Feature Proposal: User mapping manager to be able to have a method to allow new web creation
Motivation
There are cases where ROOTCHANGE and ALLOWWEBCHANGE are not powerful enough to implement web creation permission you want.
For example, you may want to allow a user to create a certain subweb of the web Foo while you don't want to allow
to create topics on the web Foo.
The way to achieve the goal efficiently is to be able to have a method in the user mapping manager allowing web creation depending on the user and the name of the web to be create.
Here are two concrete examples requiring the capability.
A large TWiki site in a large organization employing UserSubwebs
Let's assume:
- It's about a large organization having 50,000 users in its LDAP. User IDs, real names, email addresses, etc. are in the LDAP
- It has an intranet single sign-on mechanism leveraging the LDAP data
- Everybody in the organization may edit topics on a TWiki site having 5,000 webs
- The TWiki site authenticate users with the intranet single sign-on mechanism
- UserSubwebs is in use
Implication:
- Requiring user registration on the TWiki site for editing doesn't make a lot of sense. Because all user account data is already in LDAP, which is supposed to be referred to if needed.
- Users need to be forbidden to create topics on the Main web. Otherwise, it accumulates a lot of clutters in the long run.
- Users need to be able to create/delete their personal web on their own
- Here needs an enhancement
UsingMultipleDisks and /pub/... rewritten to /cgi-bin/viewfiles/...
Let's assume:
- There is a TWiki site employing UsingMultipleDisks
- The HTTP server housing TWiki needs to rewrite /pub/... to /cgi-bin/viewfile/... so that all attachments are obtainable by /pub/... path without symbolic links
Implication:
- The rewriting rule doesn't rewrite /pub/TWiki/... and /pub/Public/... so that files there can be retrieved directly (=quickly) from the HTTP server without going through TWiki.
- For every top level web A, there can be Public/A subweb. The owner of the web A can create Public/A if they like. Web owners must not be able to create topics in Public or a subweb unrelated to web names the user owns
- Here needs an enhancement
Description and Documentation
In TWiki::UI::Manage::_createWeb(), check if the new web is allowed to be created as follows.
unless ( $session->{users}->canCreateWeb($newWeb) ) {
...
TWiki::UI::checkAccess( $session, $parent, undef, 'CHANGE', $session->{user} );
}
TWiki::Users::canCreateWeb() calls $session->{users}{mapping}->canCreateWeb($newWeb) and then returns the value if it exists. Otherwise, TWiki::Users::canCreateWeb() returns false.
There should be no need for TWiki::Users::canCreateTopic() because isAdmin() in the user mapping handler can do a similar thing with topics.
Examples
Impact
Implementation
--
Contributors: HideyoImazu - 2012-09-20
Discussion
This is now regarded as accpeted by the 7 day feedback period.
The topic title "Customizable permission to create a new web" wasn't so good.
So it's now changed to "User mapping manager to be able to have a method to allow new web creation"
--
HideyoImazu - 2012-10-16
Sensible enhancement.
--
PeterThoeny - 2012-10-17
The topic name CanCreateWebMethodOfUserMappingManager was too long and has been changed to AllowWebCreateByUserMappingManager.
--
HideyoImazu - 2012-10-17
The topic name CanCreateWebMethodOfUserMappingManager sounded too conding centric. So it's renamed (again) to AllowWebCreateByUserMappingManager.
--
HideyoImazu - 2012-10-19