
Question

Have I set up access control incorrectly? Some scripts operate normally and others do not. See the symptoms below:


symptom one

When I try to view the differences between two versions of a topic (say, FooBar) in the Main web, I get the following response:

You do not have permission to view topic Main.FooBar

However, I am able to view differences in the TWiki web...


symptom two

When a new user registers (say, NewUser), the TWikiUsers topic gets ruined and I no longer have permission to view it. Instead, the contents on the server's hard disk of Main/TWikiUsers.txt in its entirety are as follows:

%META:TOPICINFO{author="NewUser" date="1098203746" format="1.0" version="1.23"}% No permission to read topic Main.TWikiUsers  - perhaps you need to log in?

The following used to be in the topic but I deleted it entirely: Set ALLOWTOPICCHANGE = TWikiAdminGroup ... Should I put it back?

I realized that the newly registered user definitely does not have permission to view anything in the Main web (because of my access control) and this includes Main.TWikiUsers. But why does this error message get written to Main/TWikiUsers.txt? Shouldn't it leave the file alone and reject the user?


symptom three

When viewing http://me.freeshell.org/twiki/bin/changes/Main the following appears in the left side-bar:

No permission to read topic WebLeftBar - perhaps you need to log in?

However, http://me.freeshell.org/twiki/bin/viewauth.cgi/Main/WebLeftBar loads normally.


So far, I have tried to restrict access to everything except registration since I really only intend to have 15 specific users.

Other scripts seem to operate normally such as viewing, editing.

Background

I recently installed TWiki 10sep2004 on freeshell.org and had some trouble getting the scripts to execute.

Currently most of them seem to work and the twiki/bin directory looks like this:

  drwxr-x---  2 me  nobody   1536 Oct 19 18:48 .
  drwxr-x---  7 me  nobody    512 Oct 19 14:42 ..
  -rwxr-x---  1 me  nobody   1315 Oct 16 23:55 .htaccess
  -rwxr-xr-x  1 me  nobody   1477 Oct 18 21:19 attach.cgi
  -rwxr-xr-x  1 me  nobody   1739 Oct 18 21:21 changes.cgi
  -rwxr-xr-x  1 me  nobody   2012 Oct 18 21:21 edit.cgi
  -rwxr-xr-x  1 me  nobody   1896 Oct 18 21:21 geturl.cgi
  -rwxr-xr-x  1 me  nobody   6707 Oct 18 21:21 installpasswd.cgi
  -rwxr-xr-x  1 me  nobody   7331 Oct 18 21:21 mailnotify.cgi
  -rwxr-xr-x  1 me  nobody   3575 Oct 18 21:21 manage.cgi
  -rwxr-xr-x  1 me  nobody   1466 Oct 18 21:21 oops.cgi
  -rwxr-xr-x  1 me  nobody   4080 Oct 18 21:21 passwd.cgi
  -rwxr-xr-x  1 me  nobody   1524 Oct 18 21:21 preview.cgi
  -rwxr-xr-x  1 me  nobody   1508 Oct 18 21:21 rdiff.cgi
  -rwxr-xr-x  1 me  nobody   1508 Oct 18 21:21 rdiffauth.cgi
  -rwxr-xr-x  1 me  nobody   7653 Oct 18 21:21 register.cgi
  -rwxr-xr-x  1 me  nobody   1792 Oct 18 21:22 rename.cgi
  -rwxr-xr-x  1 me  nobody   1672 Oct 18 21:22 save.cgi
  -rwxr-xr-x  1 me  nobody   1746 Oct 18 21:22 search.cgi
  -rwxr-x---  1 me  nobody   2379 Oct 18 21:15 setlib.cfg
  -rwxr-xr-x  1 me  nobody   2614 Oct 18 21:22 statistics.cgi
  -rwxr-xr-x  1 me  nobody  40161 Oct 18 21:22 testenv.cgi
  -rwxr-xr-x  1 me  nobody   1496 Oct 18 21:22 upload.cgi
  -rwxr-xr-x  1 me  nobody   1707 Oct 18 21:22 view.cgi
  -rwxr-xr-x  1 me  nobody   1707 Oct 18 21:22 viewauth.cgi
  -rwxr-xr-x  1 me  nobody   1456 Oct 18 21:22 viewfile.cgi


And the .htaccess file is now:

# The first path here must be a URL path, not a file pathname
Redirect /index.html http://me.freeshell.org/twiki/bin/view

# The path here must be a file pathname, not a URL - first part should match
# the $dataDir setting in TWiki.cfg
AuthUserFile /www/me/m/me/twiki/data/.htpasswd
AuthName ByPassword
AuthType Basic

# No changes necessary to this line unless you are using mod_perl
# SetHandler cgi-script

# The path here must be a URL path, not a file pathname - first part should
# match the $scriptUrlPath in TWiki.cfg
ErrorDocument 401 /twiki/bin/oops/TWiki/TWikiRegistration?template=oopsauth

<Files ~ "[^/]*\.html$">
       SetHandler blabla
       allow from all
</Files>

<Files "viewauth.cgi">
       require valid-user
</Files>

<Files "edit.cgi">
       require valid-user
</Files>

<Files "preview.cgi">
       require valid-user
</Files>

<Files "save.cgi">
       require valid-user
</Files>

<Files "attach.cgi">
       require valid-user
</Files>

<Files "upload.cgi">
       require valid-user
</Files>

<Files "rename.cgi">
       require valid-user
</Files>

<Files "rdiffauth.cgi">
       require valid-user
</Files>

<Files "manage.cgi">
       require valid-user
</Files>

<Files "installpasswd.cgi">
       require valid-user
</Files>

<Files "*">
       allow from all
</Files>


I have the following groups:

  • MyUserGroup
    • Members: Main.MemberMe, Main.MemberYou
    • where ALLOWTOPICCHANGE is Main.TWikiAdminGroup
  • NobodyGroup
    • Members:
  • TWikiAdminGroup
    • Members: MemberMe
    • where ALLOWTOPICCHANGE is TWikiAdminGroup
    • the tag Main is not used in the definition of this group. Is that okay?

I am MemberMe.


Main.WebPreferences has the following set ... (I replaced "=" with "..." in this question to make sure variables are not set by it.):

      * Set DENYWEBVIEW ... 
      * Set ALLOWWEBVIEW ... %MAINWEB%.MyUserGroup, %MAINWEB%.TWikiAdminGroup
      * Set DENYWEBCHANGE ... 
      * Set ALLOWWEBCHANGE ... %MAINWEB%.MyUserGroup, %MAINWEB%.TWikiAdminGroup
      * Set DENYWEBRENAME ... 
      * Set ALLOWWEBRENAME ... %MAINWEB%.MyUserGroup, %MAINWEB%.TWikiAdminGroup
   * Users or groups allowed to change or rename this WebPreferences topic: (I.e. TWikiAdminGroup)
      * Set ALLOWTOPICCHANGE ... 
      * Set ALLOWTOPICRENAME ... %MAINWEB%.TWikiAdminGroup


I did something crazy (stupid?) to get the Calendar Plug-in to work. Apparently it requires perl5.8 (as described by CalendarPluginUndefinedSubroutine) and I didn't want to ask freeshell.org to upgrade. So I downloaded perl5.8 and compiled it in a tmp directory and then installed it in a subdirectory under my home directory. And then I edited twiki/bin/setlib.cfg (below). The calendar works like a charm, but in the output for testenv, I don't see the two CPAN modules I had to install as prerequisites!

# TWiki Collaboration Platform, http://TWiki.org/
#
# Copyright (C) 2002-2004 Peter Thoeny, peter@thoeny.com
#
# For licensing info read license.txt file in the TWiki root.
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details, published at
# http://www.gnu.org/copyleft/gpl.html
#
# setlib.cfg: configuration file for TWiki and Perl library paths
#
# Used to configure non-standard locations for TWiki and Perl modules.


# -------------- Only needed to work around an Apache 2.0 bug on Unix
#
#    If you are running TWiki on Apache 2.0 on Unix you might experience cgi
#    scripts to hang forever. This is a known Apache 2.0 bug. A fix is
#    available at http://issues.apache.org/bugzilla/show_bug.cgi?id=%2022030.
#    It is recommended to patch your Apache installation.
#
#    As a workaround, uncomment one of the following two lines. (As a drawback,
#    errors will not be reported anymore to the browser via CGI::Carp)

# open(STDERR, ">>/dev/null");         # throw away cgi script errors, or
# open(STDERR, ">>/tmp/error.log");    # redirect errors to a log file of choice


# -------------- Change these settings if required

#    Path to lib directory containing TWiki.pm.
#    ATTENTION: Set to absolute file path:
$twikiLibPath = '/www/me/m/me/twiki/lib';


#    Path to local Perl modules (e.g. under home directory for users
#    without 'root' on Unix/Linux). Uncomment and set if needed:
# $localPerlLibPath = '/www/me/m/me/twiki/lib';

# per http://twiki.org/cgi-bin/view/Codev/CpanPerlModulesRequirement
@localPerlLibPath = qw(
/arpa/me/m/me/perl/lib/site_perl/5.8.5/alpha-netbsd
/arpa/me/m/me/perl/lib/site_perl/5.8.5
/arpa/me/m/me/perl/lib/site_perl
);

# -------------- Don't change anything below this line

# Prepend to @INC, the Perl search path for modules
unshift @INC, $twikiLibPath;
unshift @INC, @localPerlLibPath if @localPerlLibPath;

1;                              # Return success for module loading


So you may be wondering what my path is for perl. According to testenv...

Perl version:   5.8.5

@INC library path:   

/arpa/me/m/me/perl/lib/site_perl/5.8.5/alpha-netbsd
/arpa/me/m/me/perl/lib/site_perl/5.8.5
/arpa/me/m/me/perl/lib/site_perl
/www/me/m/me/twiki/lib
/arpa/me/m/me/perl/lib/5.8.5/alpha-netbsd
/arpa/me/m/me/perl/lib/5.8.5
/arpa/me/m/me/perl/lib/site_perl/5.8.5/alpha-netbsd
/arpa/me/m/me/perl/lib/site_perl/5.8.5
/arpa/me/m/me/perl/lib/site_perl

User: me
Note: Your CGI scripts are executing as this user

Environment

TWiki version: TWikiRelease01Sep2004
TWiki plugins: CalendarPlugin
Server OS: Unix (netbsd)
Web server: Apache/1.3.29 (Unix)
Perl version: 5.8.5
Client OS: Windows XP
Web Browser: Firefox 0.9.3

-- TWikiGuest - 19 Oct 2004

Answer

for symptom ONE of three

I AM DUMB! Apparently this was missing from my .htaccess file. Duh.

<Files "rdiff.cgi">
       require valid-user
</Files>

However, doing the same for changes.cgi does not help symptom three.

for symptom two

...?

for symptom three

...?

-- TWikiGuest - 19 Oct 2004

So many questions; it is better to ask one question per support request.

For authentication, in your case it is easier and safer to require a valid user for the whole TWiki bin directory.

CalendarPlugin should work with older Perl if you replace all occurrences of our with my in CalendarPlugin.pm.

-- PeterThoeny - 20 Oct 2004

Sorry, I had three symptoms which seemed to be all related to access control and possibly had one solution for all I knew. The calendar was only mentioned here because it affected where Perl was installed.

In order to implement your suggestion, would the .htaccess file look like this?

Redirect /index.html http://me.freeshell.org/twiki/bin/view

AuthUserFile /www/me/m/me/twiki/data/.htpasswd
AuthName ByPassword
AuthType Basic

ErrorDocument 401 /twiki/bin/oops/TWiki/TWikiRegistration?template=oopsauth

<Files ~ "[^/]*\.html$">
       SetHandler blabla
       allow from all
</Files>

<Files "*">
       require valid-user
</Files>

-- TWikiGuest - 29 Oct 2004
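
An added example (not part of the thread and not TWiki code): a small Python audit listing the bin scripts that no `<Files>` section with a `require` line covers, run against condensed reconstructions of the question's .htaccess and of the whole-directory variant in the last post. It assumes a simplified model in which a script counts as protected when any matching `<Files>` section contains `require`; `Satisfy`, `<Limit>` and server-level configuration are not modelled, and all function and constant names are made up for this example.

```python
import fnmatch
import re

# Script names taken from the bin listing in the question.
SCRIPTS = [n + ".cgi" for n in (
    "attach changes edit geturl installpasswd mailnotify manage oops passwd "
    "preview rdiff rdiffauth register rename save search statistics testenv "
    "upload view viewauth viewfile").split()]

# Names whose <Files> section carries "require valid-user" in the question.
LISTED = ("viewauth edit preview save attach upload rename rdiffauth "
          "manage installpasswd").split()

# Condensed reconstructions of the two .htaccess variants (auth header omitted).
HTML = '<Files ~ "[^/]*\\.html$">\n  SetHandler blabla\n  allow from all\n</Files>\n'
ORIGINAL = HTML + "".join(
    f'<Files "{n}.cgi">\n  require valid-user\n</Files>\n' for n in LISTED
) + '<Files "*">\n  allow from all\n</Files>\n'
PROPOSED = HTML + '<Files "*">\n  require valid-user\n</Files>\n'

SECTION = re.compile(r'<Files\s+(~\s*)?"([^"]+)"\s*>(.*?)</Files>', re.S | re.I)
REQUIRE = re.compile(r'^\s*require\s+\S', re.M | re.I)


def sections(htaccess):
    """Yield (matches(name), has_require) for each <Files> section."""
    for is_regex, pattern, body in SECTION.findall(htaccess):
        if is_regex:   # <Files ~ "..."> takes a regular expression
            rx = re.compile(pattern)
            matches = lambda name, rx=rx: rx.search(name) is not None
        else:          # plain <Files "..."> takes a shell-style wildcard
            matches = lambda name, p=pattern: fnmatch.fnmatchcase(name, p)
        yield matches, REQUIRE.search(body) is not None


def unauthenticated(htaccess, scripts=SCRIPTS):
    """Scripts that no <Files> section containing 'require' matches."""
    secs = list(sections(htaccess))
    return sorted(s for s in scripts
                  if not any(req and matches(s) for matches, req in secs))


if __name__ == "__main__":
    print("original:", ", ".join(unauthenticated(ORIGINAL)))
    print("proposed:", ", ".join(unauthenticated(PROPOSED)) or "(none)")
```

Against the question's configuration this reports twelve scripts, rdiff.cgi and changes.cgi among them; against the whole-directory variant it reports none, so register.cgi and oops.cgi are then covered as well.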

Topic revision: r5 - 2004-12-04 - PeterThoeny
 