Feature Proposal: "All Users" Groups
Motivation
Having such a group would help in access control, particularly in areas such as a web where access is controlled, but comments can be added to an included topic with access allowed.
When EmptyDenySettingMeansUndefinedSetting is implemented, such a group becomes necessary.
Description and Documentation
The following groups will be introduced.
- Main.AllUsersGroup - literally all users including non-authenticated access
- Main.AllAuthUsersGroup - all authenticated users
The original proposal was to introduce Main.AllRegisteredUsersGroup, but there are TWiki installations not requiring user registration - user authentication might be provided outside TWiki. So "Registered Users" is not appropriate.
Examples
Impact and Available Solutions
Implementation
Here's a first cut I tried this morning:
I've added:
push(@{$this->{grouplist}}, $this->findUser($TWiki::cfg{AllRegisteredUsersGroup}));
into getAllGroups() -- (Users.pm) like so:
sub getAllGroups() {
my $this = shift;
ASSERT($this->isa( 'TWiki::Users')) if DEBUG;
unless (defined($this->{grouplist})) {
# Always add $cfg{SuperAdminGroup}
my $sawAdmin = 0;
@{$this->{grouplist}} =
map { $sawAdmin ||= ($_->wikiName() eq $TWiki::cfg{SuperAdminGroup}); $_ }
$this->{usermappingmanager}->getListOfGroups();
if (!$sawAdmin) {
push(@{$this->{grouplist}}, $this->findUser($TWiki::cfg{SuperAdminGroup}));
}
+ push(@{$this->{grouplist}}, $this->findUser($TWiki::cfg{AllRegisteredUsersGroup}));
}
return \@{$this->{grouplist}};
}
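Review bot: the added push at the end of the `unless` block appends `$TWiki::cfg{AllRegisteredUsersGroup}` unconditionally, unlike the `$sawAdmin` guard used for SuperAdminGroup just above it. If the user mapping already returns a group of that name from getListOfGroups(), the list ends up holding it twice, and if the config key is unset, findUser() is called with an undefined name and its result is pushed anyway. Suggest detecting the group in the same `map` pass with a second flag and pushing only when the key is configured and the group was not already seen.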
Also I've added:
} else {
if ($group->{wikiname} eq "AllRegisteredUsersGroup") {
$group->{members} = $this->{session}->{users}->getAllUsers;
}
}
into groupMembers() -- (TWikiUserMapping.pm) like so:
sub groupMembers {
my $this = shift;
my $group = shift;
ASSERT($this->isa( 'TWiki::Users::TWikiUserMapping')) if DEBUG;
my $store = $this->{session}->{store};
if( !defined $group->{members} &&
$store->topicExists( $group->{web}, $group->{wikiname} )) {
my $text =
$store->readTopicRaw( undef,
$group->{web}, $group->{wikiname},
undef );
foreach( split( /\r?\n/, $text ) ) {
if( /$TWiki::regex{setRegex}GROUP\s*=\s*(.+)$/ ) {
next unless( $1 eq 'Set' );
# Note: if there are multiple GROUP assignments in the
# topic, only the last will be taken.
$group->{members} =
$this->{session}->{users}->expandUserList( $2 );
}
}
# backlink the user to the group
foreach my $user ( @{$group->{members}} ) {
push( @{$user->{groups}}, $group );
}
+# }
+ } else {
+ if ($group->{wikiname} eq "AllRegisteredUsersGroup") {
+ $group->{members} = $this->{session}->{users}->getAllUsers();
+ }
+ }
return $group->{members};
}
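Review bot: commenting out the closing brace (`+# }`) makes the new `else` the else of the outer `if( !defined $group->{members} && $store->topicExists(...) )`, which has three consequences. If a topic named AllRegisteredUsersGroup exists, the first branch runs and that topic's GROUP setting defines the membership, so the group only means "all users" while the topic is absent; test the group name before reading the topic. The `else` is also taken whenever members are already defined, so getAllUsers() is re-run on every call for this group, and the users it returns never get the backlink push into `$user->{groups}`. Finally, the name is the literal "AllRegisteredUsersGroup" here but `$TWiki::cfg{AllRegisteredUsersGroup}` in getAllGroups(); compare against the config value in both places.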
All of this seems to work but the modification seemed too simple, and I don't really know enough about TWiki to be sure.
-- GregPendlebury
The above implementation is for TWikiUserMapping and does not work with other user mappings.
Having AllUsersGroup and AllAuthUsersGroup implemented in TWiki::Users::BaseUserMapping is a possibility.
But this doesn't sound right because a group in a user mapping should have the users defined in the mapping.
As such, having those groups defined in TWiki::Users::isInGroup() seems reasonable.
-- HideyoImazu
-- Contributors: GregPendlebury
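The mapping-independent approach suggested above (answering the two groups in the membership check itself) can be modelled as follows. This is an added standalone Perl example, not TWiki source or code from the contributors; is_in_group, %MAPPING_GROUPS and the guest wiki name TWikiGuest are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added illustration: standalone model, not TWiki source. All names below
# (is_in_group, %MAPPING_GROUPS, $GUEST) are hypothetical.
use strict;
use warnings;

my $GUEST = 'TWikiGuest';    # assumed wiki name of the unauthenticated user

# Constructed sample of groups as a user mapping might return them. The
# AllUsersGroup entry models a topic created under the reserved name.
my %MAPPING_GROUPS = (
    DevGroup      => [qw(AliceSmith BobJones)],
    AllUsersGroup => [qw(CarolWhite)],
);

# Implicit groups are answered from session state before the mapping is
# consulted, so they behave the same under every user mapping and cannot be
# redefined by a topic of the same name.
sub is_in_group {
    my ( $user, $group ) = @_;
    $user = $GUEST unless defined $user && length $user;
    return 1 if $group eq 'AllUsersGroup';
    return $user ne $GUEST ? 1 : 0 if $group eq 'AllAuthUsersGroup';
    my $members = $MAPPING_GROUPS{$group} or return 0;
    return ( grep { $_ eq $user } @$members ) ? 1 : 0;
}

# Constructed checks: (user, group, expected result).
my @cases = (
    [ 'TWikiGuest', 'AllUsersGroup',     1 ],
    [ 'TWikiGuest', 'AllAuthUsersGroup', 0 ],
    [ 'AliceSmith', 'AllAuthUsersGroup', 1 ],
    [ 'AliceSmith', 'AllUsersGroup',     1 ],    # mapping entry is ignored
    [ undef,        'AllAuthUsersGroup', 0 ],    # missing identity is guest
    [ 'BobJones',   'DevGroup',          1 ],
    [ 'TWikiGuest', 'DevGroup',          0 ],
    [ 'AliceSmith', 'NoSuchGroup',       0 ],
);

my $failed = 0;
for my $c (@cases) {
    my ( $user, $group, $want ) = @$c;
    my $got  = is_in_group( $user, $group );
    my $name = defined $user ? $user : '(none)';
    printf "%-11s in %-18s => %d%s\n", $name, $group, $got,
        $got == $want ? '' : '  MISMATCH';
    $failed++ if $got != $want;
}
exit( $failed ? 1 : 0 );
```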
Discussion
-- GregPendlebury - 14 Nov 2006
This started in Support.GroupWithAllUsers. An AllUsersGroup or AllRegisteredUsersGroup would be useful to have. It could be done implicitly with a TWiki internal test, e.g. without the need to update the AllUsersGroup at registration time.
-- PeterThoeny - 14 Nov 2006
Updated with my first try at a working version.
-- GregPendlebury - 11 Dec 2006
Now, I'm committed to this proposal and modified it.
Since this was proposed a long time ago and no objection has been raised, isn't this regarded as "Accepted by 7 day feedback period"?
-- Hideyo Imazu - 2013-09-02
Technically, the clock starts once the committed developer and date of commitment are filled in. So it would start today. We can make an exception so that it can ship with TWiki-6.0.
What is the difference between AllUsersGroup and AllAuthUsersGroup?
-- Peter Thoeny - 2013-09-02
The only difference is whether unknown/unregistered/unauthenticated users are included or not. AllUsersGroup includes literally all users even if they are not registered and hence not authenticated. AllAuthUsersGroup excludes unregistered and unauthenticated users.
-- Hideyo Imazu - 2013-09-02
I've changed the status to AcceptedProposal with the reason being AcceptedByReleaseMeeting, which is sort of true - EmptyDenySettingMeansUndefinedSetting is approved by the last release meeting and that enhancement requires this enhancement.
-- Hideyo Imazu - 2013-09-03
Cross-proposal at CreateAnAllUsersGroup.
-- Peter Thoeny - 2013-09-19