
TWiki Security requires believable read/view access restrictions

According to TWikiAccessControl

  • Open, freeform editing is the essence of WikiCulture - what makes TWiki different and often more effective than other collaboration tools. For that reason, it is strongly recommended that decisions to restrict read or write access to a web or a topic are made with care - the more restrictions, the less Wiki in the mix. Experience shows that unrestricted write access works very well.

  • Technically it is possible to restrict read access to an individual topic based on DENYTOPICVIEW / ALLOWTOPICVIEW preferences variables, provided that the view script is authenticated. However this setup is not recommended since all content is searchable within a web - a search will turn up view restricted topics.

As TWiki focuses on use in corporate Intranets, I would like to recommend the team take a step back from pushing WikiCulture quite this strongly. On a corporate Intranet, corporate culture takes first place. Inside a company, many things are "Eyes Only" with various levels of confidentiality. Restricting read access to less than everyone in the company is assumed. Anything less is bad for business.

As JohnRouillard pointed out in ShouldNoViewImplyNoEdit (italics mine)

  • If I set ALLOWTOPICVIEW on a page, then only those people can view it. Nobody else is allowed to view it. However, anybody can still edit the page. Since you can view the page when you edit it, it makes the restriction somewhat less than useful.

This is more serious than making the ALLOWTOPICVIEW restriction "less than useful". This is a security hole.

Where I work, we are currently moving the Company TWiki into the limelight, from being a backwater plaything to a major tool of the Corporate Intranet. Yet, whenever I see statements that imply that Wiki security is suboptimal, e.g. "Technically it is possible to restrict read access... however... a search will turn up view restricted topics." I shudder to consider how well this will go over with executive management.

It's all very nice to say that Collaboration is the heart of Wiki but there are some things I'm just not supposed to read at work let alone be bumbling around and changing. And yes, you could say that Highly Confidential Information doesn't belong on a TWiki (but why not?) or on the Web at all (again, why not?). There are many levels and variations on "confidentiality".

If we're going to make TWiki feel acceptable to the "suits" as well as to the techies, we need to praise the Everybody Can Do Everything aspect a little less and focus on stronger access controls and read/write locking that isn't trivially bypassed by a search engine (or a misunderstanding in whether DENYVIEW implies DENYCHANGE).

(btw, I should mention that it's one of our techie techies who is currently asking to make certain pages readable only by group members).

-- VickiBrown - 02 Dec 2004

Semantically, DENYVIEW has to imply no change, as to change a page via edit implies viewing it.

In anticipation of agreement on this point I changed it in the DEVELOP branch (revision 3333) so that view access is required to edit. Note that this does not prevent a save, just an edit.

-- CrawfordCurrie - 03 Dec 2004

Just to note that I welcome this change - the current semantics in Cairo are confusing and impossible to justify.

My next concern would be that permissions are not handled in Store but in the CgiScripts. This means that Plugins are responsible for making their own checks, and as we know [1] [2], most don't. In fact, I would hazard that 90% of them don't (and those that do are likely to do so inconsistently). These two admit it because they are well-used enough to point out that this is the case.

-- MartinCleaver - 03 Dec 2004
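To make the semantics argued over in the posts above concrete, the following is an added illustration written for this page; it is not TWiki code and not from any of the posters. It models topic-level ALLOWTOPICVIEW / DENYTOPICVIEW evaluation (the matching ALLOWTOPICCHANGE / DENYTOPICCHANGE pair, the DENY-then-ALLOW evaluation order, the sample topics and the user and group names are assumptions of the model; web-level settings are left out). It shows three things: the Cairo behaviour where the edit script checks only CHANGE, the DEVELOP behaviour where edit additionally requires VIEW but save still does not, and a store-level guard where read, write and search all go through one check so that neither a CGI script nor a plugin can skip it.

```python
"""Constructed model of the view/change semantics discussed on this page.

Added illustration only: not TWiki code. The CHANGE preference pair, the
evaluation order and all sample data are assumptions of this model.
"""
from dataclasses import dataclass, field


@dataclass
class Topic:
    name: str
    text: str
    prefs: dict = field(default_factory=dict)  # e.g. {"ALLOWTOPICVIEW": {"ExecGroup"}}


def permitted(user, groups, topic, mode):
    """Evaluate one mode ("VIEW" or "CHANGE") for a topic.

    Assumed rule: a DENY match wins; otherwise, if an ALLOW list is present,
    the user or one of the user's groups must be in it; otherwise access is open.
    """
    principals = {user} | set(groups)
    if principals & topic.prefs.get(f"DENYTOPIC{mode}", set()):
        return False
    allow = topic.prefs.get(f"ALLOWTOPIC{mode}", set())
    return not allow or bool(principals & allow)


# Cairo-style: the edit script checks only CHANGE, so a view-restricted but
# change-open topic can still be opened in the editor (the point quoted above).
def cairo_can_edit(user, groups, topic):
    return permitted(user, groups, topic, "CHANGE")


# DEVELOP-style as described for revision 3333: edit also requires VIEW, but
# save is a separate script that still checks only CHANGE.
def develop_can_edit(user, groups, topic):
    return permitted(user, groups, topic, "VIEW") and permitted(user, groups, topic, "CHANGE")


def develop_can_save(user, groups, topic):
    return permitted(user, groups, topic, "CHANGE")


class AccessDenied(Exception):
    pass


class GuardedStore:
    """Store-level enforcement: read, write and search share one check, so a
    script or plugin that forgets to check still cannot bypass it."""

    def __init__(self, topics):
        self._topics = {t.name: t for t in topics}

    def read(self, user, groups, name):
        t = self._topics[name]
        if not permitted(user, groups, t, "VIEW"):
            raise AccessDenied(f"{user} may not view {name}")
        return t.text

    def write(self, user, groups, name, text):
        t = self._topics[name]
        # Writing implies reading: the editor shows the current text and a save
        # overwrites it, so CHANGE is granted only together with VIEW.
        if not (permitted(user, groups, t, "VIEW") and permitted(user, groups, t, "CHANGE")):
            raise AccessDenied(f"{user} may not change {name}")
        t.text = text

    def search(self, user, groups, needle):
        # Applying the view check here keeps restricted topics out of results.
        return sorted(n for n, t in self._topics.items()
                      if needle in t.text and permitted(user, groups, t, "VIEW"))


def scenario():
    """Constructed sample: one topic viewable only by ExecGroup, change unrestricted."""
    minutes = Topic("BoardMinutes", "merger discussed", {"ALLOWTOPICVIEW": {"ExecGroup"}})
    store = GuardedStore([minutes, Topic("WebHome", "welcome")])
    techie, tgroups = "TechUser", {"TechGroup"}
    exec_user, egroups = "ExecUser", {"ExecGroup"}
    result = {
        "cairo_edit": cairo_can_edit(techie, tgroups, minutes),      # True: the hole
        "develop_edit": develop_can_edit(techie, tgroups, minutes),  # False: closed by rev 3333
        "develop_save": develop_can_save(techie, tgroups, minutes),  # True: save still open
        "exec_search": store.search(exec_user, egroups, "merger"),   # ['BoardMinutes']
        "techie_search": store.search(techie, tgroups, "merger"),    # []
    }
    try:
        store.write(techie, tgroups, "BoardMinutes", "overwritten")
        result["store_write"] = "allowed"
    except AccessDenied:
        result["store_write"] = "denied"
    return result


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The `scenario()` results line up with the thread: under the Cairo rule the tech user can open the restricted topic in the editor; under the DEVELOP rule edit is refused but a direct save is still accepted; with the check moved into the store both the write and the search are refused for that user, which is the property the last post asks for.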

TopicClassification TWikiDeployment
TopicSummary Security, access control, and presenting TWiki to the Corporate Intranet world in a positive secure fashion


Topic revision: r3 - 2004-12-03 - MartinCleaver