SID-01688: Can I prevent raw view on a topic

Status: Answered
TWiki version: 5.0.1
Perl version: ActivePerl 5.12.2
Category: CategoryAccessControl
Server OS: Windows 2003 Server
Last update: 10 years ago

I want to block users from being able to see Main in raw view mode because it exposes group names and access control rules.

I'm using separate webs for different collaboration groups and I don't want any group to see the others' names. I successfully used ALLOW/DENY access controls to do this in every other topic, but the Main needs to be viewable to everyone and have links like this one to allow authenticated users to get to their GroupWeb pages:

    %IF{"'PRIVATEWEBNAME' allows 'VIEW'" then=PRIVATEWEBNAME.WebHome}%

This hides the links to webs which the user is not authorized to view. The one hole I've found is that the raw view mode shows these rules with the group (=web) names.

I expect that the solution will be to add a custom skin or modify the template to remove the link from this page only. Am I headed in the right direction, and if so how can I find the file which puts this link on the page in the first place?

-- John Artman - 2013-04-25

Discussion and Answer

With the latest PatternSkin and TopMenuSkin you can enable the read-only skin mode. This removes all topic actions to modify topics, but the view links are still there, including raw view. You could modify the skin to conditionally remove the raw view links, but this does not help if a user reads the docs and adds a ?raw=on parameter to a topic.

You could impose a view access restriction on group topics the same way you impose change restriction.

-- Peter Thoeny - 2013-05-01

The TopMenuSkin will only show the webs in the drop down that a user is permitted to view. You could rely on that mechanism instead of text in a topic. For example my installation has several webs that have access restrictions. If a user visits the installation without logging in and they click the drop-down they will only see the public webs. If they then log in and click the drop-down they will also see the webs that they have been granted read access.

-- Joshua Tharp - 2013-05-02

Still, topics in twiki.org (including this one) don't allow raw view without logging in (i.e., this topic is public, but if you try to add ?raw=on to the URL you are prompted for a username and password). I was wondering how this is implemented.

Thanks

-- Thomas Fozzi - 2015-04-09

We do that on TWiki.org to reduce the server load caused by greedy spiders. It's done with Apache rules for the twiki/bin directory:

    RewriteEngine On
    RewriteCond %{QUERY_STRING}  !^$
    RewriteCond %{QUERY_STRING}  !^(slideshow=|note=|search=|skin=text|skin=plain|tag=|dir=|ip=)
    RewriteRule view/(.*) /cgi-bin/viewauth/$1

-- Peter Thoeny - 2015-04-09
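
The rewrite rules above can be checked offline before deploying them. The following is an added example, not part of the original thread or of TWiki: a small Python model of the two conditions and the rule that reports which requests are sent to viewauth, including the fact that the exemption list is matched only at the start of the query string. The per-directory path form and the sample query strings are assumptions constructed for illustration.

```python
import re

# Transcription of the second RewriteCond pattern and the RewriteRule pattern
# from the rules posted above.
EXEMPT = re.compile(r"^(slideshow=|note=|search=|skin=text|skin=plain|tag=|dir=|ip=)")
RULE = re.compile(r"view/(.*)")


def route(path, query):
    """Return the path the rules would serve for a request under twiki/bin.

    path  -- per-directory path such as "view/Main/WebHome" (assumed form)
    query -- raw query string without the leading "?"
    """
    # RewriteCond lines are ANDed: the rule applies only if the query string
    # is non-empty AND does not START with one of the exempt parameters.
    if query == "" or EXEMPT.search(query):
        return path
    m = RULE.search(path)
    if not m:
        return path  # scripts other than view are left alone
    # The substitution replaces the whole path; Apache passes the query
    # string through unchanged.
    return "/cgi-bin/viewauth/" + m.group(1)


def audit(queries, path="view/Main/WebHome"):
    """Map each query string to 'auth' (viewauth) or 'anon' (plain view)."""
    return {q: ("auth" if "viewauth" in route(path, q) else "anon") for q in queries}


# Constructed sample query strings, not taken from any real log.
SAMPLES = ["", "raw=on", "rev=3", "skin=plain", "search=foo",
           "skin=plain&raw=on", "raw=on&skin=plain"]

if __name__ == "__main__":
    for q, verdict in audit(SAMPLES).items():
        print(f"{q!r:24} -> {verdict}")
```

Because only the first parameter decides the exemption, the rules fit their stated purpose of reducing crawler load. Hiding group names still depends on the view access restriction on the group topics suggested earlier in the thread.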

SupportForm
Status Answered
Title Can I prevent raw view on a topic
SupportCategory CategoryAccessControl
TWiki version 5.0.1
Server OS Windows 2003 Server
Web server Apache 2.2.17
Perl version ActivePerl 5.12.2
Browser & version IE 9.0.8112
Topic revision: r6 - 2015-04-09 - PeterThoeny