
Question

Hi-

I've upgraded to the latest Beta from the December 2001 Release. I had set up my twiki so that some webs require authentication for viewing. The Main and the TWiki topics were viewable without authentication by leaving their 'Set ALLOWWEBVIEW =' preferences blank.

Now that the upgrade is finished and the old preferences have been merged, the Main and the TWiki webs require authentication. I have another web called 'RoBo' which has the same 'WebPreferences' as Main and TWiki, but it works fine (doesn't need authentication). I can view the page: Main/WebPreferences without problems so it doesn't seem to be a problem with the whole web, just the file 'WebHome'.

Whenever I direct my web browser to cgi-bin/view/Main/WebHome, the page bin/viewauth/Main/WebHome pops up, but bin/view/Main/{WebChanges, WebPreferences, etc} goes straight through with the 'view' script.

I'm pretty stuck here. Any suggestions? Thanks!

Environment

TWiki version: TWikiBetaRelease
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS:  
Web server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
Perl version: 5.6.1
Client OS:  
Web Browser:  

-- TWikiGuest - 17 May 2004

Answer

The recent Beta releases are more strict with access control. Previously you could include a protected topic into an open topic without access check, which is a security hole. Now it verifies who the user is before showing protected content. You get a forced authentication (by a redirect to viewauth) if you have a SiteMap in your Main web home that shows webs with access restrictions.

Workaround: In web preferences, Set SITEMAPLIST = on only for webs without access restrictions.

-- PeterThoeny - 18 May 2004

I've changed the above from Fix to Workaround as we're only addressing a symptom not providing a solution to the underlying cause. (I'd want a description for the site map in the event I did have access).

I'd also suggest that we need an AnsweredQuestionWithWorkaround SupportStatus - these can be then used later to help direct future developments.

-- MartinCleaver - 18 May 2004

Thanks for the workaround, the change to SITEMAPLIST does allow me to get to my Main (it does have a TWiki SiteMap) without authentication. Though the new Beta does not completely address the security hole since my restricted webs are still visible because I use:

Set WIKIWEBLIST = %WEBLIST{"[[$name.%HOMETOPIC%][$name]]" separator=" %SEP% "}%

for my header in TWikiPreferences.

-- TWikiGuest - 18 May 2004

This is not the case, WEBLIST does not list non-public webs, e.g. webs that have the NOSEARCHALL set.

-- PeterThoeny - 20 May 2004

I have the same problem, but setting "SITEMAPLIST = " to all webs doesn't solve the problem. Furthermore, I'm using Koalaskin and I have set all webs to HIDDEN. The funny thing is that everything worked fine at the beginning, and we have not done any upgrade to beta. We have the latest stable. Any further ideas? Thanks.

-- AlfredoRuiz - 23 Jun 2005
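
A check for the SITEMAPLIST workaround and the NOSEARCHALL remark in the answers above, as an added example that is not part of the original thread and is not TWiki's own code: it reads WebPreferences text and flags view-restricted webs that still have SITEMAPLIST on or that lack NOSEARCHALL. It assumes the usual "   * Set NAME = value" bullet syntax and the ALLOWWEBVIEW/DENYWEBVIEW settings; the function names and the sample webs are constructed for illustration.

```python
import re

# TWiki preference bullet: indent of three spaces (or a tab) per level,
# then "* Set NAME = value". An empty value means "not set".
SET_RE = re.compile(r"^(?:\t| {3})+\* Set (\w+) =[ \t]*(.*)$", re.MULTILINE)

VIEW_ACL = ("ALLOWWEBVIEW", "DENYWEBVIEW")

def parse_prefs(text):
    """Collect every value given for each preference name."""
    prefs = {}
    for name, value in SET_RE.findall(text):
        prefs.setdefault(name, []).append(value.strip())
    return prefs

def is_on(prefs, name):
    """True if any definition of the preference is 'on'."""
    return any(v.lower() == "on" for v in prefs.get(name, []))

def audit(webs):
    """webs maps web name -> WebPreferences text.
    Returns (web, finding) pairs for view-restricted webs only."""
    findings = []
    for web, text in sorted(webs.items()):
        prefs = parse_prefs(text)
        restricted = any(v for n in VIEW_ACL for v in prefs.get(n, []))
        if not restricted:
            continue
        if is_on(prefs, "SITEMAPLIST"):
            findings.append((web, "SITEMAPLIST on: site map forces viewauth"))
        if not is_on(prefs, "NOSEARCHALL"):
            findings.append((web, "NOSEARCHALL not set: web still in WEBLIST"))
    return findings

# Constructed sample preferences (hypothetical webs, not the poster's site).
SAMPLE = {
    "Main": "   * Set ALLOWWEBVIEW = \n   * Set SITEMAPLIST = on\n",
    "Private": "   * Set ALLOWWEBVIEW = Main.AdminGroup\n"
               "   * Set SITEMAPLIST = on\n   * Set NOSEARCHALL = \n",
    "Hidden": "   * Set DENYWEBVIEW = Main.TWikiGuest\n"
              "   * Set SITEMAPLIST = \n   * Set NOSEARCHALL = on\n",
}

if __name__ == "__main__":
    for web, finding in audit(SAMPLE):
        print(f"{web}: {finding}")
```

To run it against a real installation, build the `webs` mapping from each web's WebPreferences topic text instead of `SAMPLE`.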

Topic revision: r6 - 2005-06-23 - AlfredoRuiz
 
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.