Hide everything to guests

[afeurra]

Describe the issue

I wish I could prevent guests to see any part of my installation. I have removed all roles from Guest group in Django but they can still see the language list (including percentages of completion) and users list. A clear and concise description of problem you are facing.

To Reproduce

Steps to reproduce the behavior:

(using hosted.weblate.org as example)

1. Go to https://hosted.weblate.org/languages/ or https://hosted.weblate.org/user/
2. See the lists of languages and users.
3. Go to https://hosted.weblate.org/admin/
4. Login as Admin
5. Disable all permissions to Guests group
6. Logout
7. Repeat step 1
8. See you can still see lists as at step 2

Expected behavior

Admin should be able to hide everything (include users list) to unathorized guests.

Server configuration and status

• Weblate: 4.2.2
• Django: 3.1.1
• siphashc: 2.1
• Whoosh: 2.7.4
• translate-toolkit: 3.1.0
• lxml: 4.5.2
• Pillow: 7.2.0
• bleach: 3.1.5
• python-dateutil: 2.8.1
• social-auth-core: 3.3.3
• social-auth-app-django: 4.0.0
• django-crispy-forms: 1.9.2
• oauthlib: 3.1.0
• django-compressor: 2.4
• djangorestframework: 3.11.1
• django-filter: 2.3.0
• django-appconf: 1.0.4
• user-agents: 2.1
• filelock: 3.0.12
• setuptools: 40.8.0
• jellyfish: 0.8.2
• openpyxl: 3.0.5
• celery: 4.4.7
• kombu: 4.6.11
• translation-finder: 2.1
• html2text: 2020.1.16
• pycairo: 1.16.2
• pygobject: 3.30.4
• diff-match-patch: 20200713
• requests: 2.24.0
• django-redis: 4.12.1
• hiredis: 1.1.0
• sentry_sdk: 0.16.5
• Cython: 0.29.21
• misaka: 2.1.1
• GitPython: 3.1.8
• borgbackup: 1.1.13
• pyparsing: 2.4.7
• Python: 3.7.3
• Git: 2.20.1
• psycopg2: 2.8.6
• psycopg2-binary: 2.8.6
• phply: 1.2.5
• chardet: 3.0.4
• ruamel.yaml: 0.16.12
• tesserocr: 2.5.1
• akismet: 1.1
• boto3: 1.14.63
• zeep: 3.4.0
• aeidon: 1.7.0
• iniparse: 0.5
• mysqlclient: 2.0.1
• Mercurial: 5.5.1
• git-svn: 2.20.1
• git-review: 1.28.0
• hub: 2.13.0
• lab: 0.16
• Redis server: 5.0.9
• PostgreSQL server: 11.7
• Database backends: django.db.backends.postgresql
• Cache backends: default:RedisCache, avatar:FileBasedCache
• Email setup: django.core.mail.backends.smtp.EmailBackend: webmail.tecnoalarm.com
• OS encoding: filesystem=utf-8, default=utf-8
• Celery: redis://:weblate@weblate-chart-redis-master:6379/1, redis://:weblate@weblate-chart-redis-master:6379/1, regular
• Platform: Linux 4.19.112+ (x86_64)

[github-actions[bot]]

This issue looks like a support question. We try to answer these reasonably fast, but in case you are looking for faster resolution, please consider purchasing support subscription and make Weblate stronger.

[comradekingu]

When is that not a good thing? Suggestions and available translations by default really helps quality and participation. Makes it easy to understand how to get into the process, and where.

If you are committing to a public Git repo or similar, everyone sees all the user accounts/e-mails anyhow.

[nijel]

Yes, the lists are still available, see https://docs.weblate.org/en/latest/admin/access.html#locking-down-weblate

[afeurra]

Thanks to both for your replies. @comradekingu it is a good thing when translating open-source or public project such as websites or wikis, not when translating products for a company, which usually want to keep everything (including repos) private. I do not want guests to see the names of the users (nor the nickname) or the languages. @nijel I already set REGISTRATION_OPEN to 0 and it's working. I'll take a look at LOGIN_REQUIRED_URLS which I wasn't aware of.

[afeurra]

Ok setting

environment:
  WEBLATE_REQUIRE_LOGIN: 1

did what I expected (I'm using the Helm chart with the obvious configurations needed). Now every URL (including /widgets/) requires for authentication. Thanks @nijel for the suggestion and the great work!

[github-actions[bot]]

The issue you have reported seems to be resolved now.

• In case you see a similar problem, please open a separate issue.
• If you are happy with the outcome, consider supporting Weblate by donating.