SID-00496: Create Topic Only Under Form Control
Status: Answered
TWiki version: 4.2.0
Perl version: 5.8.1
Category: CategorySecurity
Server OS: Gentoo
Last update: 16 years ago
I have 3 levels of TWiki user:
1. Can see everything, but change nothing
2. Can see everything & add new topics via a form & submit, but not create topics of their own
3. Can view & change anything
Levels 1 & 3 are easy. I have set access controls for level 2 users, which in the main work, but if I set DENYWEBCHANGE in WebPreferences or leave the level 2 group out of ALLOWWEBCHANGE they cannot create new topics directly (which is good), but the ALLOWTOPICCHANGE setting in the templates is not looked at (I think) before create access is denied.
Can I get TWiki to honour the ALLOWTOPICCHANGE in the template whilst also setting DENYWEBCHANGE or ALLOWWEBCHANGE to prevent uncontrolled addition of new topics?
Reading TWiki Access Control, it implies that this works - and it certainly does for existing topics - but I think that is not so for new topics.
--
ChrisHogan - 2009-08-23
Discussion and Answer
I notice that a sub-routine checkaccesspermission exists, but the save script does not supply the text of the topic body.
If edit is already checked to see whether the user can generate new text in the first place, is there any harm in supplying the text (and therefore the overriding ALLOW) here?
Of course, if the user can update using the comment or edit table plugin then he/she can edit to add a save script & therefore create new topics, although RCS would catch that they did it.
--
ChrisHogan - 2009-08-23
Also, in NeedAccessControlDENYWEBNEW there was a proposal for a create control. The patch is a bit out of date now. The main objections seemed (at a glance) to be naming conventions & that it wasn't "wiki" like.
Well I suppose the application I'm working on is collaborative, but not wiki like - but TWiki can be used to build such applications & control of create (and edit other than through edittable renderform and comment plugins) is a great way to enhance TWiki as an application platform.
--
ChrisHogan - 2009-08-24
I would need to look into details, but just a quick thought:
1. You can lock down the whole web for edit to a specific group
2. You can lock down WebTopicEditTemplate to the person creating a page:
   * Set ALLOWTOPICCHANGE = %WIKI%NOP%USERNAME%
Note the embedded %NOP%: it defuses the access control of the template topic, and gets removed in the instantiated topic.
3. If needed you can restrict access of the template topic to a different person or group than the instantiated topic:
%NOP{
   * Set ALLOWTOPICCHANGE = Main.SomeGroup
}%
The content within %NOP{}% will be removed.
--
PeterThoeny - 2009-08-24
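The following is an added example, not code from this thread or from TWiki itself. It is a small Python model of the two mechanisms discussed above: how a WebTopicEditTemplate with an embedded %NOP% is instantiated (the %NOP{...}% block and the bare %NOP% are dropped, %WIKIUSERNAME% becomes the creating user), and the CHANGE permission check order as TWikiAccessControl describes it (DENYTOPIC, ALLOWTOPIC, DENYWEB, ALLOWWEB, then allow). Passing `topic_text=None` models the situation the question reports for a brand new topic, where the save script has no topic body to consult, so only the web-level settings apply. The group names, user names and preference texts are constructed for the example; the check order and the "last Set wins" rule are simplifications of TWiki 4.x behaviour and are assumptions of this model, not a transcript of Access.pm.

```python
import re

# Constructed sample data for this example (not from the page's site).
GROUPS = {
    "Main.AdminGroup": {"Main.AliceAdmin"},       # level 3: change anything
    "Main.FormUsersGroup": {"Main.BobFormUser"},  # level 2: create via form only
}

# WebPreferences: only level 3 may change topics in the web directly.
WEB_PREFS = """
   * Set ALLOWWEBCHANGE = Main.AdminGroup
"""

# WebTopicEditTemplate as in steps 2 and 3 above: the %NOP% keeps the
# first Set from being a live %WIKIUSERNAME% in the template itself, and
# the %NOP{...}% block locks the template topic to the admin group.
WEB_TOPIC_EDIT_TEMPLATE = """---+ New record
   * Set ALLOWTOPICCHANGE = %WIKI%NOP%USERNAME%
%NOP{
   * Set ALLOWTOPICCHANGE = Main.AdminGroup
}%
"""

SET_RE = re.compile(r"^\s+\* Set (\w+) = (.*)$", re.M)
NOP_BLOCK_RE = re.compile(r"%NOP\{.*?\}%", re.S)


def instantiate(template: str, wikiusername: str) -> str:
    """Model of topic creation from a template: %NOP{...}% blocks and bare
    %NOP% are removed, then %WIKIUSERNAME% expands to the creating user."""
    text = NOP_BLOCK_RE.sub("", template)
    text = text.replace("%NOP%", "")
    return text.replace("%WIKIUSERNAME%", wikiusername)


def settings(text: str) -> dict:
    """Collect '* Set NAME = value' lines; a later Set of the same name wins."""
    out = {}
    for m in SET_RE.finditer(text):
        out[m.group(1)] = m.group(2).strip()
    return out


def in_list(user: str, value: str) -> bool:
    """True if user is named directly or via a group in a comma/space list."""
    for name in re.split(r"[,\s]+", value):
        if name and (name == user or user in GROUPS.get(name, ())):
            return True
    return False


def can_change(user: str, web_prefs: str, topic_text=None) -> bool:
    """Simplified CHANGE check: DENYTOPIC, ALLOWTOPIC, DENYWEB, ALLOWWEB, allow.
    topic_text=None models saving a new topic, where no body is available
    to the check and so the template's ALLOWTOPICCHANGE cannot be seen."""
    if topic_text is not None:
        t = settings(topic_text)
        if "DENYTOPICCHANGE" in t and in_list(user, t["DENYTOPICCHANGE"]):
            return False
        if t.get("ALLOWTOPICCHANGE"):
            return in_list(user, t["ALLOWTOPICCHANGE"])
    w = settings(web_prefs)
    if "DENYWEBCHANGE" in w and in_list(user, w["DENYWEBCHANGE"]):
        return False
    if w.get("ALLOWWEBCHANGE"):
        return in_list(user, w["ALLOWWEBCHANGE"])
    return True


def demo() -> dict:
    """Walk a level 2 user through the scenario from the question."""
    bob = "Main.BobFormUser"
    new_topic = instantiate(WEB_TOPIC_EDIT_TEMPLATE, bob)
    return {
        # In the template itself the %NOP{}% Set is the last one and wins.
        "template_setting": settings(WEB_TOPIC_EDIT_TEMPLATE)["ALLOWTOPICCHANGE"],
        # In the instantiated topic only the expanded creator remains.
        "instantiated_setting": settings(new_topic)["ALLOWTOPICCHANGE"],
        # New-topic save: no body, so only ALLOWWEBCHANGE is consulted.
        "bob_creates_new_topic": can_change(bob, WEB_PREFS, None),
        # Existing topic: its ALLOWTOPICCHANGE is seen before the web DENY/ALLOW.
        "bob_edits_own_topic": can_change(bob, WEB_PREFS, new_topic),
        "bob_edits_template": can_change(bob, WEB_PREFS, WEB_TOPIC_EDIT_TEMPLATE),
        "admin_edits_template": can_change("Main.AliceAdmin", WEB_PREFS,
                                           WEB_TOPIC_EDIT_TEMPLATE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the gap the question describes: the instantiated topic carries `ALLOWTOPICCHANGE = Main.BobFormUser`, so once the topic exists Bob can edit it, but a new-topic save that has no body to inspect falls straight through to the web-level ALLOWWEBCHANGE and is refused. It also shows why the %NOP% matters in the template: the template topic's own effective setting is the group named inside the %NOP{}% block, not the creator.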
Seems to be answered?
Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the TWiki consultants if you need timely help. We invite you to get involved with the community; it is more likely you get community support if you support the open source project!
--
PeterThoeny - 2009-10-02