Item13315: Change terminology to "internal admin"
sudo is "geek" and the admin user is available as either
a sudo or a direct login, so "internal admin" is more correct.
gac410 committed Mar 21, 2015
1 parent 924e0de commit 0eee45c
Showing 9 changed files with 47 additions and 45 deletions.
12 changes: 6 additions & 6 deletions core/data/Main/AdminUser.txt
@@ -1,4 +1,4 @@
%META:TOPICINFO{author="ProjectContributor" date="1426891830" format="1.1" version="1"}%
%META:TOPICINFO{author="ProjectContributor" date="1426913092" format="1.1" version="1"}%
%META:TOPICPARENT{name="WikiUsers"}%
---+ Wiki Administrator User

@@ -14,11 +14,11 @@ If your system is configured using a !UserMapper that permits group maintenance,
* %ADMINLOGIN%
* Logout from Administrator:
* click the [[%LOGOUTURL%][Logout link]]"
else="%MAKETEXT{"There is no Admin superuser password set. See [[[_1]][Installation Guide section on the Super User]] for further help." args="%SYSTEMWEB%.InstallationGuide#SuperUser"}%"}%
else="%MAKETEXT{"There is no _internal admin_ password set. See [[[_1]][Installation Guide section on the internal admin]] for further help." args="%SYSTEMWEB%.InstallationGuide#InternalAdmin"}%"}%

*%X% NOTE:* If you lock yourself out of <nop>AdminUser during setup activities, never established a password, or have forgotten the password,
See %SYSTEMWEB%.InstallationGuide#SuperUser for information on configuring the
superuser.
See %SYSTEMWEB%.InstallationGuide#InternalAdmin for information on configuring the
_internal admin_ password..
%ENDSECTION{"sudo_login"}%

---+++ Prerequisites
@@ -28,8 +28,8 @@ superuser.

<blockquote class="foswikiAlert">
%X% Do not add =AdminUser= to your =.htpasswd= file or other authentication system. You should only access the =AdminUser= by logging in
with the special user and password set in the first save in the =bin/configure= script. Use the =sudo= feature, or log in directly with
Template Login. Logging in with the =AdminUser= !WikiName through the normal authentication process will not acquire admin rights.
with the special user and password set in the first save in the =bin/configure= script. Use the =sudo= login link on this page, or log in directly with
Template Login. Logging in with the =AdminUser= !WikiName through the normal authentication process will not work, and will not acquire admin rights.
</blockquote>

---
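Review bot: the added line `_internal admin_ password..` ends with a doubled period; drop one. In the same hunk the alert still says "Use the =sudo= login link on this page" even though this commit retires the sudo wording; if the link on the page is still labelled sudo that is acceptable, otherwise it should read "Use the _internal admin_ login link on this page" for consistency with the rest of the change. The strengthened alert ("will not work, and will not acquire admin rights") is a useful clarification to keep.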
4 changes: 2 additions & 2 deletions core/data/System/AdminToggle.txt
@@ -1,9 +1,9 @@
%META:TOPICINFO{author="ProjectContributor" comment="reprev" date="1426810437" format="1.1" reprev="2" version="1"}%
%META:TOPICINFO{author="ProjectContributor" comment="reprev" date="1426913092" format="1.1" reprev="2" version="1"}%
---+ Group Member Toggle

This topic implements a button that will turn Admin status on or off for the
current user (!%WIKINAME%), by adding or removing the user from the
!AdminGroup. This new function is recommended to replace =sudo= login when
!AdminGroup. This new function is recommended to replace _internal admin_ login when
possible. It provides better security and allows changes to be tracked to the
user making the change instead of the anonymous !AdminUser.

4 changes: 2 additions & 2 deletions core/data/System/CommandAndCGIScripts.txt
@@ -1,4 +1,4 @@
%META:TOPICINFO{author="ProjectContributor" date="1426278577" format="1.1" version="1"}%
%META:TOPICINFO{author="ProjectContributor" date="1426913092" format="1.1" version="1"}%
%META:TOPICPARENT{name="DeveloperDocumentationCategory"}%
%STARTINCLUDE%
---+ CGI and Command Line Scripts
@@ -168,7 +168,7 @@ Used for logging in with !TemplateLoginManager, and for interactive validation o
| =foswikiloginaction= | If 'validate', the login script is being used for interactive validation of an operation. Otherwise it is being used for login. | |
| =foswiki_origin= | URL that was being accessed when an access violation occurred. the login process will redirect to this URL if it is successful | |
| =remember= | If set, this will cause the user's login to be retained even after their browser is shut down. |
| =sudo= | promote login to internal wiki admin (admins only) | |
| =sudo= | promote login to _internal admin_ (admins only) | |
| =password= | password of user logging in | |
| =username= | username of user logging in (if set, login will attempt to authenticate) | |
| =usernamestep= | used to initialise the =username= input field in the login form (will not attempt to authenticate) | |
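Review bot: keeping the parameter name =sudo= and changing only its description is the right call, since the URL parameter itself is not being renamed. While touching this table, the unchanged =remember= row is missing the trailing empty cell (`| |`) that every other row has, so it renders with one fewer column.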
4 changes: 2 additions & 2 deletions core/data/System/IfStatements.txt
@@ -1,4 +1,4 @@
%META:TOPICINFO{author="ProjectContributor" date="1426278810" format="1.1" version="1"}%
%META:TOPICINFO{author="ProjectContributor" date="1426913092" format="1.1" version="1"}%
%META:TOPICPARENT{name="DeveloperDocumentationCategory"}%
---+!! IF statements

@@ -308,7 +308,7 @@ Context identifiers are used in Foswiki to label various stages of the rendering
| =search= | in search script (see CommandAndCGIScripts) |
| =static= | in a script that generates static content, such as PDF generation. Extensions should avoid rendering edit markup in this context. |
| =statistics= | in statistics script (see CommandAndCGIScripts) |
| =sudo_login= | if user is currently running with sudo admin authority |
| =sudo_login= | if user is currently running with _internal admin_ authority |
| =SUPPORTS_PARA_INDENT= | render supports the paragraph indent syntax |
| =SUPPORTS_PREF_SET_URLS= | Preferences can be set in the URL |
| =textareas_hijacked= | provided for use by editors that highjack textareas, and want to signal this fact. This is used by skins, for example, so they can suppress extra controls when textareas have been hijacked. |
36 changes: 19 additions & 17 deletions core/data/System/InstallationGuide.txt
@@ -1,4 +1,4 @@
%META:TOPICINFO{author="ProjectContributor" date="1426891830" format="1.1" version="1"}%
%META:TOPICINFO{author="ProjectContributor" date="1426913092" format="1.1" version="1"}%
%META:TOPICPARENT{name="AdminDocumentationCategory"}%
<noautolink>
---+ Installation Guide
@@ -133,17 +133,19 @@ Different script execution mechanisms are disabled in different ways; see your w

<div class="foswikiHelp">%T% If you do not want to or are unable to configure from the web interface, there is an alternate command line configuration documented in [[InstallationGuidePart2#ConfiguringFoswikiManually]]</div>

<div class="foswikiHelp"> *Start your configuration by browsing to the default view URL for your site.* This will Bootstrap your configuration and help Foswiki determine whether or not you are using Short URLs. It also logs you in as a the admin user. Don't close your browser until you've gone through the configuration process and registered your first user.</div>
---++++ 5a. Start your configuration by browsing to the default view URL for your site.
This will Bootstrap your configuration and help Foswiki determine whether or not you are using Short URLs. It also logs you in as a the admin user. *Don't close your browser until you've completed the configuration process and registered your first user.*
* *Follow the link to configure rendered in the Bootstrap banner.* (Do not manually enter the =bin/configure= URL or Foswiki will not correctly detect the URL configuration).
* Make any required changes, and save the settings, whether or not you needed to make any changes.
* Make any required changes, and save the settings.
* This will create the initial configuration and end the bootstrap process.
* Configuration items which may require further attention will be highlighted.
* Review [[#DefineAdminUser][Define the administrator user(s)]].
* *Save as soon as possible*, especially if your site is exposed. Anyone accessing foswiki before the configuration has been saved will be granted admin rights.

* If the Foswiki installation can be accessed by more than one !protocol://domain, ensure the additional alternative URLs are set in ={PermittedRedirectHostUrls}=.
<div class="foswikiHelp">%T% *Example:* if ={DefaultUrlHost}= is set to =https://wiki.company.com=, an example ={PermittedRedirectHostUrls}= might contain: <verbatim class="html">https://company.com, http://111.222.123.234</verbatim> </div>

* If your server requires a Proxy in order to access external resources like your mail server, this is configured on the "Security and Authentication" tab, "Proxies" sub-tab. Complete that before proceeding with the E-mail configuration.

---++++ 5b. Configure email (you can defer and come back to this later)
* Setup the =Mail= section. E-mail should be available so Foswiki can send registration e-mails. Easiest way is to use the "%T%auto-configure email" button on the "Basic settings and Auto-configure" sub-tab. Fill out the following parameters:
* The ={WebMasterEmail}= should be set to a valid e-mail address. This will be the From: ID used to send Foswiki Emails and will also appear on webmaster mailto: links. <div class="foswikiHelp">If you are running on a <nop>*nix server with a configured local mail transport agent, you can try pressing the "%T%auto-configure email" button now. If auto-configure succeeds, *proceed to Step 6*. If your server is a Windows server, if auto-configure failed, or you know a local transport agent is not available, continue with the SMTP e-mail configuration</div>
* The ={SMTP}{MAILHOST}= should be set to your e-mail server hostame: ex: =smtp.gmail.com=
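Review bot: the new 5a paragraph carries over the typo "logs you in as a the admin user" from the removed div; it should read "as the admin user". Also, the bullet "*Save as soon as possible* ... Anyone accessing foswiki before the configuration has been saved will be granted admin rights" is the most security-critical statement in this step but is listed last; consider moving it above "Review [[#DefineAdminUser]...]" so it is read before the reader follows that link away from the save step.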
@@ -157,18 +159,18 @@ Different script execution mechanisms are disabled in different ways; see your w

The configure tool should generally be restricted to a very small subset of users. There are several choices for how to protect configure:

* *Restrict configure to members of the !AdminGroup:*
* *Option 1* Restrict configure to members of the !AdminGroup:
* This is the default configuration. You don't need to set anything special from within configure.
* After you save your configuration, be sure to register a user and add them to the !AdminGroup before you log out from the initial super admin login. Once you log out, you'll be blocked from any further configure access unless you can log in as a user in the !AdminGroup. The default behaviour is that members of the !AdminGroup have access to =bin/configure=

* *Restrict configure to a defined list of users:*
* *Option 2* Restrict configure to a defined list of users:
* Visit the "Security and Authentication" tab, "Access control" sub-tab.
* Set ={FeatureAccess}{Configure}= to a list of WikiNames that will be allowed access to configure.
* This setting overrides use of the !AdminGroup, and these users do not have to be members of the !AdminGroup.

* *Define a "super user" ID and allow it access to configure*
* *Option 3* Define a "super user" ID and allow it access to configure (This is not recommended)
* Visit the "Security and Authentication" tab, "Passwords" tab. Enable "Expert" options. Set the ={Password}= field to a hashed =ApacheMD5= encoded password.
* Visit the "Security and Authentication" tab, "Access control" sub-tab. Ensure that ={FeatureAccess}{Configure}= lists includes =BaseUserMapping_333=, the internal representation of the "admin" super-user.
* See #InternalAdmin for more information.

You must at least do one of the above before closing your browser or logging out from the temporary admin authority established during bootstrap. Once you
close your browser, you have to have a usable id to run configure or you'll need to add a super-user admin login using the command line.
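Review bot: Option 3 is now marked "not recommended", but the surrounding context still uses the vocabulary this commit is meant to retire: "the initial super admin login" under Option 1 and "add a super-user admin login using the command line" in the closing paragraph. Both should say "internal admin" for consistency with the new #InternalAdmin anchor referenced from Option 3. Minor: "Ensure that ={FeatureAccess}{Configure}= lists includes" should be "list includes".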
@@ -208,10 +210,10 @@ By adding users to %USERSWEB%.AdminGroup:
* Changes made are always attributed to a unique logged in user.
* Password sharing of the super-user admin password set in =bin/configure= is not required

By using the _internal admin login_:
By using the _internal admin_ login:
* You don't need to grant admin rights to individual users
* All users will be subject to access controls.
* Changes made while using the _internal admin login_ are attributed to %USERSWEB%.AdminUser
* Changes made while using the _internal admin_ login are attributed to %USERSWEB%.AdminUser
* Administrators have to share a common password, which is not considered a good security practice.

---++++ Adding users to the %USERSWEB%.AdminGroup
@@ -237,17 +239,17 @@ To add an initial administrator to the =AdminGroup=, perform the following steps
then="
1 First authenticate as the internal administrator:
* %ADMINLOGIN% "
else="<div class='foswikiAlert'><b>You do not have admin rights, and no super user password is set. You must first establish a super user password. See [[%SYSTEMWEB%.InstallationGuide#SuperUser]]</b></div>
else="<div class='foswikiAlert'><b>You do not have admin rights, and no super user password is set. You must first establish a super user password. See [[%SYSTEMWEB%.InstallationGuide#InternalAdmin]]</b></div>
"}%
"}%

%IF{"%BASETOPIC%='InstallationGuide'" then=" * View the =%USERSWEB%.AdminGroup= topic. Follow the instructions on the page to add users to the %USERSWEB%.AdminGroup. You do _not_ need to edit the topic."}%
Any member of the %USERSWEB%.AdminGroup can add subsequent members, you do not have to use the internal admin login.
Any member of the %USERSWEB%.AdminGroup can add subsequent members, you do not have to use the _internal admin_ login.

To more easily debug access control issues, you may want to have a regular Foswiki user account for daily use, and a special one that belongs to the =AdminGroup= that you use only for administering your Foswiki site. See [[System.AccessControls][%SYSTEMWEB%.AccessControls]] for more information on access controls and user groups.

<div class="foswikiHelp">If you lose admin access and cannot access configure,
see %SYSTEMWEB%.InstallationGuide#SuperUser for information on how to set /
see %SYSTEMWEB%.InstallationGuide#InternalAdmin for information on how to set /
reset the password.
</div>
%ENDSECTION{"addadmin"}%
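Review bot: only the anchor changed on the else= line; its text still reads "no super user password is set. You must first establish a super user password", which is exactly the terminology being replaced. Suggest "no _internal admin_ password is set. You must first establish an _internal admin_ password." The then= branch above it ("First authenticate as the internal administrator") is already close to the new wording and could use the same _internal admin_ markup.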
@@ -257,8 +259,8 @@ reset the password.
Foswiki 1.2 has changed how configure is protected. You no longer need to establish special protections within the web server configuration.
* *Default protection:* If nothing special is configured, any user in the %USERSWEB%.AdminGroup has full access to configure. There is no _admin_ super user, and no special protection.
* *Restrict to specific listed users:* List users who should have access in configure under the [Security and Authentication] [Access Control] tab, {FeatureAccess}{Configure} field. This separates configure access from wiki administrators, and the %USERSWEB%.AdminGroup is not considered. If you want the _admin_ super-user to also have access to configure, you need to include "BaseUserMapping_333" in that list.
#SuperUser
---++++ Establishing a sudo super-user
#InternalAdmin
---++++ Establishing the _internal admin_ login

%T% *Don't log in with the wikiname* *AdminUser, and never register or set a password for AdminUser*.

Expand Down Expand Up @@ -286,7 +288,7 @@ $Foswiki::cfg{Password} = '$apr1$y.98c9Yc$oHRsHOwPr1vOq3vpjaJxb.';
</verbatim>


Note that with the _sudo_ or internal admin login, it is not necessary to add other users to the !AdminGroup. However if you have more than one administrator, you may still want to do this to ensure that topic changes are attributed to a specific user instead of the default %USERSWEB%.AdminUser.
Note that with the _sudo_ or _internal admin_ login, it is not necessary to add other users to the !AdminGroup. However if you have more than one administrator, you may still want to do this to ensure that topic changes are attributed to a specific user instead of the default %USERSWEB%.AdminUser.

---+++ Step 9. Save your configuration!

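Review bot: renaming the anchor from #SuperUser to #InternalAdmin breaks any existing bookmarks, external links or extension documentation that point to InstallationGuide#SuperUser. Keep the old anchor as an alias next to the new one, e.g. `#SuperUser` on the line directly above `#InternalAdmin`, so both resolve to the same heading. The context lines just above the heading ("There is no _admin_ super user", "If you want the _admin_ super-user to also have access") still use the old term as well.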
8 changes: 4 additions & 4 deletions core/data/System/ReleaseNotes01x02.txt
@@ -1,4 +1,4 @@
%META:TOPICINFO{author="ProjectContributor" comment="reprev" date="1426819211" format="1.1" reprev="2" version="1"}%
%META:TOPICINFO{author="ProjectContributor" comment="reprev" date="1426913092" format="1.1" reprev="2" version="1"}%
%META:TOPICPARENT{name="ReleaseHistory"}%
---+!! Foswiki Release 1.2.0 (alpha)

@@ -177,8 +177,8 @@ not block access.

In Foswiki 1.2, sessions ID's will be changed whenever the user identity changes. This improves the resistance to certain session hijack attacks.
This is not believed to have any negative impact, however there is a race condition if the user uses multiple browser tabs, and authenticates in one
tab while the other tabs are interacting with the server (for ex. a long running attachment upload in one tab, followed by a sudo login in another tab.
The session ID in use for the upload will be deleted because of the sudo login and results are unpredictable.
tab while the other tabs are interacting with the server (for ex. a long running attachment upload in one tab, followed by a _internal admin_ login in another tab.
The session ID in use for the upload will be deleted because of the _internal admin_ login and results are unpredictable.

This change is important for security purposes and cannot be disabled.
---+++++ Sessions and Roaming or Mobile Users
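Review bot: "followed by a _internal admin_ login" should be "an _internal admin_ login". The parenthesis opened at "(for ex. a long running attachment upload" is never closed; this is pre-existing, but since the line is being rewritten anyway, close it after "in another tab".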
@@ -215,7 +215,7 @@ Extensions like the Foswiki:Extensions.SafeWikiPlugin can be optionally used to
* Configure requires that the user has logged in to Foswiki and is in the !AdminGroup, or is identified as an authorized configure user.
* The "admin" superuser password is now optional:
* If not set, configure depends solely upon the session authentication
* By not setting, or by clearing the admin password, sites can disable the "sudo" admin login, eliminating sharing of admin passwords.
* By not setting, or by clearing the admin password, sites can disable the _internal admin_ login, eliminating sharing of admin passwords.
* Configure can be restricted to individual users in or out of the !AdminGroup.
* If a ={FeatureAccess}{Configure}= is NOT configured, then the current user must be in the !AdminGroup in order to view or save the configuration.
* If ={FeatureAccess}{Configure}= user list is configured, then the current user must be in the list to be allowed access to configure, regardless of whether or not they are in the !AdminGroup.
10 changes: 5 additions & 5 deletions core/lib/Foswiki.spec
@@ -480,7 +480,7 @@ $Foswiki::cfg{DefaultUserWikiName} = 'WikiGuest';
$Foswiki::cfg{AdminUserLogin} = 'admin';

# **STRING 20 LABEL="Admin User WikiName" EXPERT**
# An admin user WikiName that is displayed for actions done by the
# The internal admin user WikiName that is displayed for actions done by the
# {AdminUserLogin}.
# This is a special WikiName and should never be directly authenticated.
# It is accessed by logging in using the AdminUserLogin either directly
@@ -740,13 +740,13 @@ $Foswiki::cfg{Htpasswd}{AutoDetect} = $TRUE;
# iterations.
$Foswiki::cfg{Htpasswd}{BCryptCost} = 8;

# **PASSWORD LABEL="Super Admin Password" EXPERT CHECK_ON_CHANGE="{FeatureAccess}{Configure}" CHECK="also:{FeatureAccess}{Configure}"**
# **PASSWORD LABEL="Internal Admin Password" EXPERT CHECK_ON_CHANGE="{FeatureAccess}{Configure}" CHECK="also:{FeatureAccess}{Configure}"**
# If set, this password
# permits use of the "sudo" facility. *As it is a "shared password",
# permits use of the "internal admin" (sudo) facility. *As it is a "shared password",
# this is no longer recommended per good security practices and is not
# set by default.* If you want to restore sudo access, set this field
# set by default.* If you want to enable the internal admin login, set this field
# to a valid hashed password generated by the apache =htpasswd= command
# Example: Set the sudo password to 'password'
# Example: Set the internal admin password to 'password'
# <verbatim>
# htpasswd -nb admin password
# admin:$apr1$3xBPRZAV$iqaC9QyWdzC/93os7A9np1