Tags:
access_control1Add my vote for this tag create new tag
, view all tags

Wiki access control based on change/view is broken

I have set up several wiki sites where access control is important. If TWiki did not have access control, we would have to use (gag) SharePoint.

Today, I noticed for the umpteenth time that TWiki's access control is, um, suboptimal, a pain to administer.

TWiki has separate lists for read access - ALLOWWEBVIEW - and change access - ALLOWWEBCHANGE.

Since nearly everyone who is allowed to change a topic is also allowed to read it, these are redundant. The ALLOWEBCHANGE list should always be a subset of the ALLOWWEBVIEW list. When it isn't, well, it's a pain - e.g. if you leave yourself off the ALLOWWEBVIEW list you can still read the pages by going into edit, but you have to type URLs in yourself.

I recommend that a user or group being in ALLOWWEBCHANGE imply that it also has ALLOWWEBVIEW access.

If you really want some people to have edit only, but not view, access ---- well, ewe could come up with a way of representing that. But I have trouble imaging such a use.

-- Contributors: AndyGlew

Discussion

Very sadly, I have used topics where the user has write access and not view access - for logging purposes. It was decided that the edit & state log for the ISO system should not be public. So yeah, while not necessarily being hugely important, it meant that for that application, i didn't need to make a plugin, or resort to non-topic storage of info.

-- SvenDowideit - 14 Apr 2006

(Apparently the comment formatting is broken.)

Fine. So provide:

  • ALLOW_TOPIC_ACCESS_READONLY
  • ALLOW_TOPIC_ACCESS_READWRITE
  • ALLOW_TOPIC_ACCESS_WRITEONLY

and compute

  • reads_allowed = readonly + readwrite
  • writes_allowed = readwrite + writeonly

This is not a functionality issue. It's a user interface issue - for the user who is the admin setting up perms.

Or, equivalently, go to an access control list

My point is that the present system violates the OAOO rule - once and only once. The user must enter a group name in multiple lists.

Heck... I just realized that a plugin could be used to fix this.

-- AndyGlew - 14 Apr 2006

TWiki's access control is suboptimal because it is confusing.

I strongly recommend looking at Role Based Access Control.

It is simple to institute and simple to administer.

-- AntonAylward - 15 Apr 2006

Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r4 - 2006-04-15 - AntonAylward
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.