Feature Proposal: Empty DENY Setting Means Undefined Setting

Motivation

An empty DENYWEBCHANGE, DENY... setting currently means that nothing is denied, i.e. access is granted. This is counter-intuitive.

Description and Documentation

Change the spec like this:

  • An empty DENY... setting is the same as a nonexistent setting, i.e. it gets ignored.

The TWikiAccessControl#EvaluatingAllowDeny topic documents this in the "How TWiki evaluates ALLOW/DENY settings" section:

When deciding whether to grant access, TWiki evaluates the following rules in order (read from the top of the list; if the logic arrives at PERMITTED or DENIED that applies immediately and no more rules are applied). You need to read the rules bearing in mind that VIEW, CHANGE and RENAME access may be granted/denied separately.

  1. If the user is an administrator
    • access is PERMITTED.
  2. If DENYTOPIC is set to a list of wikinames
    • people in the list will be DENIED.
  3. If DENYTOPIC is set to empty (i.e. Set DENYTOPIC = )
    • access is PERMITTED, i.e. no-one is denied access to this topic.
      Attention: Use this with caution. This is deprecated and will likely change in the next release.
  4. If ALLOWTOPIC is set
    1. people in the list are PERMITTED
    2. everyone else is DENIED
  5. etc...

The third ordered bullet is changed as follows:

  • If DENYTOPIC has an empty value, i.e. * Set DENYTOPIC =
    • the access control setting is ignored.
      Attention: The spec changed in TWiki-6.0; access was permitted in earlier TWiki releases.
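
The effect of the changed third rule, as an added example (not TWiki's code and not part of the proposal): it models rules 1 to 4 above in Python and evaluates the same settings under the old and the new rule. The function names, the sample wikinames, the comma/space list parsing and the treatment of an empty ALLOWTOPIC as "not set" are assumptions.

```python
import re

PERMITTED, DENIED = "PERMITTED", "DENIED"

def parse_names(value):
    """Split a setting value into wikinames (comma/space separated: an assumption)."""
    return [n for n in re.split(r"[,\s]+", value.strip()) if n]

def evaluate_topic_rules(user, is_admin, settings, empty_deny_permits):
    """Apply rules 1-4 in order; the first PERMITTED/DENIED result wins.

    settings: topic-level settings. A missing key means "not set";
              a key holding "" means "set to empty" (* Set DENYTOPIC = ).
    empty_deny_permits: True = old rule 3, False = changed rule 3.
    Returns None when rules 1-4 do not decide; the later rules ("etc...")
    are not listed on the page and are not modelled here.
    """
    if is_admin:                                   # rule 1
        return PERMITTED
    deny = settings.get("DENYTOPIC")
    if deny is not None:
        denied = parse_names(deny)
        if denied:                                 # rule 2: list of wikinames
            if user in denied:
                return DENIED
        elif empty_deny_permits:                   # old rule 3: empty permits
            return PERMITTED
        # changed rule 3: the empty setting is ignored, evaluation continues
    allowed = parse_names(settings.get("ALLOWTOPIC", ""))
    if allowed:                                    # rule 4 (empty ALLOWTOPIC
        return PERMITTED if user in allowed else DENIED  # skipped: assumption)
    return None

def compare(user, settings, is_admin=False):
    """Return (result under old rule 3, result under changed rule 3)."""
    return (evaluate_topic_rules(user, is_admin, settings, True),
            evaluate_topic_rules(user, is_admin, settings, False))

if __name__ == "__main__":
    # Constructed sample: empty DENYTOPIC next to a restrictive ALLOWTOPIC.
    topic = {"DENYTOPIC": "", "ALLOWTOPIC": "AliceSmith"}
    for who in ("AliceSmith", "BobJones"):
        old, new = compare(who, topic)
        print(f"{who}: old={old} new={new}")
```

With these constructed settings, BobJones is PERMITTED under the old rule because the empty DENYTOPIC ends evaluation before ALLOWTOPIC is consulted, and DENIED under the changed rule.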

Examples

Impact

Implementation

-- Contributors: Hideyo Imazu - 2013-08-29

Discussion

This was discussed and accepted as a feature by the release meeting in JerusalemReleaseMeeting2013x08x29.

-- Peter Thoeny - 2013-08-29

I suspect empty DENYTOPIC* meaning everybody is allowed is for a situation where you want to allow an operation on the topic to everybody while the operation is restricted at the web level. As of now, that cannot be achieved by ALLOWTOPIC* since there is no group having all users.

I'm fine with the change, but should we introduce such a special group? I've found the AllUsersGroup proposal and resurrected it.

-- Hideyo Imazu - 2013-09-02

Good catch on need to open up topic where web is restricted.

-- Peter Thoeny - 2013-09-02

This spec change is on the safe side, e.g. access is more restricted than before.

-- Peter Thoeny - 2013-09-02

Topic revision: r7 - 2013-09-19 - PeterThoeny
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.