
Question

I'm trying to get access control set up, following the "Authenticate all Webs and Restrict Selected Webs" example in TWikiAccessControl. When I open up a page it prompts for a password, and fails if I don't authenticate. I have a web I created called LTSA, and in LTSA.WebPreferences I put my username in the existing ALLOWWEBVIEW setting, like so:

   * Users or groups who are not / are allowed to view / change / rename topics in the LTSA web: (See TWikiAccessControl)
      * Set DENYWEBVIEW = 
      * Set ALLOWWEBVIEW = Main.DanielMundy

Now the problem is, once a user has authenticated, they can access the LTSA web. It doesn't even seem to matter if I add e.g. Main.FredBob to DENYWEBVIEW, he can still view the LTSA web.

Is there something I have to do to make TWiki check my access control settings for a web? I have read through the documentation so many times and can't see what I've missed out.

I copied the latest version of testenv from cvs, and the output can be found at http://linuxterminal.com/twiki/bin/testenv

Also attached is my lib/TWiki.cfg: http://twiki.org/p/pub/Support/AccessControlSettingsDontTakeEffect/TWiki.cfg

I will gladly provide any more information that is needed.

  • TWiki version: from readme.txt, "Version: 01 Feb 2003"
  • Perl version: v5.6.0 built for i386-linux
  • Web server & version: apache-1.3.27-1.7.2
  • Server OS: Redhat Linux 7.3
  • Web browser & version: mozilla 1.3, IE 5.0
  • Client OS: Redhat Linux 7.3, Windows 98

-- DanielMundy - 12 Jun 2003

Answer

Is the user authenticated in view? See details in TWikiUserAuthentication.

-- PeterThoeny - 14 Jun 2003

I think so. It does ask me for a password when I try to access any page of the wiki, as I have the following lines in /var/www/html/twiki/bin/.htaccess:

<Files "view">
       require valid-user
</Files>

-- DanielMundy - 16 Jun 2003

Are you and Main.FredBob in the TWikiAdminGroup on your site? Admins can view all content regardless of the settings.

Regards, Peter

-- PeterThoeny - 16 Jun 2003

Aaah! Thanks Peter, that was the problem.

One other thing though, when I take out view from .htaccess, so that only viewauth is authenticated, unauthenticated users can reach the page, even with

Set ALLOWWEBVIEW = Main.DanielMundy

E.g., it doesn't ask for authentication when I access http://linuxterminal.com/twiki/bin/view/LTSA/WebHome, but it does ask when I access http://linuxterminal.com/twiki/bin/viewauth/LTSA/WebHome. I was just wondering, at which point (if it works how I understand) does view redirect you to viewauth? Is there a configuration option I'm missing to enable this or something?

-- DanielMundy - 16 Jun 2003

You need to set the remember flag in TWiki.cfg. See details in TWikiUserAuthentication.

-- PeterThoeny - 18 Jun 2003

I don't understand how this would affect my situation. (btw, I did already have the remember flag set (if you are indeed talking about the $doRememberRemoteUser flag in TWiki.cfg)). From my understanding, remember simply means that you only have to login once, as for all subsequent logins you are remembered by your IP.

When I type in the address, if I type bin/view it doesn't ask for a password, and if I use bin/viewauth, it does. This seems too easy for someone to bypass the security.

-- DanielMundy - 23 Jun 2003

Heh, I just noticed that because remember was set, even when I closed/reopened Mozilla to test (assuming that since Mozilla didn't ask me to authenticate, I was now guest), I was really logged in as my own user (which has admin rights).

Thanks for your patience :)

-- DanielMundy - 24 Jun 2003
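
The admin bypass that resolved this thread, as an added example that is not part of the original posts or TWiki's own code: a simplified Python model of the web-level view check (admin group first, then DENYWEBVIEW, then ALLOWWEBVIEW). The function names, the group table and the sample preference lines are constructed for illustration, and TWikiGuest stands in for an unauthenticated visitor.

```python
import re

# Matches TWiki preference bullets such as "      * Set ALLOWWEBVIEW = Main.DanielMundy"
SETTING = re.compile(r"^(?:\t| {3})+\* Set (\w+)\s*=\s*(.*)$")

def parse_prefs(text):
    """Return {NAME: [WikiName, ...]}, dropping any 'Main.' web prefix."""
    prefs = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            names = (n.strip() for n in m.group(2).split(","))
            prefs[m.group(1)] = [n.split(".")[-1] for n in names if n]
    return prefs

def in_list(user, names, groups):
    """True if user is listed directly or via a (possibly nested) group."""
    seen, stack = set(), list(names)
    while stack:
        name = stack.pop()
        if name == user:
            return True
        if name in groups and name not in seen:
            seen.add(name)
            stack.extend(groups[name])
    return False

def can_view_web(user, prefs, groups):
    """Simplified web-level check: admin bypass, then deny list, then allow list."""
    if in_list(user, ["TWikiAdminGroup"], groups):
        return True, "admin bypass"
    if in_list(user, prefs.get("DENYWEBVIEW", []), groups):
        return False, "DENYWEBVIEW"
    allow = prefs.get("ALLOWWEBVIEW", [])
    if allow and not in_list(user, allow, groups):
        return False, "not in ALLOWWEBVIEW"
    return True, "permitted"

# Constructed sample data modelled on the thread (not taken from the attached files)
LTSA_PREFS = parse_prefs(
    "      * Set DENYWEBVIEW = Main.FredBob\n"
    "      * Set ALLOWWEBVIEW = Main.DanielMundy\n"
)
ADMINS_BEFORE = {"TWikiAdminGroup": ["DanielMundy", "FredBob"]}
ADMINS_AFTER = {"TWikiAdminGroup": ["DanielMundy"]}

if __name__ == "__main__":
    for groups in (ADMINS_BEFORE, ADMINS_AFTER):
        for user in ("DanielMundy", "FredBob", "TWikiGuest"):
            print(user, can_view_web(user, LTSA_PREFS, groups))
```

When auditing a restricted web, test with an account that is not in TWikiAdminGroup; an admin account will pass regardless of the deny and allow lists.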

Topic attachments
  • .htaccess.txt (1.6 K, 16 Jun 2003 - 00:55, DanielMundy)
  • TWiki.cfg (20.8 K, 12 Jun 2003 - 06:10, DanielMundy)
  • htaccess (1.6 K, 16 Jun 2003 - 01:01, DanielMundy)
Topic revision: r8 - 24 Jun 2003 - 02:39:44 - DanielMundy
 