archive_me1Add my vote for this tag create new tag
, view all tags

Feature Proposal: Access based WEBLIST

Update 05 Feb 2007: this has already been implemented since TWiki 4.0.


Quite a number of support questions deal with the difficulty of showing webs based on access rights.

It should be easy to show only the webs the user has viewing rights to.

-- Contributors: ArthurClemens


Unless the user is TWikiGuest and could have seen them once they are logged in. People sometimes ask for things they do not really want once they have seen it in real life.

-- KennethLavrsen - 04 Feb 2007

I think Arthur's suggestion is quite reasonable. Why show webs (the same goes for topics in the index) the user is not allowed to view? I realize the TWiki security model is not that strong anyway, but at least the web level is reasonably secure. Giving a way names gives just another opportunity for attack.

-- ThomasWeigert - 04 Feb 2007

I've been running private and public webs together in the same TWikiSite for years now and it is very impractical. So much so that I am leaning ever more towards the conclusion that the two cannot cohabitate. To truly be private, hidden webs must be run in a completely separate twiki site (ideally made simpler by MultipleSitesSameCodebase). But then you've got multiple sites and user IDs in each, which is no panacea either.

From WebSearch displaying the contents of topics that the user isn't allowed to see, to the TagMePlugin not honoring the NOSEARCHALL = on setting in a hidden web's WebPreferences (raised as issue Bugs:Item3563), there is always another reason why private or hidden webs & topics are neither private nor hidden.

So improvements in this area would be very valuable, welcome and appreciated.

-- KeithHelfrich - 04 Feb 2007

This is what I did for a client on their TWiki home page:

You currently have access to the following webs (collaboration areas):
Web area Used for
Main TWiki home with users and groups for access control
TWiki TWiki documentation, welcome, registration and other starting points
Blog Blog of the TWiki.org community
Codev TWiki development: the core collaboration zone for the TWiki Project.
Plugins Repository for TWiki Plugins, Skins and Add-Ons.
Sandbox Sandbox test area. Use this workspace to try out TWiki.
Support Tech support for the TWiki collaboration platform.
TWiki01 Official documentation of the TWiki Release 01-Dec-2001
TWiki02 Official documentation of the TWiki Release 01-Feb-2003
TWiki03 Official documentation of the TWiki Release 01-Sep-2004
TWiki04 Official documentation of the TWiki Release 4.0
TWiki04x01 Official documentation of the TWiki Release 4.1
TWiki04x02 Official documentation of the TWiki Release 4.2
TWiki04x03 Official documentation of the TWiki Release 4.3
TWiki05x00 Official documentation of the TWiki-5.0 Release
TWiki05x01 Official documentation of the TWiki-5.1 Release
TWiki06x00 TWiki documentation, welcome guest and user registration
WikiWed Keep track of Wiki Wednesday events

warning.gif Note: You are currently not logged in. Please login to see the webs you have access to.

This shows a weblist based on a SEARCH for SITEMAPLIST in all WebPreferences. The webs that are not accessible are not shown, e.g. the user sees only the webs she has access to. There is also a conditional text below the table in case the user is not logged in. (View raw to see how this works.)

-- PeterThoeny - 05 Feb 2007

Is this list based on the public state of the webs, or on the access rights a user has (and groups this user is in)?

-- ArthurClemens - 05 Feb 2007

Peter's search leverages the fact that (since 4.0) for a web to be visible in a weblist, then the user has to have VIEW access to the WebPreferences topic in the web. I believe t.o. has several "hidden" webs that I presume are protected this way (I don't know, I can't see them either).

%WEBLIST% is also filtered on the basis of access rights: Blog Codev Main Plugins Sandbox Support TWiki TWiki01 TWiki02 TWiki03 TWiki04 TWiki04x01 TWiki04x02 TWiki04x03 TWiki05x00 TWiki05x01 TWiki06x00 WikiWed

Note that you can also play clever games with access rights to allow a user to see the existence of a web but not see the content - e.g. in WebPreferences,

  • Clear DENYTOPICVIEW to allow anyone to see this topic
  • Deny TWikiGuest access to everything else in the web

Thus TWikiGuest can know of the existence of a web, but the user must log in to see the content.

-- CrawfordCurrie - 05 Feb 2007

Maybe I did not understand the original request.

But the way things work as Crawford describes it so well above is the way I think it should work.

You can hide a web today. But you can also deny access to a web but not hide its existance. And the way Crawford describes it is exactly the way I have setup a TWiki to work and I would not want to loose this function and this is why I reacted against the proposal because I understood that this is what was proposed.

-- KennethLavrsen - 05 Feb 2007

I can confirm TWiki already behaves as desired, regarding the weblist. Closing this request.

-- ArthurClemens - 05 Feb 2007

Edit | Attach | Watch | Print version | History: r11 < r10 < r9 < r8 < r7 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r11 - 2008-08-12 - RafaelAlvarez
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.