Question
I'm experimenting with a closed TWiki using SSL and basic authentication. It's going well but I just stumbled across a problem. I want to deny all access to the Main web for everybody (except administrators), except that the user may view and change their own page. This is how I tried to do it:
- Changes to Main/WebPreferences
* Set ALLOWWEBVIEW = Main.TWikiAdminGroup
* Set ALLOWWEBCHANGE = Main.TWikiAdminGroup
* Set ALLOWWEBRENAME = Main.TWikiAdminGroup
* Set FINALPREFERENCES = WEBTOPICLIST
- Changes to Main/JohnnyTest
* Set ALLOWTOPICVIEW = Main.JohnnyTest
* Set ALLOWTOPICCHANGE = Main.JohnnyTest
* Set ALLOWTOPICRENAME = Main.TWikiAdminGroup
Unfortunately JohnnyTest never gets to view his own page as intended. Anybody know why not? TWikiAccessControl suggests that the topic access rules should override the web access rules, or?
- TWiki version: Beijing release
- Perl version: 5.6.1
- Web server & version: Apache something-or-other
- Server OS: Linux
- Web browser & version: IE 6
- Client OS: WinXP
--
SimonHardyFrancis - 13 May 2003
I had a very quick look in the sources and found this potentially worrying comment in Access.pm:
sub checkAccessPermission
{
...
# Different Web to current one, but we assume read access to twiki and main webs to
# save frequent loading of these preferences
...
}
--
SimonHardyFrancis - 14 May 2003
Answer
The root of the problem is the evil effect of in-band access control. To see the access control, the topic has to be readable.
See my discussions of this in
Despite Peter's personal e-mail to me when I brought to his attention that Simon had locked out some key pages with his experimentation, this IS about the evils of in-band access control.
If the Web level access prevents you reading the topic level access ... you get the situation Simon describes.
Think of a file system. I can stat(2) a file and find that it is -rw------- so I can't read it. But I can see why I can't read it.
Mind you, I think Simon is wrong to apply web level lock out to the Main web.
What is needed is something like a control that prevents people altering the access control.
My solution is slightly different. I've re-written the templates so that the %MAINWEB%.username automatically has a setting so it's not editable, and a link to the "Home" web - "Home.UserName". That is only editable by the user. If the user doesn't want to fill in any information there, so be it.

This also loosens up the "home page" concept to what many users would expect.
--
AntonAylward - 15 May 2003
Excellent idea, Anton, to have "User" web for system-owned user info, and "Home" web for user's homepages. I'll steal it into Codev.BetterDefaults.
--
PeterMasiar - 16 May 2003
The problem here isn't whether inline access control is good or bad - this would happen with the current permissions method no matter where the access controls are stored. The root of the problem here is the resolution order, and whether defaults can or cannot be overridden.
TWiki's access control follows norms that access control can only become tighter rather than looser the deeper, or more specific into a tree you get. It doesn't supply any access control for anything other than read/write however - which is the problem here. In terms of granularity you have the following:
- Access to any web
- Access to a specific web
- Access to a specific topic
- You could then argue access to a specific revision
The access controls of the higher levels apply to the lower levels.
The root cause of this problem here is it doesn't allow for the concept of "access to check permissions" - it just supports read and write. The requirement indicated above is simple to achieve under Unix - you allow execute access to the container directory only, and then make the user pages read/write only by the user. This effectively implements the access to check permissions.
drwxr-xr-x 3 root root 54 2003-06-02 01:54 foo
drwx--x--x 3 root root 58 2003-06-02 01:55 foo/bla
drwx------ 2 jbloggs root 35 2003-06-02 01:55 foo/bla/jbloggs
No matter where the access control information is hidden (in topics, databases, where-ever) this is a policy matter not a technology matter.
If you work on the assumption however that what is really wanted is for home pages to default to read/write only by the user, then simply setting
By default
when the topic is created you achieve your goal - user pages are private to the user.
--
TWikiGuest - 02 Jun 2003
First of all thanks for all the responses!
After doing my best to digest the info then I tend to agree with TWikiGuest that this is a policy matter.
What I want is to have a "farm" of closed webs, each containing confidential information.
A registered user would only have permission to access (e.g.) one web and isn't interested in having their name "advertised" across the whole TWiki.
Ideally such registered users should only have access to their own home page, or maybe only those home pages belonging to other users of their web.
Thus my attempt to configure access for JohnnyTest so that access is disabled to the complete Main web except for his own home page.
Two example applications for such a "farm" of closed webs are:
- collaboration webs for confidential (multiple) client / service-provider (multiple) projects: a sort of inter-company "intranet" for particular projects
- school webs: schools don't like the idea of open webs because they like to guard their reputation, and parents don't like the idea of open webs because of fears of "advertising" information about their children on the internet
I notice that other people have achieved similar results by running several TWiki installations in parallel. Perhaps they did this for similar reasons but I have found no evidence to suggest this.
--
SimonHardyFrancis - 02 Jun 2003
I see your point(s). Based on this I think there's a good case for allowing access to check permissions. I'm not sure how to implement this at the moment, but it strikes me as an important feature.
About all I can suggest as a workaround is to modify your NewUserTemplate, and include the following lines:
- Set ALLOWTOPICVIEW = %MAINWEB%.%WIKIUSERNAME%
- Set ALLOWTOPICCHANGE = %MAINWEB%.%WIKIUSERNAME%
- Set ALLOWTOPICRENAME = %MAINWEB%.TWikiAdminGroup
Leave the Main web open to view, but add access controls like this to the remainder of the pages so that they can't be read. At the moment that's AFAICT the closest you can come to what you want without multiple installations.
I'll log your need as a FeatureEnhancementRequest.
--
TWikiGuest - 11 Jun 2003
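A small Python model of the resolution order this thread describes, added here as an illustration (it is not TWiki's Access.pm; the group table, the AdminUser and OtherUser names, and the preference text are constructed). The web-level rule is checked first and, because the topic-level rule lives inside the topic, it is only reached when the web rule already lets the user read. Running it reproduces both Simon's lockout and TWikiGuest's workaround.

```python
import re
from typing import Dict, Optional, Set

# Simplified model of in-band access control as the thread describes it:
# the web-level ALLOWWEBVIEW rule is evaluated first, and the ALLOWTOPICVIEW
# rule inside the topic is only consulted once the topic is readable.
# Not TWiki's own code; the group membership table below is constructed.
SET_RE = re.compile(r"^\s*\*\s*Set\s+(\w+)\s*=\s*(.*?)\s*$", re.MULTILINE)
GROUPS: Dict[str, Set[str]] = {"Main.TWikiAdminGroup": {"Main.AdminUser"}}


def parse_settings(text: str) -> Dict[str, Set[str]]:
    """Extract '   * Set NAME = a, b' preference lines into {NAME: {a, b}}."""
    return {name: {v.strip() for v in value.split(",") if v.strip()}
            for name, value in SET_RE.findall(text)}


def allowed_by(rule: Optional[Set[str]], user: str) -> bool:
    """A missing or empty ALLOW rule is open; otherwise the user must be
    listed directly or belong to a listed group."""
    if not rule:
        return True
    return user in rule or any(user in GROUPS.get(g, set()) for g in rule)


def can_view(web_prefs: str, topic_text: str, user: str) -> bool:
    """Web rule first; a web-level denial makes the topic (and the ACL it
    carries) unreadable, so the topic rule never gets a chance to apply."""
    web = parse_settings(web_prefs)
    if not allowed_by(web.get("ALLOWWEBVIEW"), user):
        return False
    topic = parse_settings(topic_text)
    return allowed_by(topic.get("ALLOWTOPICVIEW"), user)


# Simon's configuration: Main web closed to everyone but the admin group.
SIMON_WEB = """   * Set ALLOWWEBVIEW = Main.TWikiAdminGroup
   * Set ALLOWWEBCHANGE = Main.TWikiAdminGroup"""
# JohnnyTest's topic: view and change restricted to himself.
JOHNNY_TOPIC = """   * Set ALLOWTOPICVIEW = Main.JohnnyTest
   * Set ALLOWTOPICCHANGE = Main.JohnnyTest"""
# TWikiGuest's workaround: leave the web open, restrict each home page.
OPEN_WEB = ""

if __name__ == "__main__":
    print("Simon's setup, JohnnyTest:", can_view(SIMON_WEB, JOHNNY_TOPIC, "Main.JohnnyTest"))
    print("Workaround, JohnnyTest:  ", can_view(OPEN_WEB, JOHNNY_TOPIC, "Main.JohnnyTest"))
    print("Workaround, OtherUser:   ", can_view(OPEN_WEB, JOHNNY_TOPIC, "Main.OtherUser"))
```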