
Question

How to set aside an area with the same egalitarian qualities as TWiki but with very strict read permissions? We made a web with sensitive information viewable (using Set ALLOWWEBVIEW) only by a certain group, but the problem we were having was that un-authenticated users would have no way of getting into the web: they would always be denied. If they tried to do anything secured through htaccess, like edit a page, they would be properly authenticated and subsequently let into the web; but you don't want to tell someone that in order to get into a certain part of the website, you'd have to edit a document first.

  • TWiki version: Sept. 2001
  • Web server: Apache 1.3
  • Server OS: Linux RH 7.1
  • Web browser: Any
  • Client OS: Any

-- RickOliver - 10 Jun 2002

Answer

The first thing we tried was setting up separate htaccess restrictions in the web directory (i.e. ../twiki/data/Fooweb/.htaccess) until I realized that the webserver never reads files from that directory (Perl does). The next option was to add "view" to the directives in the ../twiki/bin/.htaccess file, but that would force everyone to log in just to view a page, including new users... not acceptable.

Finally we came up with an extremely simple solution: symlink the "view" file in the ../twiki/bin/ directory to a file called "secureview" and then add that to the access directives in ../twiki/bin/.htaccess. So now when I have a read-restricted topic that requires authentication, I pass a URL with secureview in it, like so: /twiki/bin/secureview/Main/SecretFoo.


But what stops the user from changing the URL to:

/twiki/bin/view/Main/SecretFoo

and accessing the page anyway?

-- JohnRouillard - 21 Dec 2001


The WebPreferences are set up with Set ALLOWWEBVIEW to a group of my choosing. So if you go to the vanilla bin/view version you'll get an automatic view access denied if:

  • you're not logged in (hence the need to force an authentication)
  • you are logged in and you don't have access (which is a good thing)

This solution leaves a dirty taste in my mouth but it works. The only drawback is the hundreds of annoying emails from people saying that they can't view topics (because they didn't use my authentication link).

-- RickOliver - 10 Jun 2002

TWiki will transparently redirect from the view script to an authenticated viewauth script in case it exists and the user is not logged in. Read the details in TWiki.TWikiAccessControl.

-- PeterThoeny - 11 Jun 2002

First I was not able to find that "redirecting" to a viewauth script paragraph in TWiki.TWikiAccessControl :-( ... But finally, I found it: check in "Authenticate and Restricting Selected Webs Only" (TWiki.TWikiAccessControl#Authenticate_and_Restricting_Sel), and eventually search for "viewauth" in the page if that failed.

-- OlivierBerger - 21 Feb 2003
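
The symlink-plus-.htaccess setup described in the answer above, written out as an added shell example that is not part of the original thread or of TWiki itself. The function names are hypothetical, and it assumes bin/.htaccess already carries the AuthType/AuthUserFile lines used for "edit" and that Apache is allowed to follow symlinks in the bin directory.

```shell
#!/bin/sh
# Added example: expose TWiki's "view" script under a second name that
# Apache protects with "require valid-user". The plain "view" stays open;
# ALLOWWEBVIEW is still what denies unauthenticated readers there.

# protect_view BIN_DIR ALIAS   (hypothetical helper)
#   BIN_DIR: the twiki/bin directory (contains "view" and ".htaccess")
#   ALIAS:   authenticated script name, e.g. secureview or viewauth
protect_view() {
    bin_dir=$1
    alias_name=$2
    htaccess="$bin_dir/.htaccess"

    # Accept only a plain script name so nothing odd lands in .htaccess.
    case $alias_name in
        ''|*[!A-Za-z0-9_]*) echo "bad alias: $alias_name" >&2; return 2 ;;
    esac
    [ -f "$bin_dir/view" ] || { echo "no view script in $bin_dir" >&2; return 1; }

    # Relative symlink, so the alias always runs the same code as "view".
    # Apache needs Options FollowSymLinks (or SymLinksIfOwnerMatch) for this.
    if [ ! -L "$bin_dir/$alias_name" ]; then
        if [ -e "$bin_dir/$alias_name" ]; then
            echo "$alias_name exists and is not a symlink" >&2
            return 1
        fi
        ln -s view "$bin_dir/$alias_name" || return 1
    fi

    # Append the access directive once; re-running must not duplicate it.
    if ! grep -qF "<Files \"$alias_name\">" "$htaccess" 2>/dev/null; then
        printf '<Files "%s">\n    require valid-user\n</Files>\n' \
            "$alias_name" >> "$htaccess"
    fi
}

# is_protected BIN_DIR SCRIPT: succeeds if .htaccess has a <Files> block
# for SCRIPT. Useful as a post-deployment check.
is_protected() {
    grep -qF "<Files \"$2\">" "$1/.htaccess" 2>/dev/null
}
```

Called as `protect_view /path/to/twiki/bin secureview`, it yields the /twiki/bin/secureview/... URLs from the answer; `is_protected` on `view` should keep failing, since the thread's design leaves that script unauthenticated.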

Topic revision: r5 - 2003-02-21 - TWikiGuest
 