SID-00825: Apache auth hides webs when using access control group
Status: Answered
TWiki version: 4.3.1
Perl version: 5.8.8
Category: CategoryAccessControl
Server OS: Ubuntu 8.04.4 LTS
Last update: 15 years ago
I set up my twiki site with the ApacheConfigGenerator and needed to tweak it a bit. With {LoginManager} set to Twiki::LoginManager::TemplateLogin and {PasswordManager} set to Twiki::Users::HtPasswdUser set in configure, the webs appear in the side toolbar when I log in. I have a group set up and that group is added to ALLOWWEBVIEW for the webs.
When I have {LoginManager} set to Twiki::LoginManager::ApacheLogin and {PasswordManager} set to Twiki::Users::ApacheHtPasswdUser set in configure and {Register}{AllowLoginName} checked, the webs do not appear in the side toolbar when I log in. However, I can type in the URL for the web and view it and edit it.
Is this a known bug, or am I doing something wrong?
My included /etc/apache2/twiki.conf:
# Autogenerated httpd.conf file for TWiki.
# Generated at http://twiki.org/cgi-bin/view/TWiki/ApacheConfigGenerator
# For TWiki version 4.2.X
# We set an environment variable called blockAccess.
#
# Setting a BrowserMatchNoCase to ^$ is important. It prevents TWiki from
# including its own topics as URLs and also prevents other TWikis from
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
#
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying the impossible task of mirroring a twiki
#
# Example:
# BrowserMatchNoCase ^SiteSucker blockAccess
# BrowserMatchNoCase ^$ blockAccess
BrowserMatchNoCase ^Accoona blockAccess
BrowserMatchNoCase ^ActiveAgent blockAccess
BrowserMatchNoCase ^Attache blockAccess
BrowserMatchNoCase BecomeBot blockAccess
BrowserMatchNoCase ^bot blockAccess
BrowserMatchNoCase Charlotte/ blockAccess
BrowserMatchNoCase ^ConveraCrawler blockAccess
BrowserMatchNoCase ^CrownPeak-HttpAgent blockAccess
BrowserMatchNoCase ^EmailCollector blockAccess
BrowserMatchNoCase ^EmailSiphon blockAccess
BrowserMatchNoCase ^e-SocietyRobot blockAccess
BrowserMatchNoCase ^Exabot blockAccess
BrowserMatchNoCase ^FAST blockAccess
BrowserMatchNoCase ^FDM blockAccess
BrowserMatchNoCase ^GetRight/6.0a blockAccess
BrowserMatchNoCase ^GetWebPics blockAccess
BrowserMatchNoCase ^Gigabot blockAccess
BrowserMatchNoCase ^gonzo1 blockAccess
BrowserMatchNoCase ^Google\sSpider blockAccess
BrowserMatchNoCase ^ichiro blockAccess
BrowserMatchNoCase ^ie_crawler blockAccess
BrowserMatchNoCase ^iGetter blockAccess
BrowserMatchNoCase ^IRLbot blockAccess
BrowserMatchNoCase Jakarta blockAccess
BrowserMatchNoCase ^Java blockAccess
BrowserMatchNoCase ^KrakSpider blockAccess
BrowserMatchNoCase ^larbin blockAccess
BrowserMatchNoCase ^LeechGet blockAccess
BrowserMatchNoCase ^LinkWalker blockAccess
BrowserMatchNoCase ^Lsearch blockAccess
BrowserMatchNoCase ^Microsoft blockAccess
BrowserMatchNoCase ^MJ12bot blockAccess
BrowserMatchNoCase MSIECrawler blockAccess
BrowserMatchNoCase ^MSRBOT blockAccess
BrowserMatchNoCase ^noxtrumbot blockAccess
BrowserMatchNoCase ^NutchCVS blockAccess
BrowserMatchNoCase ^RealDownload blockAccess
BrowserMatchNoCase ^Rome blockAccess
BrowserMatchNoCase ^Roverbot blockAccess
BrowserMatchNoCase ^schibstedsokbot blockAccess
BrowserMatchNoCase ^Seekbot blockAccess
BrowserMatchNoCase ^SiteSnagger blockAccess
BrowserMatchNoCase ^SiteSucker blockAccess
BrowserMatchNoCase ^Snapbot blockAccess
BrowserMatchNoCase ^sogou blockAccess
BrowserMatchNoCase ^SpiderKU blockAccess
BrowserMatchNoCase ^SpiderMan blockAccess
BrowserMatchNoCase ^Squid blockAccess
BrowserMatchNoCase ^Teleport blockAccess
BrowserMatchNoCase ^User-Agent\: blockAccess
BrowserMatchNoCase VoilaBot blockAccess
BrowserMatchNoCase ^voyager blockAccess
BrowserMatchNoCase ^W3C blockAccess
BrowserMatchNoCase ^w3search blockAccess
BrowserMatchNoCase ^Web\sDownloader blockAccess
BrowserMatchNoCase ^WebCopier blockAccess
BrowserMatchNoCase ^WebDevil blockAccess
BrowserMatchNoCase ^WebSec blockAccess
BrowserMatchNoCase ^WebVac blockAccess
BrowserMatchNoCase ^Webwhacker blockAccess
BrowserMatchNoCase ^Webzip blockAccess
BrowserMatchNoCase ^Wells blockAccess
BrowserMatchNoCase ^WhoWhere blockAccess
BrowserMatchNoCase www\.netforex\.org blockAccess
BrowserMatchNoCase ^WX_mail blockAccess
BrowserMatchNoCase ^yacybot blockAccess
BrowserMatchNoCase ^ZIBB blockAccess
BrowserMatchNoCase ^$ blockAccess
<IfModule mod_perl.c>
# Mod_perl preloading
PerlRequire /opt/twiki/tools/mod_perl_startup.pl
PerlSwitches -T
</IfModule>
# The ScriptAlias defines the bin directory as a directory where CGI
# scripts are allowed.
# The first parameter will be part of the URL to your installation e.g.
# http://my.co.uk/twiki/bin/view/...
# The second parameter must point to the physical path on your disc.
ScriptAlias /twiki/bin "/opt/twiki/bin"
# The Alias defines a url that points to the root of the twiki installation.
# It is used to access files in the pub directory (attachments etc)
# It must come _after_ the ScriptAlias.
#Alias /twiki "/opt/twiki"
Alias /twiki/pub "/opt/twiki/pub"
# Block access to typical spam related attachments (.htm/.html served from pub
# would run in the wiki's origin), except the TWiki directory, which is read only
# and does have attached html files.
# NOTE: as originally posted the first pattern ended in "$&". Nothing can follow
# the end-of-string anchor, so that rule could never match and no .html
# attachment under pub was actually being blocked. The stray "&" is dropped here.
SetEnvIf Request_URI "twiki/pub/.*\.[hH][tT][mM][lL]?$" blockAccess
SetEnvIf Request_URI "twiki/pub/TWiki/.*\.[hH][tT][mM][lL]?$" !blockAccess
# This specifies the options on the TWiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL.
<Directory "/opt/twiki/bin">
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
Options ExecCGI FollowSymLinks
SetHandler cgi-script
# Password file for TWiki users
# has to be in twiki group
AuthName "Restricted Access"
AuthType Basic
AuthUserFile /etc/apache2/passwords
AuthGroupFile /etc/apache2/groups
require group twiki
# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
<FilesMatch "^(configure)">
SetHandler cgi-script
# Order Deny,Allow
# Deny from all
Require user adminuser
</FilesMatch>
# When using Apache type login the following defines the TWiki scripts
# that makes Apache ask the browser to authenticate. It is correct that
# scripts such as view are not authenticated.
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
require valid-user
</FilesMatch>
# Enable mod_perl for the bin scripts listed
<IfModule mod_perl.c>
<FilesMatch "(attach|edit|manage|rename|save|upload|view|rest|.*auth).*">
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
PerlSendHeader On
PerlOptions +ParseHeaders
</FilesMatch>
</IfModule>
</Directory>
# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Note that files in pub are *not* protected by TWiki Access Controls,
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
<Directory "/opt/twiki/pub">
Options None
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
AuthName "Restricted Access"
AuthType Basic
AuthUserFile /etc/apache2/passwords
AuthGroupFile /etc/apache2/groups
require group twiki
# Disable execution of PHP scripts. php_admin_flag is only a valid directive
# when mod_php is loaded; unguarded, it aborts Apache startup with
# "Invalid command 'php_admin_flag'" on a server without PHP.
<IfModule mod_php5.c>
php_admin_flag engine off
</IfModule>
# This line will redefine the mime type for the most common types of scripts
AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
#
#add an Expires header that is sufficiently in the future that the browser does not even ask if its uptodate
# reducing the load on the server significantly
#IF you can, you should enable this - it _will_ improve your twiki experience, even if you set it to under one day.
# you may need to enable expires_module in your main apache config
#LoadModule expires_module libexec/httpd/mod_expires.so
#AddModule mod_expires.c
#<ifmodule mod_expires.c>
# <filesmatch "\.(jpg|gif|png|css|js)$">
# ExpiresActive on
# ExpiresDefault "access plus 11 days"
# </filesmatch>
#</ifmodule>
#
</Directory>
# Spammers are known to attach their stuff and then move it to trash where it remains unnoticed.
# We prevent viewing any attachments directly from pub
<Directory "/opt/twiki/pub/Trash">
deny from all
</Directory>
# Security note: All other directories should be set so
# that they are *not* visible as URLs, so we set them as =deny from all=.
<Directory "/opt/twiki/data">
deny from all
</Directory>
<Directory "/opt/twiki/templates">
deny from all
</Directory>
<Directory "/opt/twiki/lib">
deny from all
</Directory>
<Directory "/opt/twiki/locale">
deny from all
</Directory>
<Directory "/opt/twiki/tools">
deny from all
</Directory>
<Directory "/opt/twiki/working">
deny from all
</Directory>
--
SeanLazar - 2010-05-05
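As an added example (not part of the original post, and not TWiki's or the ApacheConfigGenerator's code), the following Python script models how the blockAccess rules in the posted twiki.conf combine: the BrowserMatchNoCase lines are searched against the User-Agent case-insensitively, the two SetEnvIf Request_URI lines are searched against the request path, all are evaluated in file order, and a `!blockAccess` rule clears the variable again. It is included because the first SetEnvIf pattern, as the file was originally posted, ends in `$&`: nothing can follow the end-of-string anchor, so that rule never matches and no .html attachment under pub is ever blocked, while the exemption rule for pub/TWiki still works, so the config looks right and silently does nothing. Python's `re` stands in for Apache's regex engine (an assumption; for these patterns the matching semantics agree), the rule subset and the sample requests are constructed for the demonstration, and `rule`, `block_access` and `audit` are names chosen here.

```python
import re

# Added example: models the blockAccess env-var logic of the posted twiki.conf.
# Apache evaluates BrowserMatchNoCase / SetEnvIf directives in file order; each
# matching rule either sets blockAccess or (for "!blockAccess") clears it.


def rule(header, pattern, sets=True, nocase=False):
    """One directive: which header it inspects, its regex, and whether a match
    sets (True) or clears (False) blockAccess. nocase models BrowserMatchNoCase."""
    return (header, re.compile(pattern, re.IGNORECASE if nocase else 0), sets)


def block_access(rules, request_uri, user_agent):
    """Return True if blockAccess would still be set after every rule has run."""
    headers = {"Request_URI": request_uri, "User-Agent": user_agent}
    blocked = False
    for header, regex, sets in rules:
        # Apache's SetEnvIf/BrowserMatch use an unanchored search, like re.search.
        if regex.search(headers[header]):
            blocked = sets
    return blocked


# A subset of the posted BrowserMatchNoCase lines (constructed selection).
UA_RULES = [rule("User-Agent", p, nocase=True)
            for p in (r"^SiteSucker", r"^Java", r"^$")]

# As originally posted: the trailing "&" after "$" makes the first pattern
# unmatchable, so the ".html under pub" block never fires.
POSTED = UA_RULES + [
    rule("Request_URI", r"twiki/pub/.*\.[hH][tT][mM][lL]?$&"),
    rule("Request_URI", r"twiki/pub/TWiki/.*\.[hH][tT][mM][lL]?$", sets=False),
]

# Corrected: same rules with the stray "&" removed.
FIXED = UA_RULES + [
    rule("Request_URI", r"twiki/pub/.*\.[hH][tT][mM][lL]?$"),
    rule("Request_URI", r"twiki/pub/TWiki/.*\.[hH][tT][mM][lL]?$", sets=False),
]

# Constructed sample requests: (Request_URI, User-Agent, should_be_blocked).
SAMPLES = [
    ("/twiki/pub/Main/SomeTopic/evil.html", "Mozilla/5.0", True),   # html attachment
    ("/twiki/pub/Main/SomeTopic/page.HTM", "Mozilla/5.0", True),    # case variant
    ("/twiki/pub/TWiki/TWikiDocGraphics/help.html", "Mozilla/5.0", False),  # exempt web
    ("/twiki/pub/Main/SomeTopic/report.pdf", "Mozilla/5.0", False),  # ordinary file
    ("/twiki/pub/Main/SomeTopic/report.pdf", "", True),             # empty UA, ^$ rule
    ("/twiki/bin/view/Main/WebHome", "java/1.6.0", True),           # ^Java, nocase
]


def audit(rules):
    """Return the (uri, user_agent) pairs whose outcome under rules differs
    from what a correct configuration should produce."""
    return [(uri, ua) for uri, ua, expected in SAMPLES
            if block_access(rules, uri, ua) != expected]


if __name__ == "__main__":
    print("posted config, requests handled wrongly:", audit(POSTED))
    print("fixed config, requests handled wrongly: ", audit(FIXED))
```

Running it lists the two .html attachment requests that the posted rule set lets through and an empty list for the corrected one; the same approach (feed a handful of known-good and known-bad requests through the rules in order) is a cheap regression check to keep next to any hand-edited twiki.conf, since a typo in a SetEnvIf pattern produces no Apache error at all.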
Discussion and Answer
Hi,
Check the ACL for WebLeftBar in your TWiki. Looks like you or users do not have view access to the TWiki.WebLeftBar topic.
--
SopanShewale - 2010-05-07
Hmm. I don't have any ACLs on TWiki.WebLeftBar, in Twiki.WebPreferences, or Twiki.WebLeftBarWebsList. I will dig some more.
--
SeanLazar - 2010-05-13
I believe the TWiki::Users::ApacheHtPasswdUser is marked as experimental. For Apache auth I usually use TWiki::LoginManager::ApacheLogin and TWiki::Users::HtPasswdUser.
--
PeterThoeny - 2010-05-13
That did the trick! Having {LoginManager} set to Twiki::LoginManager::ApacheLogin and {PasswordManager} set to Twiki::Users::HtPasswdUser set in configure made it work. Thanks!
--
SeanLazar - 2010-05-14