[BUG] Unexpectedly able to read and write node-server wiki with no username/passwd #6374

Closed
jaguart opened this issue Dec 29, 2021 · 3 comments


jaguart commented Dec 29, 2021

Describe the bug

Unexpectedly able to read and write on a node-server wiki without a username, when reader, writer and user args were specified.

I started my wiki (internal private network) with the following command line:

sudo tiddlywiki /var/www/tw-jeff --listen host=0.0.0.0 port=9001 reader=jeff writer=jeff user=jeff password=apasswd use-browser-cache=yes &

I noticed that newly created Tiddlers no longer have creator or modifier details.

I checked and found:

$:/status/UserName - blank
$:/status/IsReadOnly - no
$:/status/IsAnonymous - yes
$:/status/IsLoggedIn - yes

The server has been running for about three days. I was asked to login on the first day. Pages created on the first day do show the correct creator and modifier. The server no longer asks for username/password, even after browser cache clearance and server restart.

To Reproduce

Wiki now seems stuck in the state of allowing anonymous read/write access, ignoring the --listen args. I have restarted, cleared browser cache etc.

Expected behavior

I expect the wiki to refuse anonymous read / write access with a 401 (Unauthorized) when started with the reader, writer and user --listen arguments. I would also expect any previous user sessions to be terminated, and for login to be required after a server restart.

Screenshots

None

TiddlyWiki Configuration:

  • Version: 5.2.1
  • Saving mechanism: Node.js
  • Plugins installed: Highlight, TiddlyWeb, Filesystem, Core
  • Server OS: Linux 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux
  • Node / NPM: Node v16.13.1, NPM 8.1.2

Desktop:

  • OS: Microsoft Windows 11 Pro 10.0.22000 Build 22000
  • Browser: Chrome Version 96.0.4664.110 (Official Build) (64-bit)
  • Version [e.g. 22]

Additional context

I have tried the following:

  1. restarted the server
  2. restarted the server without the use-browser-cache=yes option
  3. cleared the browser cache
  4. combinations of the above

jaguart commented Dec 29, 2021

Doh - I think I must have misread the listen args - it appears it should be username readers and writers rather than user reader and writer... maybe I originally looked at old docs.

@jaguart jaguart closed this as completed Dec 29, 2021
@Jermolene
Member

Thanks @jaguart, it's a very reasonable mistake to make.

I wonder if we can reduce the risks of this happening by issuing a warning message for any unrecognised parameters to the --listen command.
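
One way to implement the warning suggested in the comment above, as an added example that is not part of this thread and not TiddlyWiki's own code. `KNOWN_PARAMS`, `ACCESS_PARAMS` and `checkListenArgs` are hypothetical names, and the allow-list is limited to parameter names that appear in this issue.

```javascript
// Hypothetical allow-list built only from names mentioned in this issue;
// it is not TiddlyWiki's complete list of --listen parameters.
const KNOWN_PARAMS = ["host", "port", "username", "password",
                      "readers", "writers", "use-browser-cache"];
// Names that restrict access, per the correction given in the thread.
const ACCESS_PARAMS = ["username", "readers", "writers"];

// Parse name=value arguments, keep the recognised ones and collect a
// warning for everything that would otherwise be silently ignored.
function checkListenArgs(args) {
  const params = {};
  const warnings = [];
  for (const arg of args) {
    const eq = arg.indexOf("=");
    const name = eq === -1 ? arg : arg.slice(0, eq);
    if (eq < 1) {
      warnings.push(`malformed parameter "${arg}" (expected name=value)`);
    } else if (KNOWN_PARAMS.includes(name)) {
      params[name] = arg.slice(eq + 1);
    } else {
      // Suggest a known name sharing a prefix, e.g. "reader" -> "readers".
      const hint = KNOWN_PARAMS.find(
        (k) => k.startsWith(name) || name.startsWith(k));
      warnings.push(`unrecognised parameter "${name}"` +
                    (hint ? `, did you mean "${hint}"?` : ""));
    }
  }
  // Flag the case from this issue: no access restriction took effect.
  const accessSet = ACCESS_PARAMS.filter((k) => k in params);
  if (accessSet.length === 0) {
    warnings.push("no username, readers or writers parameter took effect");
  }
  return { params, warnings, accessSet };
}

// Constructed input: the arguments from the command line in the issue.
const issueArgs = ("host=0.0.0.0 port=9001 reader=jeff writer=jeff " +
  "user=jeff password=apasswd use-browser-cache=yes").split(" ");
checkListenArgs(issueArgs).warnings
  .forEach((w) => console.warn("Warning: " + w));
```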

@Jermolene
Member

I made a ticket at #6375
