create new tag
, view all tags

Feature Proposals » Allow or deny access to topic in addition to allowed or denied at the web level


Current State: Developer: Reason: Date: Concerns By: Bug Tracking: Proposed For:
MergedToCore HideyoImazu AcceptedBy7DayFeedbackPeriod 2016-12-09   TWikibug:Item7766 KampalaRelease

Edit Form

DateOfCommitment:   Format: YYYY-MM-DD


You may want to allow or deny access to a topic in addition to the users allowed or denied with ALLOWWEB* or DENYWEB*. It would be nice if a change to ALLOWEB* or DENYWEB* is reflected to the topic level restriction.

This is achievable if ALLOWWEB* or DENYWEB* consists only of a TWiki group. Let's assume the following line is there on WebPreferences.

   * Set ALLOWWEBVIEW = AccessGroup
Then the following line on a topic makes the topic viewable to the users having web level access plus CronieGroup members.
   * Set ALLOWTOPICVIEW = AccessGroup, CronieGroup

But this is not flexible. And there is no guarantee that something is not added to ALLOWWEBVIEW.

Description and Documentation

If ALLOWTOPIC* or DENYTOPIC* starts with +, it's treated as if the corresponding ALLOWWEB* or DENYWEB* is inserted there.


Let's say the following line is there on WebPreferences.
   * Set ALLOWWEBVIEW = AccessGroup
Also assume that the topic ForCronies needs to be viewable by CroniesGroup in addition to AccessGroup. Then, ForCronies would have the following line.
   * Set ALLOWTOPICVIEW = + CroniesGroup

Even if ALLOWWEBVIEW is changed, ForCronies topic is always viewable by the users allowed by ALLOWWEBVIEW plus GroniesGroup.

Maybe the above example is not so compelling. Think about a large organization having a lot of LDAP groups and there is a TWiki installation configured to be able to use LDAP groups. Let's assume LDAPGROUP:group-name is the way to specify an LDAP group for access control. Then you may have the line below on WebPreferences.

   * Set ALLOWWEBVIEW = LDAPGROUP:team-tango, LDAPGROUP:team-foxtrot, LDAPGROUP:team-waltz
In that case, duplicating those three on ALLOWTOPICVIEW and put something in addition is cumbersome and may cause inconsistency in the future. Writing as follows is much cleaner.
   * Set ALLOWTOPICVIEW = + LDAPGROUP:team-samba



-- Contributors: Hideyo Imazu - 2016-12-09


Looks good to me!

-- Peter Thoeny - 2017-01-05

Edit | Attach | Watch | Print version | History: r8 < r7 < r6 < r5 < r4 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r8 - 2017-01-23 - HideyoImazu
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2018 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.