitizes all HTML published by the
system to ensure that user posts are safe and free from malicious content. This
is controlled by the _weblogAdminsUntrusted=true_ property in your
_roller-custom.properties_ file.
-
-* *Do not allow custom themes*. By default, Roller does not allow users to
-create custom themes. You can enable this via the Server Admin page, but
-don't do it unless you trust your users because it can allow users to
-create custom themes that can be used to compromise your site.
-
-* *Do not allow File Uploads*. By default, Roller does not allow users to
upload
-files for display on their blogs. If you trust your users, then you can enable
-file uploads via the Server Admin page.
-
-* *Do not allow HTML in comments*. By default, Roller does not allow users to
write
-comments in HTML due to security concerns. This setting helps prevent potential
-security issues related to HTML content in comments.
-
-By following these recommendations, you can help ensure that your Roller
-installation remains secure and protected from common web vulnerabilities.
-
+could create the admin account before you do. So, when you install
+Roller, do so on a server that cannot be accessed by others.
+* *Do not allow open registration of new users*. Roller can offer a
+registration link so that new users can register themselves, but this
+feature is turned off because it is not safe to allow just anybody to
+register for an account on your blog server. If you want to turn it on,
+login as an administrative user, go to Roller’s Server Administration
+page and enable the *Allow New Users* option.
+* *Enable HTML Sanitization*. If you cannot trust the webloggers who
+will use your Roller site to author HTML, then you should configure
+Roller to sanitize all HTML published by the system. Do this by setting
+the _weblogAdminsUntrusted=true_ property in your
+_roller-custom.properties_ file.
+* *Do not allow File Uploads*. By default Roller allows users to upload
+files for display on their blogs. If don't trust your users, this is unsafe
+and you should disable File Uploads via the Server Administration page.
+* *Do not allow HTML in comments*. Roller can allow users to write
+comments in a safe-subset of HTML, but HTML use in comments is not
+allowed at all because of security concerns with even a so called
+safe-subset of HTML. If you want to turn it on, login as an
+administrative user, go to Roller’s Server Administration page, enable
+the *Allow html in comments* option and make sure the *HTML Subset
+Restriction* box is checked.
* *Run Roller over SSL connection*. If you run Roller over a plain old
HTTP connection, it is possible for others to snoop your password when
you login, for example over an open WIFI network. To configure Roller to
