Tags:
create new tag
view all tags

Question

Hi!

I've browsed the TWiki:Support for this, but haven't found the answer. Sorry if this has been asked before.

We'd like to put our team-internal TWiki public within the company. "Public" means, everyone is allowed to read things, but only the team members are allowed to write. Read access ( view) should be granted to all without password (they are allowed to view anything - if there's a way to restrict that securely, fine :-)). So far, so good, this is well documented. But there are some things which I didn't manage to resolve:

  1. There's the nasty "improper use of the save script thing when I just authenticated myself. Going back in the browser and trying again works. This has been discussed in other topics on this web. Although I haven't seen a solution that would apply to my setup.
  2. Somehow, Apples SAFARI Browser always asks for a password. Try http://problemlos.ch/ with Safari ...
  3. I would like to hide the "Edit" and "Attach" Stuff if the user is in Read-Only mode (not authenticated). I am using the PatternSkin. Is there an easy way to do that? I'll need to hack the templates if I see that correctly ...

Any hints appreciated. Hiding Controls is actually a nice-to-have, but it would help with the first points - I'd have to add a "login" button which everyone has to click in order to even see the control links.

Thanks a lot in advance

André Bonhôte (happy TWiki user)

Environment

TWiki version: TWikiRelease01Sep2004
TWiki plugins: Not relevant
Server OS: Solaris 8
Web server: Apache 1.3.31, non-SSL, but could be set to SSL if needed.
Perl version: 5.4.8
Client OS: Windows, Linux, FreeBSD, Mac OS X, Solaris
Web Browser: uh ... from lynx to Firefox

-- AndreBonhote - 14 Oct 2004

Answer

You would need to hack the templates, and I imagine you would want an button.

This all rather goes against the TWiki model, where everyone is invited to edit, but only certain people are allowed.

One question: you say the "improper" problem arises just after you authenticated yourself. Is this the use case:

  1. Unauthenticated user clicks edit
  2. Enter login details
  3. Get redierected to improper use message
?

-- CrawfordCurrie - 14 Oct 2004

Hi Crawford

Thanks for your response. About hacking the template: Yeah, that's what I thought. I need to find the right doc on that ...

Your question: Yeah, that's exactly the case where it doesn't work. When I view the page first using viewauth and edit it afterwards, it works fine. Have to check it again, though.

Cheers

PS: Shall I put the SupportStatus to "AskedQuestions" again?

-- AndreBonhote - 14 Oct 2004

Hide edit for not authenticated users: Use some SpreadSheetPlugin magic to hide Edit and Attach for TWikiGuests:

  • Write: %CALC{$IF($EXACT(%WIKINAME%,TWikiGuest),,[[%SCRIPTURL%/edit%SCRIPTSUFFIX%/%WEB%/%TOPIC%?t=%SERVERTIME{$year$mo$day$hour$min$sec}%][Edit]])}%
  • Renders as:

Put that in the skin where the Edit link is. For the PatternSkin, replace %EDITTOPIC% in view.pattern.tmpl. Do a similar thing for the Attach link.

(Yes, reopen a question if needed)

-- PeterThoeny - 15 Oct 2004

This is excellent! I have never used the SpreadSheetPlugin, maybe I'd have seen this possibilty myself.

Thanks a lot! I'll try it like that. Hope the "improper use" thing doesn't appear anymore smile

Cheers

André (even happier TWiki user smile )

-- AndreBonhote - 15 Oct 2004

Note for future readers. WebControlTopBar and WebControlBottomBar have been proposed (see PatternSkinDev). If these get implemented you will not need to hack the templates.

-- MartinCleaver - 15 Oct 2004

Hi again!

Another one popped up. I have now something like this in my view.pattern.tmpl: 

%CALC{$IF($EXACT(%WIKINAME%,guest),<a href="%SCRIPTURL%/viewauth%SCRIPTSUFFIX%/%WEB%/%TOPIC%">Log in</a>,%EDITTOPIC%)}%

This looks fine so far, I click on the login-button and voilà, the "EDIT" appears. But, Alas!, when I continue browsing (with view instead of viewauth), the login link reappears. User is only authenticated within viewauth.

Apache problem?

Adding this (after logging in) helps: 

<Files "view">
       require valid-user
</Files>

But of course, this will ask for a password again and does not solve the problem at all ...

In addition to this, the problem with "Improper use of the save script" and "Empty topic not allowed" reappeared.

frown

What now?

TIA

André

-- AndreBonhote - 19 Oct 2004

You need session tracking so that the user is known also in the not authenticated view script. Use a session Plugin or enable the $doRememberRemoteUser flag in TWiki.cfg

-- PeterThoeny - 20 Oct 2004

There have not been posts in this for 5 years. Is it considered "solved"? Where is the solution.

I am running TWiki 4.2. I'd rather not upgrade because it is very time-consuming to modify all of the settings and pages to make the pages 'cleaner' and 'more secure'. My TWiki site has been attacked by some script kiddies. I had forgotten to deny edit power to TWikiGuest in one web and, well, that web is all filled up with crud now. They keep at it with hundreds of hits per hour and the server administrator disabled TWiki until I can figure out what's going on and stop it.

Part of my solution is to eliminate as many links as possible from the template and topic pages, so robot programs don't overwhelm the server. I am eliminating the bottom action buttons entirely, and search, and through trial and error, I've learned I can modify WebLeftBarLogin to show only "Log In" for TwikiGuest and for logged in users it shows "Edit" and "More Actions". The syntax is very difficult to master, I think.

I am interested to know if this causes any trouble in your view. By taking this approach, I am exposing one link on my page, instead of the many links exposed by default to TWikiGuest. I tried to achieve the same by editing the topicactions templage, but I could never get it to work.

For the search links, I need something to stop robots from wasting time. Does TWiki have a security addon like "match the text in this image" (with a small image of squiggly letters) for non-authenticated users?

I'm pasting this in from the "raw text" output in the more topics display. 

%STARTINCLUDE%
---

%IF{"context authenticated" then='%MAKETEXT{"Hello [_1]" args="[[%WIKIUSERNAME%][%SPACEOUT{%WIKINAME%}%]]"}%'}%

%IF{"$ LOGOUT != ''" then='%BR%<ul><li class="patternLogOut">%LOGOUT%</l><li><a href="%SCRIPTURL%/edit.pl/%WEB%/%BASETOPIC%">EDIT</a></li><li><a href="%SCRIPTURL%/oops.pl/%WEB%/%BASETOPIC%?template=oopsmore&param1=%MAXREV%&param2=%CURRREV%">More Actions</a></li></ul>'}%

%IF{"$ LOGIN != '' and not context authenticated" then='<ul><li class="patternLogIn">%LOGIN%</li></ul>'}%

-- PaulJohnson - 2009-06-18

WebForm
SupportStatus AnsweredQuestions
Edit | Attach | Watch | Print version | History: r10 < r9 < r8 < r7 < r6 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r10 - 2009-06-18 - PaulJohnson
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2026 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.