
Question

I have some new users and I have permission-protected the TWiki page against view. It seems to work right, because they really can't see the pages with the view CGI.

The problem is, I'm developing PhotonSearch and soon began to realize that some "illegal" results were being presented (i.e., pages the user couldn't see anyway). I made some checks, and discovered that the same problem is present in the regular search script. That is, the search methods present some results that cannot really be viewed, but if the user clicks on them, the "permission denied" page is shown (of course). The worst thing is that, using the BookView format, they can really view the entire topic text in the search results page.

The curious thing is, if I massage the URL by hand, and make the search "from" the TWiki web, the TWiki web preferences are taken right, and the TWiki web results are not shown.

Looking at the sources, I discovered, in TWiki::Access, the following comment:

# Different Web to current one, but we assume read access to twiki and main webs
# to save frequent loading of these preferences
I think this is the source of the problem. Any ideas, comments?

  • TWiki version: 20030201
  • Perl version: 5.6.1
  • Web server & version: Apache 1.3.27
  • Server OS: RedHat

-- EstebanManchado - 19 Jun 2003

Damn. This is annoying. I have users who fill in personal details (such as telephone numbers) on their Main.homepage - I've already had to fudge it so that new users (who come into Main.WebHome) get redirected to somewhere that is not permission restricted - this issue complicates things further.

-- MartinCleaver - 20 Jun 2003

I just want to make sure that nobody thinks I'm waiting for someone to fix this. I just wanted to know if this behaviour is the wanted one, in which case we'll have to move every TWiki topic to another one. If not, I will prepare a patch and attach it here.

-- EstebanManchado - 23 Jun 2003

Answer

Sorry no one has answered you so far. I'm almost 100% sure the behavior you describe is not the desired behavior and your patch would be most welcome. But, I'd like to see a member of the core team confirm this.

Maybe we need a SupportStatus like CoreTeamAttentionRequired?

  • I thought that was called filing a bug? ;-) -- TWikiGuest - 28 Jun 2003

-- RandyKramer - 26 Jun 2003


Here is a trivial patch for the problem:

 *** Access.pm.orig      Mon Jul 21 18:35:21 2003
--- Access.pm   Mon Jul 21 18:35:29 2003
***************
*** 115,122 ****
      }
  
      my $webPrefix = "";
!     if( $theWebName ne $TWiki::webName && $theWebName ne $TWiki::twikiWebname && 
!         $theWebName ne $TWiki::mainWebname) {
          # Different Web to current one, but we assume read access to twiki and main webs to
          # save frequent loading of these preferences
          $webPrefix = "Web$theWebName.";
--- 115,121 ----
      }
  
      my $webPrefix = "";
!     if( $theWebName ne $TWiki::webName ) {
          # Different Web to current one, but we assume read access to twiki and main webs to
          # save frequent loading of these preferences
          $webPrefix = "Web$theWebName.";
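
Review bot: The comment kept as context under the new test "if( $theWebName ne $TWiki::webName )" still reads "but we assume read access to twiki and main webs to save frequent loading of these preferences", which stops being true once the two extra comparisons are removed; shorten it to "Different Web to current one" in this same patch so the code and comment agree. That comment also records why the shortcut existed: with it gone, every check against the twiki and main webs made from another web takes the prefixed-preference path, so a search spanning several webs is worth timing before and after, with a per-request cache of the loaded web preferences as the fallback if it is noticeably slower.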

If the patch is going to be applied, the comment above:

# Different Web to current one, but we assume read access to twiki and main webs to
# save frequent loading of these preferences
would have to be changed (to delete the "but we assume.." part)

-- EstebanManchado - 21 Jul 2003
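
A simplified model of the check discussed in this thread, added here as an illustration and not TWiki's own code. It assumes the web prefix selects which web's DENYWEBVIEW setting is consulted and that an empty prefix means the web the request came from; the function names, the NewUser account and the preference data are constructed for the example.

```perl
use strict;
use warnings;

# Constructed preference store. Assumption: an unprefixed key belongs to the
# web the request came from, a "Web<Name>." key to another web.
sub prefs_for {
    my ($current) = @_;
    my %deny  = ( Main => ['NewUser'], TWiki => ['NewUser'], Sandbox => [] );
    my %prefs = map { ( "Web$_.DENYWEBVIEW" => $deny{$_} ) } keys %deny;
    $prefs{'DENYWEBVIEW'} = $deny{$current};
    return \%prefs;
}

# Mirrors the condition in the patch: the original skips the prefix for the
# TWiki and Main webs, the patched version only for the current web.
sub web_prefix {
    my ( $target, $current, $patched ) = @_;
    return '' if $target eq $current;
    return '' if !$patched && ( $target eq 'TWiki' || $target eq 'Main' );
    return "Web$target.";
}

# Returns 1 if $user may view topics of $target during a request made from
# the web $current, 0 otherwise.
sub may_view {
    my ( $user, $target, $current, $patched ) = @_;
    my $prefs  = prefs_for($current);
    my $key    = web_prefix( $target, $current, $patched ) . 'DENYWEBVIEW';
    my $denied = grep { $_ eq $user } @{ $prefs->{$key} };
    return $denied ? 0 : 1;
}

# Search issued from Sandbox, then from the TWiki web itself.
for my $case ( [ 'Sandbox', 'Main' ], [ 'Sandbox', 'TWiki' ], [ 'TWiki', 'TWiki' ] ) {
    my ( $from, $into ) = @$case;
    for my $patched ( 0, 1 ) {
        printf "%-8s from %-7s into %-5s: NewUser %s\n",
            $patched ? 'patched' : 'original', $from, $into,
            may_view( 'NewUser', $into, $from, $patched )
            ? 'sees results'
            : 'is denied';
    }
}
```

In this model the original condition evaluates Main and TWiki results against the Sandbox settings, so the restricted user sees them, while a search issued from the TWiki web is denied either way, matching the behaviour reported in the question.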

Topic revision: r7 - 2003-08-30 - MichaelSparks