• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close • Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
We would like to be able to control access to a Web using a group defined on that same web. In TWiki3 we were able to do something like this:
In your report above, you say
Crawford - We are using TWiki as the Centrally supported Wiki option for professors and students. We have very strict guidelines regarding student privacy so we have taken advantage of putting the Group Access List within the class Web to prevent public searching from ever finding or seeing who is part of a class. Now you are saying this won't be supported in TWiki4? You mention the reason is that it was a security hole, how so? Do you have another way to protect access to Class lists? We hacked the Perl code a bit and were able to put a work-around in place, but we are really hoping for a better solution to be part of the ongoing TWiki code. We are really happy with all the other features in TWiki4 as well as the flexibility TWiki gives us for use on our campus. TWiki:Main.EricHanson
If groups topics are stored in Main web, then they can be protected using the normal mechanisms e.g. in Biology101Group put * Set ALLOWTOPICVIEW = Biology101Group and * Set ALLOWTOPICCHANGE = ProfessorsGroup I said it was a bug, not a security hole. I'm not going to discuss potential security risks in public (don't want to give anyone ideas). If you want to change the definition of what a group is (for that is effectively what you have been relying on) then you need to provide an alternate UserMappingManager.
*Set ALLOWWEBVIEW = %WEB%.UserGroupand it worked fine. In TWiki4 (Dakar) this no longer works. We've tracked all the way to Users->findUser. It deals with the
%MAINWEB%variable by ditching it and always looking in Main. If we have other variables though, they never get expanded. Is this a bug or the way things are now? Note: I am marking this requirement because it seems that functionality from the last TWiki was lost. While the twiki does function (the usual criteria for a critical bug), it no longer functions as it used to.
In your report above, you say
* Set ALLOWWEBVIEW = %WEB%.UserGroupbut then go on to say It deals with the
Mainvariable by ditching it. Did you really mean %MAINWEB%? You used %WEB% in your Set. %WEB% is not expanded in access control definitions anyway. Anyway, true, it no longer functions as it used to. That particular bug has been fixed. I refer you to the TWiki-3 documentation, specifically TWiki.TWikiAccessControl: Groups are defined by group topics created in the Main web, like the TWikiAdminGroup. TWiki-4 introduced the concept of external authentication and user management. Included in this is the external definition of groups (e.g. in a corporate LDAP server). So the assumption that "a group is a topic" is no longer valid, I'm afraid. If you feel mortally wounded by this, then please raise a request for a spec change by opening a feature proposal in Codev web. Discarded. CC
Crawford - We are using TWiki as the Centrally supported Wiki option for professors and students. We have very strict guidelines regarding student privacy so we have taken advantage of putting the Group Access List within the class Web to prevent public searching from ever finding or seeing who is part of a class. Now you are saying this won't be supported in TWiki4? You mention the reason is that it was a security hole, how so? Do you have another way to protect access to Class lists? We hacked the Perl code a bit and were able to put a work-around in place, but we are really hoping for a better solution to be part of the ongoing TWiki code. We are really happy with all the other features in TWiki4 as well as the flexibility TWiki gives us for use on our campus. TWiki:Main.EricHanson
If groups topics are stored in Main web, then they can be protected using the normal mechanisms e.g. in Biology101Group put * Set ALLOWTOPICVIEW = Biology101Group and * Set ALLOWTOPICCHANGE = ProfessorsGroup I said it was a bug, not a security hole. I'm not going to discuss potential security risks in public (don't want to give anyone ideas). If you want to change the definition of what a group is (for that is effectively what you have been relying on) then you need to provide an alternate UserMappingManager.
lib/TWiki/Users/TWikiUserMapping.pm is the default one, which handles groups defined in topics in Main web. A subclass of it which overrides getListOfGroups is probably what you want.
CC
| ItemTemplate | |
|---|---|
| Summary | Allow/Deny 'Set' not expanding Bugs variables |
| ReportedBy |
TWiki:Main.EricHanson
|
| Codebase | 4.0.4 |
| SVN Range | TWiki-4.1-beta1, Tue, 29 Aug 2006, build 11384 |
| AppliesTo | Engine |
| Component | |
| Priority | Urgent |
| CurrentState | No Action Required |
| WaitingFor | |
| Checkins | |
| TargetRelease | n/a |
Topic revision: r5 - 2006-09-11 - CrawfordCurrie
Site map
Bugs web
Create New Report
Index
Search
Detailed Items Query
Changes
100
Notifications
RSS Feed
Statistics
Preferences
Bugs 
Items by urgency
My Reports
Recently Closed
Extensions
By Status 
Waiting for Feedback
Confirmed
Being Worked On
Waiting for Release
No Action Required
Lima 
Fixes for Rel.Notes
Create Feature Request
Account 
Copyright © 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback