Feature Proposal: Access based WEBLIST

Update 05 Feb 2007: this has already been implemented since TWiki 4.0.

Motivation

Quite a number of support questions deal with the difficulty of showing webs based on access rights.

It should be easy to show only the webs the user has viewing rights to.

-- Contributors: ArthurClemens

Discussion

Unless the user is TWikiGuest? and could have seen them once they are logged in. People sometimes ask for things they do not really want once they have seen it in real life.

-- KennethLavrsen - 04 Feb 2007

I think Arthur's suggestion is quite reasonable. Why show webs (the same goes for topics in the index) the user is not allowed to view? I realize the TWiki security model is not that strong anyway, but at least the web level is reasonably secure. Giving a way names gives just another opportunity for attack.

-- ThomasWeigert - 04 Feb 2007

I've been running private and public webs together in the same TWikiSite for years now and it is very impractical. So much so that I am leaning ever more towards the conclusion that the two cannot cohabitate. To truly be private, hidden webs must be run in a completely separate twiki site (ideally made simpler by MultipleSitesSameCodebase). But then you've got multiple sites and user IDs in each, which is no panacea either.

From WebSearch displaying the contents of topics that the user isn't allowed to see, to the TagMePlugin not honoring the NOSEARCHALL = on setting in a hidden web's WebPreferences (raised as issue Bugs:Item3563), there is always another reason why private or hidden webs & topics are neither private nor hidden.

So improvements in this area would be very valuable, welcome and appreciated.

-- KeithHelfrich - 04 Feb 2007

This is what I did for a client on their TWiki home page:

You currently have access to the following webs (collaboration areas): Web area Used for Main Welcome to TWiki... Users, Groups, Offices - tour this expandable virtual workspace. TWiki Welcome, Registration, and other StartingPoints; TWiki history & Wiki style; All the docs... Blog Blog of the TWiki.org community Codev TWiki development: the core collaboration zone for the TWiki Project. Plugins Repository for TWiki Plugins, Skins and Add-Ons. Sandbox Sandbox test area. Support Tech support for the TWiki collaboration platform. TWiki01 Official documentation of the TWiki Release 01-Dec-2001 TWiki02 Official documentation of the TWiki Release 01-Feb-2003 TWiki03 Official documentation of the TWiki Release 01-Sep-2004 TWiki04 Official documentation of the TWiki Release 4.0 TWiki04x01 Welcome, Registration, and other StartingPoints; TWiki history & Wiki style; All the docs... TWiki04x02 Welcome, Registration, and other StartingPoints; TWiki history & Wiki style; All the docs... Note: You are currently not logged in. Please login to see the webs you have access to.

This shows a weblist based on a SEARCH for SITEMAPLIST in all WebPreferences. The webs that are not accessible are not shown, e.g. the user sees only the webs she has access to. There is also a conditional text below the table in case the user is not logged in. (View raw to see how this works.)

-- PeterThoeny - 05 Feb 2007

Is this list based on the public state of the webs, or on the access rights a user has (and groups this user is in)?

-- ArthurClemens - 05 Feb 2007

Peter's search leverages the fact that (since 4.0) for a web to be visible in a weblist, then the user has to have VIEW access to the WebPreferences topic in the web. I believe t.o. has several "hidden" webs that I presume are protected this way (I don't know, I can't see them either).

%WEBLIST% is also filtered on the basis of access rights: Blog Codev Main Plugins Sandbox Support TWiki TWiki01 TWiki02 TWiki03 TWiki04 TWiki04x01 TWiki04x02

Note that you can also play clever games with access rights to allow a user to see the existence of a web but not see the content - e.g. in WebPreferences,

• Clear DENYTOPICVIEW to allow anyone to see this topic
  • Set DENYTOPICVIEW =
• Deny TWikiGuest? access to everything else in the web
  • Set DENYWEBVIEW = TWikiGuest

Thus TWikiGuest? can know of the existence of a web, but the user must log in to see the content.

-- CrawfordCurrie - 05 Feb 2007

Maybe I did not understand the original request.

But the way things work as Crawford describes it so well above is the way I think it should work.

You can hide a web today. But you can also deny access to a web but not hide its existance. And the way Crawford describes it is exactly the way I have setup a TWiki to work and I would not want to loose this function and this is why I reacted against the proposal because I understood that this is what was proposed.

-- KennethLavrsen - 05 Feb 2007

I can confirm TWiki already behaves as desired, regarding the weblist. Closing this request.

-- ArthurClemens - 05 Feb 2007