Feature Proposal: Adding Access control on Form Fields

Motivation

A few work-flow kind of Application require access restrictions on the fields/meta data of the applications. A few attributes of the Application needs to be moderated.

Description and Documentation

Let us consider the example of ticketing system. The ticketing system is based on form with fields:

• Subject
• Issue (text)
• Status -open, close

Define the restriction on "Status" field. Not every user can modify the "Status". Give change rights to "Managers" Group. In this case - Only Managers should be able to modify the status of the ticket while rest fields can be modified by any user.

I think this can be achieved if we modify the current definition of TWikiForms. Add one more attribute to the forms called "Restrictions"

| *Name* | *Type* | *Size* | *Values* | *Tooltip message* | *Attributes* | *Restriction* |
| Status | select | 1 | Open, Close, Confirmed | blah blah... | | ManagerGroup, HariSadu |

In this case - Any body can modify the other fields but "Status" will be modified by members of ManagerGroup and HariSadu user.

Examples

Impact

Implementation

-- Contributors: SopanShewale - 2010-01-14

Discussion

This might be a bit of overkill, complicating the spec of TWiki for a smaller use case need.

You can achieve this by using form fields of type label, which can't easily be changed. To change the values, create a separate access controlled page that has an HTML form; on submit it pushes those values into the the label fields of the form in another page. This is not hard access control (a savvy user could edit a page and append the proper name=value to change a label field), but may be secure enough in many cases because of the TWiki audit trail.

-- PeterThoeny - 2010-01-15