SID-01446: %INCLUDE% parts of topic based on user entitlement

Status:	Answered	TWiki version:	4.1.0	Perl version:	5.10
Category:	CategoryAccessControl	Server OS:		Last update:	13 years ago

Hi all, I would like to create a public version of my group's web to show only pieces of the information to the general public. in concrete i need my team to maintain only one web (locked down to allow edit and view to the team only) and in each topic they decide which parts can be readable by the public. this parts should be then (flagged and) included into the public web (sub web of the private one). i read the docs but seems that the entitlements work only on entire topics and cannot get more granular than that, i.e. if i lock down a topic the %INCLUDE% don't include anything whereas it would be nice if it could include "just this and that".

Is there a plugin/workaround/something i can use (or documents i missed to read) to achieve that result?

Requirements from the team (driven by the fact they are not keen on updating even one topic ):

• Only one topic to be maintained by them (the private one)
• Easy flagging of the "public" parts
• Automatic update of the public topic when new flags are added/removed

Cheers

p

-- PaoloGallo - 2012-04-13

Discussion and Answer

Just an update, i found the following code in the IfStatement topic:

<div style="visibility: %IF{"'%USERNAME%' ingroup 'TWikiAdminGroup'" then="visible" else="hidden"}%">
   * Conditional text enclosed in div tags here...
   * ...can be as long as needed
</div>

I changed the group with the group specified in the ALLOWWEBCHANGE variable, but the content is still visible by users that are not part of the group. the ALLOWWEBVIEW variable is empty but i assume that the style setting above is supposed to locally override it.

Any help would be appreciated.

Thanks

p

-- PaoloGallo - 2012-04-13

Several options:

1. If you do not need hard access control, e.g. just hide content from users you can use the %HIDE{...}% variable. Content within the variable will not be sent to the browser, however, it is still visible in raw view and edit. You can conditionally hide content with IfStatements. With this option you would have all content in one web.

2. Use two webs as you stated, a Team web and a Public web. In the Team web topics use %STARTINCLUDE% ... %STOPINCLUDE% to specify what to include in the Public web. Create topics in the Public web that match the names in the Team web, with a single line content: %INCLUDE{Team.%TOPIC%}. You can restrict edit of the Team web to the team, but you can't restrict view or the include will not work for unprivileged people.

3. Use the PublishWebPlugin with a custom publish skin. You can lock down access to the Team web or the whole TWiki. On each topic save in the Team web, an HTML page is generated for your public site. You can use %STARTPUBLISH% ... %STOPPUBLISH% to indicate what should be published as HTML.

-- PeterThoeny - 2012-04-16

Hi Peter, thanks for the suggestions, but i did try them before the post and the result i gather suggest the behaviour i am looking for is something in between this solutions.

1. the HIDE variable cannot work because my team wouldn't be able to see the content themselves, as it appears to be a "blind" variable. More on the IfStatement laer as it looks the interesting one.
2. the two separate webs was my first immediate idea, but it crashes against the fact that the whole point is to lock the view on the team web which obviously ruin the %<nop>INCLUDE%
3. Unfortunately :(, we don't have installed lots of nice plugins, including PublishWebPlugin, TopicCryptPlugin and HideInEditModePlugin (which i was planning to use for another little thing)

Now, the viable solution could be the if statement in a div tag (maybe stored in a variable or topic so that the team just need to write a word), but it doesn't seems to work with the users and groups. As i wrote in my first comment the condition "'%<nop>USERNAME%' ingroup 'TWikiAdminGroup'" evaluate to true whatever user and group i put in there. So i guess my question now is: since the IF seems to be the most feasible way, how can i make it understand if a user is part of a group? and clearly, since this will work only with the team web not locked for view, how can i lock down the raw view mode?

Thanks for any help, if i find any workaround i'll post it here.

Cheers

p

-- PaoloGallo - 2012-04-17

If you are member of the TWikiAdminGroup you have access to everything. For testing, try hardcoding "'TWikiGuest' ingroup 'TWikiAdminGroup'" and it will return 0.

-- PeterThoeny - 2012-04-18

Bad news, i've just been notified that the "ingroup" attribute is not available in our twiki installation. I need to think to something else, the double web cannot be the only solution...my team would kill me!

p

-- PaoloGallo - 2012-04-18

You can hand-craft your own SEARCH, and also embed in a variable for ease of use:

   * Before conditional
%STARTHIDE%
   * Conditionally hide
%ENDHIDE%
   * After conditional

Displays as:

• Before conditional

• After conditional

This should be in WebPreferences of Main.TWikiPreferences:

   * Set STARTHIDE = <div style="display: %IF{ "'%SEARCH{ "\* *Set *[G]ROUP *=[^\n]+%WIKINAME%" web="Support" topic="SID-01446" type="regex" nonoise="on" format="block" }%'='block'" else="none"}%">
   * Set ENDHIDE = </div>

This is a group setting in one of the TWikiGroups: (change web="Support" topic="SID-01446" in above search to the group's web and topic name)

• Set GROUP = PaoloGallo, PeterThoeny

In this example, only you and I can see the hidden text between STARTHIDE and ENDHIDE.

-- PeterThoeny - 2012-04-18

Thanks Peter, sorry for the late reply. This solution works, but apparetnly the div trick is not secure enough for us as it doesn't hide the content when seen through the html source. I think we'll just keep the topic entirely public for the time being.

-- PaoloGallo - 2012-04-23

If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.