
Question

Good Day!

I've installed TWiki for my group and it's taken off like wildfire. I am now in the process of setting up authentication (more for traceability of edits than security) and it is not acting as expected. First let me tell you a little bit about our setup.

  1. It was installed using a non-root account so the twiki/bin is separate from everything else.
  2. We have .htaccess set at the top of the doc tree to block outside users from accessing the site.
  3. It's set up as a virtual host using Apache on Linux.
  4. The bin CGIs are suffixed with .cgi

Now, in the twiki/bin/.htaccess file we have at the bottom of the file the lines...

<Files "*">
       allow from all
</Files>

With the .htaccess file set this way it doesn't prompt for a username/password when you edit the file. If it's changed to this...

<Files "view.cgi">
       allow from all
</Files>

It does prompt for a username/password.

What's even odder is that once logged in the variable %WIKINAME% still shows as TWikiGuest. But if you edit a page and then save changes the log shows the correct TWiki name.


Can anyone explain this behavior?
Thanks
JonOwen

  • TWiki version:
  • Perl version:
  • Web server & version:
  • Server OS:
  • Web browser & version:
  • Client OS:

-- JonOwen - 30 Jan 2003

Answer

This is mostly an Apache configuration issue. To learn the config directives, check out their docs - http://www.apache.org

Your first block matches everything and "allow from all" is applied for every file in the directory. Your second block disables the default directory behavior by setting "allow from all" for just the one file specified. Obviously, your directory's default behavior (either from the httpd.conf or the higher up .htaccess) is setting "require valid-user".

The reason why you are not seeing the correct %WIKINAME% on the view script in the second case is because you are not telling Apache to mandate authorization anymore. Therefore, no HTTP authorization headers are requested and passed on to the TWiki scripts. TWiki defaults to the user TWikiGuest in this case. So, to make TWiki work this way, you have to tell TWiki to remember you on subsequent view requests ($rememberUser in config file) after you become authorized to use any other scripts.

Apache can actually be configured to optionally give the authorization headers to scripts, but TWiki is not expecting this configuration. It is probably better to follow TWiki's directions for this circumstance as documented: TWikiUserAuthentication

For the adventurous, here's how to allow optional authorization generically in Apache:

SetEnvIf Authorization "^$" anon
<Files "FileNameInQuestion">
    satisfy any
    require valid-user
    Order Deny,Allow
    Deny from all
    Allow from env=anon
</Files>

Just don't come crying here if TWiki can't handle it. :-) You need to do it TWiki's way if you expect TWiki to remember the %WIKINAME% without a "require valid-user" on the view script.

-- TomKagan - 31 Jan 2003
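
The decision the optional-authorization snippet in the answer above produces, written out as a small Python model (an added example, not part of the original thread and not Apache or TWiki code). It assumes the pre-2.4 Order/Allow/Deny/Satisfy semantics (provided by mod_access_compat in Apache 2.4); the USERS table, the password and the function names are constructed for illustration.

```python
import base64

# Constructed credential store standing in for the htpasswd file.
USERS = {"JonOwen": "s3cret"}

def basic(user, password):
    """Build a Basic Authorization header value (helper for the samples)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Return (user, password) from a Basic header, or None if malformed."""
    try:
        scheme, blob = header.split(None, 1)
        if scheme.lower() != "basic":
            return None
        decoded = base64.b64decode(blob, validate=True).decode()
        user, _, password = decoded.partition(":")
        return user, password
    except (ValueError, UnicodeDecodeError):
        return None

def decide(headers):
    """Model the snippet; return (HTTP status, REMOTE_USER or None)."""
    auth = headers.get("Authorization", "")
    # SetEnvIf Authorization "^$" anon: set when the header is absent or empty.
    anon = auth == ""
    # Order Deny,Allow + Deny from all + Allow from env=anon:
    # the host-based check passes only when "anon" is set.
    if anon:
        # Satisfy any: the host check passed, so the auth phase is skipped
        # and the CGI never receives REMOTE_USER.
        return 200, None
    # Host check failed, so "require valid-user" has to be met instead.
    creds = parse_basic(auth)
    if creds and USERS.get(creds[0]) == creds[1]:
        return 200, creds[0]
    return 401, None

def wikiname(remote_user):
    """Fallback described in the answer: no authenticated user -> TWikiGuest."""
    return remote_user or "TWikiGuest"

if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": basic("JonOwen", "s3cret")},
                 {"Authorization": basic("JonOwen", "wrong")}):
        status, user = decide(hdrs)
        print(status, wikiname(user))
```

A request that sends a wrong or malformed Authorization header gets a 401 rather than silently falling back to the guest identity; only a request with no header at all is served as TWikiGuest.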

Topic revision: r3 - 2003-02-08 - PeterThoeny