SID-01432: Protected Topic does not use viewauth
| Status: | Answered | TWiki version: | 4.3.2 | Perl version: | 5.8 |
| Category: | CategoryAccessControl | Server OS: | RHL 7 | Last update: | 13 years ago |
We have cases where a Wikiword link to a topic, which is protected either by the Webpreferences or the topic preferences, is delivered by the 'view' script and is not redirected to viewauth. This has consequences and it means that the bottom page links for rdiff and history are also non-auth scripts. Consequently rdiff and history fail. Users have to add 'rdiffauth' in the URL to make the script work. In more topic actions the Compare Revisions also fails as it calls rdiff and not rdiffauth.
Sessions are enabled and in general the ACLs (ALLOWTOPICVIEW and ALLOWTOPICCHANGE) are respected.
It is only on the bottom line of commands where TWiki throws a deny error.
Any ideas on this?
--
PeterJones - 2012-03-23
Discussion and Answer
Apparently you are using Apache auth, not template auth. Any reason to stick with Apache auth?
I am not sure I understand all. Are you stating that in some cases access restricted topics are shown non-authenticated with the view script?
If a page is access restricted, TWiki will redirect to the corresponding *auth script. As long as the *auth scripts are listed in the Apache configuration you should be OK:
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
require valid-user
</FilesMatch>
--
PeterThoeny - 2012-03-26
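As an added illustration (not part of the original thread and not TWiki's own code), the following Python sketch reads the FilesMatch block quoted in the answer above and reports which script names Apache would challenge for a valid user. The script list is a constructed sample, the function names are hypothetical, and Python's `re` stands in for Apache's regex engine, which behaves the same for this pattern.

```python
import re

# The FilesMatch block quoted in the answer above.
APACHE_CONF = '''
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
    require valid-user
</FilesMatch>
'''

# Constructed sample of script names from a TWiki bin directory (assumption).
BIN_SCRIPTS = ["attach", "edit", "logon", "oops", "rdiff", "rdiffauth",
               "rename", "rest", "save", "search", "upload", "view",
               "viewauth", "viewfile"]

BLOCK_RE = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>',
                      re.S | re.I)


def protected_patterns(conf):
    """Return the regex of every FilesMatch block that requires a valid user."""
    return [re.compile(pat) for pat, body in BLOCK_RE.findall(conf)
            if re.search(r'^\s*require\s+valid-user\s*$', body, re.I | re.M)]


def classify(scripts, conf):
    """Map each script name to True if Apache would demand authentication."""
    pats = protected_patterns(conf)
    # FilesMatch is an unanchored regex match on the file name, hence search().
    return {s: any(p.search(s) for p in pats) for s in scripts}


def unauthenticated_twins(scripts, conf):
    """Scripts served without a challenge although a protected *auth twin exists."""
    status = classify(scripts, conf)
    return sorted(s for s, prot in status.items()
                  if not prot and status.get(s + "auth"))


if __name__ == "__main__":
    for name, prot in classify(BIN_SCRIPTS, APACHE_CONF).items():
        label = "require valid-user" if prot else "no Apache challenge"
        print(f"{name:10} {label}")
    print("plain scripts with an auth twin:",
          unauthenticated_twins(BIN_SCRIPTS, APACHE_CONF))
```

With this pattern, `view` and `rdiff` fall outside the match while `viewauth` and `rdiffauth` fall inside it, so a link to the plain script name is served without Apache asking for credentials.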
Hi Peter
We use SSO for authentication and so that is why we have ApacheLogin.
We have the auth scripts correctly configured as written above.
As many of our webs are protected we would expect to see viewauth in the URL of topics in these webs. That is to say after the selected topic is returned the URL (in the web browser URL address window) should show viewauth. This we find is not always the case but the user does get access to the page. The ACLs are working ok and a non-authorized user would not be allowed access to the topic.
On such a protected page if I run the cursor over the topicactionbuttons at the bottom of the page then they all show as view or rdiff instead of viewauth or rdiffauth.
It appears as if TWiki is losing Session information at some point.
--
PeterJones - 2012-03-27
See new blog post How to: Single Sign-on, a Convenient Way to Authenticate Users.
Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the TWiki consultants if you need timely help. We invite you to get involved with the community, it is more likely you get community support if you support the open source project!
--
PeterThoeny - 2012-07-01