Difference: TWikiAccessControl (11 vs. 12)

Revision 122001-08-31 - MikeMannix

 On this page: 
  An Important Control Consideration
   Permissions settings of the webs on this TWiki site
   Authentication vs. Access Control
   Users and Groups 
  Managing Users
   Managing Groups
   The Super Admin Group
 
   Restricting Access 
  Controlling access to a Web
   Controlling access to a Topic
   Allowing public access to specific topics in a restricted web
   Empty values in access control variables
   Securing File Attachments
   Controlling who can manage top-level webs
   How TWiki evaluates ALLOW/DENY settings
   Allowing web creation/deletion/rename by user mapping manager
 
   Forbid certain users to do certain actions by configuration
   User masquerading
   Dynamic access control 
  Example 1 - restriction based on topic name
   Example 2 - restriction based on form field
   Dynamic access control in accessing a different web's topic
   Topic level dynamic access control
   Dynamic access control and user masquerading
   Avoiding vulnerability
   Disabling dynamic access control
 
   Access control and INCLUDE
   Customizing "access denied" message
   Custom user/group notations
   Access Control quick recipes 
  Restrict Access to Whole TWiki Site
   Authenticate and Restrict Selected Webs Only
   Hide Control Settings
   Obfuscating Webs
   Read-only Skin Mode
 
   Configuring access control for topics of a certain name in all webs
  Set DENYWEBVIEW = < list of users and groups >
  Set ALLOWWEBVIEW = < list of users and groups >
-<
<
+ Read Access Restriction Notes
->
>
+ Read Restriction Known Issues
  The view restriction is not suitable for very sensitive content since there is a way to circumvent the read access restriction.
  Read access restriction only works if the view script is authenticated, that means that users need to log on also just to read topics. TWiki Installation has more on basic authentication based on the .htaccess file.
-<
<
+ There is a workaround if you prefer to to have unrestricted access to view topics located in normal webs, and to authenticate users only for webs where view restriction is enabled:
->
>
+ There is a workaround if you prefer to have unrestricted access to view topics located in normal webs, and to authenticate users only for webs where view restriction is enabled:
  Leave the view script non authenticated in the .htaccess file.
  Enable the $doRememberRemoteUser flag in wikicfg.pm as described in TWiki Authentication. TWiki will now remember the IP address of an authenticated user.
  Copy the view script to viewauth (or better, create a symbolic link)
  Add viewauth to the list of authenticated scripts in the .htaccess file.
-<
<
+ When a user accesses a web where you enabled view restriction, TWiki will redirect from the view script to the viewauth script once (this hapens only if the user has never edited a topic). Doing so will ask for authentication. The viewauth script shows the requested topic if the user could log on and if the user is authorized to see that web.
->
>
+ When a user accesses a web where you enabled view restriction, TWiki will redirect from the view script to the viewauth script once (this happens only if the user has never edited a topic). Doing so will ask for authentication. The viewauth script shows the requested topic if the user could log on and if the user is authorized to see that web.
  If you enable view restriction for a web, it is recommended to restrict search "all webs" from searching this web. Enable this restriction with the NOSEARCHALL variable in its WebPreferences, like: 
 Set NOSEARCHALL = on
 
  It is not recommended to restrict view access to individual topics since all content is searchable within a web.
-<
<
+ The view restriction is not suitable for very sensitive content since there is a way to circumvent the read access restriction.
-<
<
+ The SuperAdminGroup
->
>
+ The SuperAdminGroup
 The above schema can lock completely a topic in case of a typing error of the ALLOWTOPICCHANGE setting (see UnchangeableTopicBug). To avoid this: 
 set the $superAdminGroup variable in TWiki.cfg to the name of a group of users that are always allowed to edit/view topics. E.g.:

View topic | History: r44 < r43 < r42 < r41 | More topic actions...

Copyright © 1999-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
Note: Please contribute updates to this topic on TWiki.org at TWiki:TWiki.TWikiAccessControl.