Question
In a protected web nobody can access attachments. The error is:
Access Denied
Attention
Access check on CcS.FireWalls failed.
Action "VIEW": access not allowed on web.
Contact twiki.support@cern.ch if you have any questions.
Related topics: TWikiGroups, TWikiAccessControl
I get this message even though I am the admin.
It appears that viewfile does not recognise the user.
Following the upgrade to 4.1.2 our workaround for accessing attachments on protected webs no longer works.
In Store.pm we previously commented out the following:
---
> # Debug hack to get around attachment viewing problem
> # if( $user &&
> # !$this->{session}->{security}->checkAccessPermission
> # ( 'view', $user, undef, undef, $topic, $web )) {
> # throw TWiki::AccessControlException(
> # 'VIEW', $user, $web, $topic,
> # $this->{session}->{security}->getReason());
> # }
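Review bot: commenting out the whole `if( $user && !...checkAccessPermission(...) )` block removes the only VIEW check visible in these lines, so the AccessControlException is never thrown and attachment reads through this code are no longer gated for any user, not only for those who should have access. The condition starts with `$user &&`, so the exception is thrown only when a user value is present and fails the check. Before disabling it, keep the check and log `$user`, `$web` and `$topic` just ahead of it to see which identity viewfile is actually passing in.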
I had originally asked the question under AuthenticationAttachments.
Does the paragraph "Controlling access to Attachments" in TWikiAccessControl still apply?
Has anyone else had similar problems with this in 4.1.2?
-- PeterJones - 03 May 2007
Answer
Correction
The above workaround still works, but the comments must be made in the subroutine readAttachment:
sub readAttachment {
    my ( $this, $user, $web, $topic, $attachment, $theRev ) = @_;
    ASSERT($this->isa('TWiki::Store')) if DEBUG;
    # Changes as for Dakar to allow viewfile on protected webs
    #if( $user &&
    #    !$this->{session}->{security}->checkAccessPermission
    #    ( 'view', $user, undef, undef, $topic, $web )) {
    #    throw TWiki::AccessControlException(
    #        'VIEW', $user, $web, $topic,
    #        $this->{session}->{security}->getReason());
    #}
    my $handler = $this->_getHandler( $web, $topic, $attachment );
    return $handler->getRevision( $theRev );
}
However, it would still be good to have a correct fix for this.
-- PeterJones - 04 May 2007
You don't say what sort of security setup you have (login manager, password manager). Nor what a "protected web" means. Is it a web nobody can view? In that case, viewfile is just doing its job.....
-- CrawfordCurrie - 14 May 2007
We have Kerberos authentication enabled. The protected webs are those with the access control variables like ALLOWWEBVIEW set in WebPreferences.
The problem occurs for those users that do have access including admin.
-- PeterJones - 14 May 2007
Sorry, closing this after more than 30 days...
-- PeterThoeny - 06 Jul 2007