Question
How to set aside an area with the same egalitarian qualities as TWiki but with very strict read permissions? We made a web with sensitive information viewable (using Set ALLOWWEBVIEW) only by a certain group, but the problem we were having was that unauthenticated users would have no way of getting into the web: they would always be denied. If they tried to do anything secured through htaccess, like edit a page, they would be properly authenticated and subsequently let into the web; but you don't want to tell someone that in order to get into a certain part of the website, you'd have to edit a document first.
- TWiki version: Sept. 2001
- Web server: Apache 1.3
- Server OS: Linux RH 7.1
- Web browser: Any
- Client OS: Any
--
RickOliver - 10 Jun 2002
Answer
The first thing we tried was setting up separate htaccess restrictions in the web directory (i.e. ../twiki/data/Fooweb/.htaccess) until I realized that the webserver never reads files from that directory (Perl does). The next option was to add "view" to the directives in the ../twiki/bin/.htaccess file, but that would force everyone to log in just to view a page, including new users. Not acceptable.
Finally we came up with an extremely simple solution: symlink the "view" file in the ../twiki/bin/ directory to a file called "secureview" and then add that to the access directives in ../twiki/bin/.htaccess. So now when I have a read-restricted topic that requires authentication, I pass a URL with secureview in it, like so: /twiki/bin/secureview/Main/SecretFoo.
But what stops the user from changing the URL to /twiki/bin/view/Main/SecretFoo and accessing the page anyway?
--
JohnRouillard - 21 Dec 2001
The WebPreferences are set up with Set ALLOWWEBVIEW to a group of my choosing. So if you go to the vanilla bin/view version you'll get an automatic view access denied if:
- you're not logged in (hence the need to force an authentication)
- you are logged in and you don't have access (which is a good thing)
This solution leaves a dirty taste in my mouth but it works. The only drawback is the hundreds of annoying emails from people saying that they can't view topics (because they didn't use my authentication link).
--
RickOliver - 10 Jun 2002
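The setup described in the posts above, written out as an added example that is not part of the original thread: a twiki/bin/.htaccess for Apache 1.3 that puts the symlinked "secureview" name behind Basic auth while leaving "view" open. The paths, AuthUserFile and the exact script list are assumptions; the same .htaccess entry is what a viewauth script relies on.

```apache
# Added example (not from the thread). Assumed layout: /path/to/twiki/bin
# holds the CGI scripts and /path/to/twiki/data/.htpasswd the user file.
#
# Create the second entry point first (plain symlink, no copy of the code):
#   cd /path/to/twiki/bin && ln -s view secureview
# Apache only executes a symlinked CGI when the directory allows it
# (Options FollowSymLinks, or SymLinksIfOwnerMatch); without that the
# request fails with "Symbolic link not allowed" before TWiki runs.

AuthType Basic
AuthName "TWiki"
AuthUserFile /path/to/twiki/data/.htpasswd

# Before: only the modifying scripts asked for a login. An anonymous request
# to /twiki/bin/view/Main/SecretFoo ran as guest, failed the ALLOWWEBVIEW
# check in WebPreferences and was denied with no chance to authenticate.
#<FilesMatch "^(edit|save|attach|upload|rename)$">
#    require valid-user
#</FilesMatch>

# After: "secureview" is listed too, so /twiki/bin/secureview/Main/SecretFoo
# forces the browser to log in; the script then sees the real user name and
# the ALLOWWEBVIEW check can succeed. "view" stays unprotected on purpose:
# guests still read public webs, and a read-restricted web is still denied
# to them by ALLOWWEBVIEW, not by this file.
<FilesMatch "^(edit|save|attach|upload|rename|secureview)$">
    require valid-user
</FilesMatch>
```

Anyone who rewrites the URL back to /twiki/bin/view/... is still evaluated as guest against ALLOWWEBVIEW, which is why the plain view URL does not leak the restricted topic.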
TWiki will transparently redirect from the view script to an authenticated viewauth script in case it exists and the user is not logged in. Read the details in TWiki.TWikiAccessControl.
--
PeterThoeny - 11 Jun 2002
First I was not able to find that "redirecting" to a viewauth script paragraph in TWiki.TWikiAccessControl ... But finally, I found it: check in "Authenticate and Restricting Selected Webs Only" (TWiki.TWikiAccessControl#Authenticate_and_Restricting_Sel), and eventually search for "viewauth" in the page if that failed.
--
OlivierBerger - 21 Feb 2003