SID-02515: Locked down Main web blocks user Watchlist topic creation

Status:	Asked	TWiki version:	6.1.0	Perl version:	5.32.1-4+deb11u2
Category:	WatchlistPlugin	Server OS:	Debian 11.8 bullseye	Last update:	1 year ago

I have our Main web set (in WebPreferences) with "ALLOWTOPICCHANGE = TWikiAdminGroup", to prevent users from mucking about with other user topics or system topics under Main. (Our content is in other webs, and those are not so restrictive. Vandalism/spam have been problems in the past.) I added "ALLOWTOPICCHANGE = Main.%TOPIC%" to NewUserTemplate so that users could edit their own user topics. This all worked fine.

The problem arises that users cannot create the WikiNameWatchlist topic (as used by WatchlistPlugin) that goes along with their base WikiName topic.

If there is already a fix for this someone knows of, please tell me. Otherwise, I'm willing to work on a fix, but would like feedback on approach.

One way to work around this would be to have new user creation/registration also create the watchlist topic, from another template, and have that template set ALLOWTOPICCHANGE to the user, like I'm doing with the user pages. I don't know if that functionality exists currently.

The other way I can think of to address this would be to modify WatchlistPlugin to ignore/override topic permissions for the watchlist topic. I don't know if that would be kosher from a TWiki security perspective. Maybe make this security override an optional feature, off by default?

Other ideas welcomed.

-- Ben

-- Ben Scott - 2024-02-09

Discussion and Answer

If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.