
Bug: Invalid ALLOWWEBVIEW

If you set one of the ALLOW preferences (e.g. ALLOWWEBVIEW) to a group that has no members, then TWiki treats that as if there were no ALLOWWEBVIEW property -- i.e. all users are allowed access. To me this seems surprising and wrong; I would expect all access to the topic to be denied for all users in this case.

This bug is also in the Debian BTS. The behavior has changed in recent versions; ALLOWTOPICVIEW = Main.AnInvalidUser no longer allows access to the world, but ALLOWTOPICVIEW = Main.AnEmptyGroup and ALLOWTOPICVIEW = AnInvalidGroup still do.

Test case

Set ALLOWTOPICVIEW = Main.AnInvalidGroup in a random topic, and watch as all users can still view the topic.

Patch

I've included a patch against the 01Feb2003 release, which is tested and has been working. I've also included a patch against the DEVELOP head, which I don't even know to be free of syntax errors.

Environment

TWiki version: TWikiRelease01Feb2003
TWiki plugins:  
Server OS: Debian 3.0
Web server:  
Perl version:  
Client OS:  
Web Browser:  

-- AndrewMoise - 22 Nov 2004

Follow up

This also applies to the situation where the permissions of a Group topic are set to restrict non-group members from viewing it ... secret groups if you will. Basically, allowList was coming back empty due to permissions. Anyway, I made a simple three line change in Access.pm to allow for this scenario and it's working great.

    if( $allowOrDeny eq "DENYTOPIC" ) {
        @denyList = @tmpList;
    } elsif( @tmpList == 0 ) {
        # ALLOW setting is present but expanded to no users: deny access
        return 0;
    } else {
        @allowList = @tmpList;
    }

I haven't thought this all the way through yet, nor have I fully understood the changes contained within the patches attached to this topic. So, let me know if this is the same issue or if I need to submit another bug report.

-- RobKirk - 01 Jan 2005
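The fail-open behaviour reported above and the fail-closed check both posts ask for, side by side, as an added example that is not part of either post and is not TWiki's Access.pm. The group table, the user names, the helper names and the rule that any entry ending in "Group" is a group are all assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added illustration, not TWiki code. All names and group data are constructed.
use strict;
use warnings;

# Constructed membership table: one populated group and one empty group.
my %groups = (
    'Main.EngineeringGroup' => [ 'Main.AliceExample', 'Main.BobExample' ],
    'Main.AnEmptyGroup'     => [],
);

# Expand an ALLOW value into user names. Assumption: entries ending in
# "Group" are groups; an unknown group expands to nothing.
sub expand_allow {
    my ($value) = @_;
    my @users;
    for my $entry ( split /\s*,\s*/, $value ) {
        if ( $entry =~ /Group$/ ) {
            push @users, @{ $groups{$entry} || [] };
        } else {
            push @users, $entry;
        }
    }
    return @users;
}

# Fail-open: an empty expanded list looks the same as "no ALLOW setting".
sub may_view_fail_open {
    my ( $user, $allow ) = @_;
    my @list = defined $allow ? expand_allow($allow) : ();
    return 1 unless @list;
    return scalar grep { $_ eq $user } @list;
}

# Fail-closed: only a missing setting means the topic is unrestricted.
sub may_view_fail_closed {
    my ( $user, $allow ) = @_;
    return 1 unless defined $allow;
    my @list = expand_allow($allow);
    return 0 unless @list;
    return scalar grep { $_ eq $user } @list;
}

# A user who is in no group, checked against four ALLOWTOPICVIEW values.
for my $allow ( undef, 'Main.EngineeringGroup', 'Main.AnEmptyGroup', 'Main.AnInvalidGroup' ) {
    printf "%-24s fail-open=%d fail-closed=%d\n",
        defined $allow ? $allow : '(not set)',
        may_view_fail_open( 'Main.CarolExample', $allow ),
        may_view_fail_closed( 'Main.CarolExample', $allow );
}
```

The two functions agree on every row except the empty and the invalid group, which is where the reported behaviour and the expected behaviour diverge.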

Fix record

Patch for DEVELOP was almost perfect. When I wrote the testcase for the bug it showed up another undetected bug in View.pm - thanks Andrew!

Checked in to DEVELOP svn rev 3265. testcase is ViewDEVELOP:TestCases/TestCaseEmptyGroupTreatedAsNoGroup.

-- CrawfordCurrie - 22 Nov 2004

Topic attachments
empty-ALLOWWEBVIEW-01Feb2003.patch (r1, 0.9 K, 2004-11-22 - 01:16, AndrewMoise): Patch fixing 01Feb2003 version (tested)
empty-ALLOWWEBVIEW-DEVELOP.patch (r1, 2.1 K, 2004-11-22 - 01:16, AndrewMoise): Patch fixing DEVELOP (not tested at all, even slightly)
Topic revision: r4 - 2005-01-01 - RobKirk