Bug: ALLOWTOPICVIEW Broken
ALLOWTOPICVIEW is not working.
Test case
Set up a user who is denied viewing of a web. Add them to ALLOWTOPICVIEW for a topic in the web. Try to view the topic.
Environment
--
AdamMorton - 07 Oct 2005
Impact and Available Solutions
Follow up
I'm not really up on the innards of TWiki, but what I found was that Access::checkAccessPermission was being called via Store::readTopic (line 103) in UI::View, and then called again at line 250. However, at 250, the $text that was being passed in for $theTopicText was already HTMLified, and thus would not match the regex at line 132:
if( /^\s+\*\sSet\s(ALLOWTOPIC|DENYTOPIC)$theAccessType\s*\=\s*(.*)/ ) {
This seems to be part of the issue reported in ViewScriptPartiallyIgnoresTopicPermissions -- I can't quite figure out what the status of that issue is.
--
AdamMorton - 07 Oct 2005
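The mismatch described in the follow-up above, as an added example that is not part of the original report or of TWiki's code: the regex quoted there is applied to constructed raw topic text and to a constructed, assumed HTML rendering of the same bullets. The raw text yields both topic-level settings and the rendered text yields none, so a DENYTOPIC setting is missed in the same way as an ALLOWTOPIC one. `extract_topic_acl`, the sample user names and the shape of the rendered HTML are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Apply the regex quoted in the report line by line and collect the
# topic-level settings it finds.
# extract_topic_acl is a hypothetical helper, not TWiki's own function.
sub extract_topic_acl {
    my ( $text, $theAccessType ) = @_;
    my %acl;
    foreach ( split /\n/, $text ) {
        if ( /^\s+\*\sSet\s(ALLOWTOPIC|DENYTOPIC)$theAccessType\s*\=\s*(.*)/ ) {
            $acl{"$1$theAccessType"} = $2;
        }
    }
    return \%acl;
}

# Constructed sample: raw topic text as stored (bullet syntax).
my $raw = <<'EOT';
---+ Project notes
   * Set ALLOWTOPICVIEW = Main.SomeUser
   * Set DENYTOPICVIEW = Main.OtherUser
EOT

# Constructed sample: the same bullets after HTML rendering (assumed shape).
my $rendered = <<'EOT';
<h1>Project notes</h1>
<ul>
<li> Set ALLOWTOPICVIEW = Main.SomeUser</li>
<li> Set DENYTOPICVIEW = Main.OtherUser</li>
</ul>
EOT

# Run the same extraction over both forms and report what was found.
for my $case ( [ raw => $raw ], [ rendered => $rendered ] ) {
    my ( $label, $text ) = @$case;
    my $acl   = extract_topic_acl( $text, 'VIEW' );
    my @found = map { "$_=$acl->{$_}" } sort keys %$acl;
    printf "%-8s: %s\n", $label,
        @found ? join( ', ', @found ) : 'no topic-level settings found';
}
```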
Fix record
To fix this, I had to not pass in $text at View.pm line 250:
@@ -247,7 +247,7 @@
$tmpl =~ s/( ?) *<\/?(nop|noautolink)\/?>\n?/$1/gois; # remove <nop> tags (PTh 06 Nov 2000)
# check access permission
- my $viewAccessOK = &TWiki::Access::checkAccessPermission( "view", $wikiUserName, $text, $topic, $webName );
+ my $viewAccessOK = &TWiki::Access::checkAccessPermission( "view", $wikiUserName, undef, $topic, $webName );
if( (!$topicExists) || $TWiki::readTopicPermissionFailed ) {
# Can't read requested topic and/or included (or other accessed topics
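Review bot: the replaced call now passes a bare undef as the third argument with nothing nearby saying why, so a later cleanup could easily put $text back and reintroduce the bug. Extend the "# check access permission" comment to state that $text has already been rendered at this point and must not be used for permission parsing. Per the description, undef also makes checkAccessPermission read the topic from the store a second time on every view; if the raw text from the earlier read is still available in this scope, passing that instead would avoid the extra read and keep the check tied to the same text that was loaded for display.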
This makes checkAccessPermission re-read in the original topic text at line 124.
Not sure if this is the right fix, but it seems to work for me!
--
AdamMorton - 07 Oct 2005
Discussion