Purpose
- To provide methods for the CgiScripts to check whether a user is permitted to change something.
- NB Plugins should use the equivalent interface in FuncDotPm
- Provides an API to access the information in TWikiGroups (though the name of that topic seems to be configurable too)
Used by
This module is primarily used by the CgiScripts.
Important parameters
| Action | Topic DENY | Topic ALLOW | Web DENY | Web ALLOW | Notes |
| CHANGE | DENYTOPICCHANGE | ALLOWTOPICCHANGE | DENYWEBCHANGE | ALLOWWEBCHANGE | |
| VIEW | DENYTOPICVIEW | ALLOWTOPICVIEW | DENYWEBVIEW | ALLOWWEBVIEW | |
| RENAME | DENYTOPICRENAME | ALLOWTOPICRENAME | DENYWEBRENAME | ALLOWWEBRENAME | |
| MANAGE | | | | | ? what's this? |
| VOTE | DENYTOPICVOTE | ALLOWTOPICVOTE | - | - | PollPlugin |
| HISTORY | DENYTOPICHISTORY | ALLOWTOPICHISTORY | - | - | proposed |
| VIEWRAW | DENYTOPICVIEWRAW | ALLOWTOPICVIEWRAW | - | - | proposed |
Please see CodevDocumentationProject and CodevDocumentationProjectDev for comments on the format of these pages.
| Note: | Below documentation is extracted from the currently installed TWiki::Access Perl module, which is done by the PerlDocPlugin |
package TWiki::Access
A singleton object of this class manages the access control database.
ClassMethod new()
Construct a new singleton object to manage the permissions database.
ObjectMethod permissionsSet ( $web ) -> $boolean
Are there any security restrictions for this Web (ignoring settings on individual pages).
ObjectMethod getReason() -> $string
Return a string describing the reason why the last access control failure occurred.
ObjectMethod checkAccessPermission( $action, $user, $text, $meta, $topic, $web ) -> $boolean
Check if user is allowed to access topic
- $action - 'VIEW', 'CHANGE', 'CREATE', etc.
- $user - User object
- $text - If undef or '': Read '$theWebName.$theTopicName' to check permissions
- $meta - If undef, but $text is defined, then metadata will be parsed from $text. If defined, then metadata embedded in $text will be ignored. Always ignored if $text is undefined. Settings in $meta override * Set settings in plain text.
- $topic - Topic name to check, e.g. 'SomeTopic' (undef to check web perms only)
- $web - Web, e.g. 'Know'
If the check fails, the reason can be recovered using getReason.
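As an added illustration of how the DENY/ALLOW settings in the table above and the checkAccessPermission contract fit together, here is a stand-alone Python model; it is not TWiki's own code. The precedence it applies (topic DENY, then topic ALLOW, then web DENY, then web ALLOW, with no setting meaning allowed), the flat group map, and the sample topic and web texts are all assumptions constructed for this example.

```python
import re

# Matches TWiki preference lines such as "   * Set DENYTOPICVIEW = Main.TWikiGuest".
SET_RE = re.compile(
    r'^[ \t]+\*[ \t]+Set[ \t]+(ALLOW|DENY)(TOPIC|WEB)([A-Z]+)[ \t]*=[ \t]*(.*?)[ \t]*$',
    re.M)


def parse_settings(text):
    """Map setting name -> set of names, e.g. {'DENYTOPICVIEW': {'Main.TWikiGuest'}}."""
    settings = {}
    for mode, scope, action, value in SET_RE.findall(text):
        names = {n.strip() for n in value.split(',') if n.strip()}
        if names:  # an empty list is treated as "not set" in this model
            settings[mode + scope + action] = names
    return settings


def user_matches(user, names, groups):
    """True if user is listed directly or belongs to a listed group (flat groups)."""
    return user in names or any(user in groups.get(g, ()) for g in names)


def check_access_permission(action, user, topic_text, web_text, groups):
    """Return (allowed, reason); reason names the setting that denied, else ''.

    Assumed precedence for this model: topic DENY, topic ALLOW, web DENY,
    web ALLOW. An ALLOW list at a scope is decisive and does not fall through.
    """
    action = action.upper()
    scopes = (('TOPIC', parse_settings(topic_text)), ('WEB', parse_settings(web_text)))
    for scope, settings in scopes:
        deny = settings.get('DENY' + scope + action)
        if deny and user_matches(user, deny, groups):
            return False, 'DENY' + scope + action
        allow = settings.get('ALLOW' + scope + action)
        if allow:
            if user_matches(user, allow, groups):
                return True, ''
            return False, 'ALLOW' + scope + action
    return True, ''


# Constructed sample texts, not taken from any real TWiki installation.
WEB_PREFS = "   * Set ALLOWWEBCHANGE = Main.TWikiAdminGroup\n"
POLL_TOPIC = ("Results of an anonymous poll.\n"
              "   * Set DENYTOPICVIEW = Main.TWikiGuest\n"
              "   * Set ALLOWTOPICCHANGE = Main.PollOwner\n")
GROUPS = {'Main.TWikiAdminGroup': {'Main.AdminUser'}}  # flat group -> users
```

Note that a topic-level ALLOW list overrides a more permissive web-level ALLOW in this model, which is why the poll owner can change the poll topic while an administrator cannot.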
Contributors:
-- MartinCleaver - 23 Jun 2002
-- PeterThoeny - 01 Feb 2004
Discussions
Calls from bin
testwiki$ grep checkAccessPermission bin/*
bin/attach: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, "", $topic, $webName ) ) {
bin/edit: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $text, $topic, $webName ) ) {
bin/edit.orig: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $text, $topic, $webName ) ) {
bin/editsection: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $text, $topic, $webName ) ) {
bin/mailtotwiki: if (! TWiki::Func::checkAccessPermission('CHANGE',
bin/manage: unless( &TWiki::Access::checkAccessPermission( "manage", $wikiUserName, "",
bin/megarename: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $scantext,
bin/megarename: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $ret, $oldTopic, $oldWeb ) ) {
bin/passwd: #if( &TWiki::Access::checkAccessPermission( "change", "Main.TWikiGuest", "", $wikiName, $TWiki::mainWebname )) {
bin/poll: if( ! &TWiki::Func::checkAccessPermission( "vote", $wikiUserName, "", $topic, $webName ) ) {
bin/rdiff: my $viewAccessOK = &TWiki::Access::checkAccessPermission( "view", $wikiUserName, "", $topic, $webName );
bin/rename: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $scantext,
bin/rename: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $ret, $oldTopic, $oldWeb ) ) {
bin/rename: if( ! &TWiki::Access::checkAccessPermission( "rename", $wikiUserName, $ret, $oldTopic, $oldWeb ) ) {
bin/save: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, "", $topic, $webName ) ) {
bin/savecomment: if( ! &TWiki::Access::checkAccessPermission( "post", $wikiUserName, "", $topic, $webName ) ) {
bin/savemulti: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, "", $topic, $webName ) ) {
bin/upload: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, "", $topic, $webName ) ) {
bin/view: my $viewAccessOK = &TWiki::Access::checkAccessPermission( "view", $wikiUserName, $text, $topic, $webName );
bin/viewauth: my $viewAccessOK = &TWiki::Access::checkAccessPermission( "view", $wikiUserName, $text, $topic, $webName );
Calls from lib
testwiki$ grep checkAccessPermission lib/TWiki/*
lib/TWiki/Search.pm: $topicAllowView{ $tempVal } = &TWiki::Access::checkAccessPermission( "view", $TWiki::wikiUserName, $text, $tempVal, $thisWebName );
lib/TWiki/Search.pm: $topicAllowView{ $tempVal } = &TWiki::Access::checkAccessPermission( "view", $TWiki::wikiUserName, $text, $tempVal, $thisWebName );
lib/TWiki/Search.pm: $topicAllowView{ $tempVal } = &TWiki::Access::checkAccessPermission( "view", $TWiki::wikiUserName, $text, $tempVal, $thisWebName );
lib/TWiki/Search.pm: $allowView = &TWiki::Access::checkAccessPermission( "view", $TWiki::wikiUserName, $text, $topic, $thisWebName );
lib/TWiki/Search.pm: my $changeAccessOK = &TWiki::Access::checkAccessPermission( "change", $TWiki::wikiUserName, $text, $topic, $thisWebName );
lib/TWiki/Store.pm: $viewAccessOK = &TWiki::Access::checkAccessPermission( "view", $TWiki::wikiUserName, $text, $theTopic, $theWeb );
Issues
userIsInGroup should be declared a Public method or not used in scripts.
A grep of the source tree indicates that checkAccessPermission() is the most used method.
However, userIsInGroup() is used in
- bin/edit
- bin/preview
- bin/save
- bin/savemulti
The vector of public methods in the code should be updated to reflect this. -- which code? In access.pm? I see this as saying that userIsInGroup is public [ MartinCleaver 22 Oct 2003 ]
Also consider if userIsInGroup() should be substituted and made private. -- why? and with what?
-- AntonAylward - 10 May 2003
userIsInGroup should be made recursive
By making isUserInGroup check recursively we would enable a group to be a member of a group. I think this simple modification could help manage large installations.
Access checks for VIEWTOPICRAW and VIEWTOPICHISTORY need to be added
I set up a poll on my system that was supposed to be anonymous. Of course, it isn't because everyone can see the history. So doing a 'Diffs' (Page history) is different to a view and IMO they should be treated differently.
There are many reasons that you'd want to prevent someone from seeing the raw view (e.g. for polls). I think this could also be usefully extended.
-- MartinCleaver - 22 Oct 2003
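An added illustration of the recursive group check proposed above, written for this page rather than taken from TWiki: groups are read from constructed "* Set GROUP =" lines, a member that is itself a group is expanded, and a visited set stops the A -> B -> A cycles that a naive recursion would loop on. Topic names, group names and members are all invented for the example.

```python
import re

# Matches the membership line of a group topic, e.g. "   * Set GROUP = Main.Alice, Main.OpsGroup".
GROUP_RE = re.compile(r'^[ \t]+\*[ \t]+Set[ \t]+GROUP[ \t]*=[ \t]*(.*?)[ \t]*$', re.M)


def parse_group_topics(topics):
    """{'Main.SomeGroup': topic text, ...} -> {group: [member, ...]}.

    Topics with no '* Set GROUP =' line are skipped, so a topic that merely
    mentions GROUP in prose (or has Group in its name) is not treated as a group.
    """
    groups = {}
    for name, text in topics.items():
        m = GROUP_RE.search(text)
        if m:
            groups[name] = [x.strip() for x in m.group(1).split(',') if x.strip()]
    return groups


def user_is_in_group(user, group, groups, _seen=None):
    """Recursive membership test; _seen guards against cyclic group definitions."""
    seen = set() if _seen is None else _seen
    if group in seen:
        return False  # already being examined higher up the recursion
    seen.add(group)
    for member in groups.get(group, []):
        if member == user:
            return True
        if member in groups and user_is_in_group(user, member, groups, seen):
            return True
    return False


def expand_group(group, groups):
    """All users reachable from group through nested groups (iterative, cycle-safe)."""
    users, todo, seen = set(), [group], set()
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, []):
            (todo.append if member in groups else users.add)(member)
    return users


# Constructed group topics; OpsGroup and TWikiAdminGroup reference each other.
SAMPLE_TOPICS = {
    'Main.TWikiAdminGroup': "   * Set GROUP = Main.AliceAdmin, Main.OpsGroup\n",
    'Main.OpsGroup': "   * Set GROUP = Main.BobOps, Main.TWikiAdminGroup\n",
    'Main.HowToEmailAGroup': "Mentions GROUP in prose but defines no group.\n",
}
```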
Added
%PERLDOC{...}% to pull the doc from the TWiki.pm Perl module. Removed PublicMethods and PrivateMethods section since they are no longer needed.
-- PeterThoeny - 01 Feb 2004
Set parent topic to CodevDocumentationProject.
-- WalterMundt - 01 Feb 2004
It looks like I am going to need support for more AccessControlFunctions? (initially for DeleteAccount, later for TWiki interface to manage groups).
- getGroupsUserIsIn
- removeUserFromGroup
- addUserToGroup
- getAllGroups
PROBLEM!! - how do I get a list of all the groups in a TWiki, in a reasonable amount of time? At the moment I have to do a SEARCH for Set GROUPS.
yeuch
Search: Set GROUP =
- DevelopBranchGroup
- SaccAdminGroup
- SecurityTeamSupportGroup
- TWikiAdminGroup
- TWikiCommunityGroup
- WikiITStestgroup
- EmotivSystemsGroup
- MemoriasEPCGroup
- RobleRealGroup
- SfzgGroup
- TrentoGroup
- WalterGroup
- AutomaticallyPutNewUsersIntoGroup
- CantAddMyLoginNameToTWikiAdminGroup
- HowToEmailAGroup
- RenderListforGroup
- TWikiGroup
-- SvenDowideit - 15 Feb 2004