We would like to be able to control access to a Web using a group defined on that same web. In TWiki3 we were able to do something like this:
* Set ALLOWWEBVIEW = %WEB%.UserGroup
and it worked fine. In TWiki4 (Dakar) this no longer works. We've tracked all the way to Users->findUser. It deals with the variable by ditching it and always looking in Main. If we have other variables though, they never get expanded.
Is this a bug or the way things are now?
Note: I am marking this requirement because it seems that functionality from the last TWiki was lost. While the twiki does function (the usual criteria for a critical bug), it no longer functions as it used to.
In your report above, you say
* Set ALLOWWEBVIEW = %WEB%.UserGroup
but then go on to say "It deals with the Main variable by ditching it". Did you really mean %MAINWEB%? You used %WEB% in your Set. %WEB% is not expanded in access control definitions anyway.
Anyway, true, it no longer functions as it used to. That particular bug has been fixed. I refer you to the TWiki-3 documentation, specifically TWiki.TWikiAccessControl: "Groups are defined by group topics created in the Main web, like the TWikiAdminGroup".
TWiki-4 introduced the concept of external authentication and user management. Included in this is the external definition of groups (e.g. in a corporate LDAP server). So the assumption that "a group is a topic" is no longer valid, I'm afraid.
If you feel mortally wounded by this, then please raise a request for a spec change by opening a feature proposal in Codev web.
We are using TWiki as the centrally supported wiki option for professors and students. We have very strict guidelines regarding student privacy, so we have taken advantage of putting the Group Access List within the class Web to prevent public searching from ever finding or seeing who is part of a class. Now you are saying this won't be supported in TWiki4? You mention the reason is that it was a security hole; how so? Do you have another way to protect access to class lists?
We hacked the Perl code a bit and were able to put a work-around in place, but we are really hoping for a better solution to be part of the ongoing TWiki code. We are really happy with all the other features in TWiki4 as well as the flexibility TWiki gives us for use on our campus.
If group topics are stored in Main web, then they can be protected using the normal mechanisms, e.g. in Biology101Group put
* Set ALLOWTOPICVIEW = Biology101Group
and
* Set ALLOWTOPICCHANGE = ProfessorsGroup
I said it was a bug, not a security hole. I'm not going to discuss potential security risks in public (don't want to give anyone ideas).
If you want to change the definition of what a group is (for that is effectively what you have been relying on) then you need to provide an alternate UserMappingManager
is the default one, which handles groups defined in topics in Main web. A subclass of it which overrides
is probably what you want.