Question
Hi-
I've upgraded to the latest Beta from the December 2001 Release. I had set up my twiki so that some webs require authentication for viewing. The Main and the TWiki topics were viewable without authentication by leaving their 'Set ALLOWWEBVIEW =' preferences blank.
Now that the upgrade is finished and the old preferences have been merged, the Main and the TWiki webs require authentication. I have another web called 'RoBo' which has the same 'WebPreferences' as Main and TWiki, but it works fine (doesn't need authentication). I can view the page: Main/WebPreferences without problems so it doesn't seem to be a problem with the whole web, just the file 'WebHome'.
Whenever I direct my web browser to cgi-bin/view/Main/WebHome, the page bin/viewauth/Main/WebHome pops up, but bin/view/Main/{WebChanges, WebPreferences, etc} goes straight through with the 'view' script.
I'm pretty stuck here. Any suggestions?
Thanks!
Environment
--
TWikiGuest - 17 May 2004
Answer
The recent Beta releases are more strict with access control. Previously you could include a protected topic into an open topic without access check, which is a security hole. Now it verifies who the user is before showing protected content. You get a forced authentication (by a redirect to viewauth) if you have a SiteMap in your Main web home that shows webs with access restrictions.
Workaround: In web preferences,
Set SITEMAPLIST = on
only for webs without access restrictions.
--
PeterThoeny - 18 May 2004
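A simplified model of the behaviour described in the answer above, added here as an example; it is not TWiki's own code and not part of any post in this thread. It contrasts rendering that checks only the requested topic with rendering that checks every included topic, which is what forces the viewauth redirect for a guest. The web names, users, topic text and function names are constructed assumptions.

```python
import re

# Constructed sample data (assumption): per-web allow lists in the spirit of
# ALLOWWEBVIEW. An empty list means the web is open, as in the question.
WEB_ALLOW = {"Main": set(), "Secret": {"AliceAdmin"}}
TOPICS = {
    ("Main", "WebHome"): 'Welcome. %INCLUDE{"Secret.WebHome"}%',
    ("Main", "WebChanges"): "Recent changes in Main.",
    ("Secret", "WebHome"): "Restricted project notes.",
}
INCLUDE = re.compile(r'%INCLUDE\{"(\w+)\.(\w+)"\}%')
GUEST = "TWikiGuest"


class AuthRequired(Exception):
    """Guest hit protected content: corresponds to the redirect to viewauth."""


class AccessDenied(Exception):
    """Authenticated user is not on the web's allow list."""


def check_view(user, web):
    allow = WEB_ALLOW[web]
    if allow and user not in allow:
        raise AuthRequired(web) if user == GUEST else AccessDenied(web)


def render_unchecked(user, web, topic):
    """Older behaviour: only the requested topic is access-checked."""
    check_view(user, web)
    return INCLUDE.sub(lambda m: TOPICS[(m[1], m[2])], TOPICS[(web, topic)])


def render_checked(user, web, topic, depth=0):
    """Stricter behaviour: each included topic gets its own access check."""
    if depth > 8:  # guard against include loops
        raise RecursionError("include nesting too deep")
    check_view(user, web)
    return INCLUDE.sub(
        lambda m: render_checked(user, m[1], m[2], depth + 1),
        TOPICS[(web, topic)],
    )
```

In this model Main/WebChanges renders for a guest while Main/WebHome raises `AuthRequired`, matching the symptom in the question: only the topic that pulls in restricted content triggers authentication.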
I've changed the above from Fix to Workaround as we're only addressing a symptom not providing a solution to the underlying cause. (I'd want a description for the site map in the event I did have access).
I'd also suggest that we need an AnsweredQuestionWithWorkaround SupportStatus - these can be then used later to help direct future developments.
--
MartinCleaver - 18 May 2004
Thanks for the workaround, the change to SITEMAPLIST does allow me to get to my Main (it does have a TWiki SiteMap) without authentication. Though the new Beta does not completely address the security hole since my restricted webs are still visible because I use:
Set WIKIWEBLIST = %WEBLIST{"[[$name.%HOMETOPIC%][$name]]" separator=" %SEP% "}%
for my header in TWikiPreferences.
--
TWikiGuest - 18 May 2004
This is not the case; WEBLIST does not list non-public webs, e.g. webs that have NOSEARCHALL set.
--
PeterThoeny - 20 May 2004
I have the same problem, but setting "SITEMAPLIST = " to all webs doesn't solve the problem. Furthermore, I'm using Koalaskin and I have set all webs to HIDDEN. The funny thing is that everything worked fine at the beginning, and we have not done any upgrade to beta. We have the latest stable. Any further ideas? Thanks.
--
AlfredoRuiz - 23 Jun 2005