Wiki Module has a Security Hole

After tons of testing on why the permissions are not working in the Wiki module (EE version 6) I noticed that the control panel and module is actually using member roles (database table = exp_members_roles) to assign permissions to edit Wikis, in the past it was using member groups.

This seems to be a big security issue because when a new member signs up, there are NO roles assigned to that account by default. That table is blank unless you manually go to the CP and set a role for that user, then the proper role is created. Then the permissions in the Wiki module work but if the account has no roles, the permissions don’t apply for the Wiki module which means they have full admin access to all Wikis !!!

The security hole is that by default, all users can edit, create and modify all Wikis by default because that account has no roles as such the permissions are not checking anything instead of denying access.

This is dangerous. Any new sign up can basically access and edit all wikis. By default, the permissions should be NULL or deny access if no role is found in the database.

As a side note, how do I now assign roles for new users? I want specific users to have access to some Wikis by default on sign up but assign a role manually from the control panel to each new registration is not a viable option.

This worked fine in the past because basically if you had set a Wiki to allow for example “members group” access, you then assign new users on sign up that member group. But now, it’s using roles, and roles are not set on new sign ups by default.