Purpose
- To provide methods for the CgiScripts to check whether a user is permitted to change something.
- NB: Plugins should use the equivalent interface in FuncDotPm.
- Provides an API to access the information in TWikiGroups, though the name of the topic seems to be configurable too.
Used by
This module is primarily used by the CgiScripts.
Important parameters
| Actions | TOPIC DENY | TOPIC ALLOW | WEB DENY | WEB ALLOW | Notes |
| CHANGE | DENYTOPICCHANGE | ALLOWTOPICCHANGE | DENYWEBCHANGE | ALLOWWEBCHANGE | |
| VIEW | DENYTOPICVIEW | ALLOWTOPICVIEW | DENYWEBVIEW | ALLOWWEBVIEW | |
| RENAME | DENYTOPICRENAME | ALLOWTOPICRENAME | DENYWEBRENAME | ALLOWWEBRENAME | |
| MANAGE | | | | | ? what's this? |
| VOTE | DENYTOPICVOTE | ALLOWTOPICVOTE | - | - | PollPlugin |
| HISTORY | DENYTOPICHISTORY | ALLOWTOPICHISTORY | - | - | proposed |
| VIEWRAW | DENYTOPICVIEWRAW | ALLOWTOPICVIEWRAW | - | - | proposed |
Please see CodevDocumentationProject and CodevDocumentationProjectDev for comments on the format of these pages.
| Note: | The documentation below is extracted from the currently installed TWiki::Access Perl module by the PerlDocPlugin. |
%PERLDOC{"TWiki::Access"}%
Contributors:
-- MartinCleaver - 23 Jun 2002
-- PeterThoeny - 01 Feb 2004
Discussions
Calls from bin
testwiki$ grep checkAccessPermission bin/*
bin/attach: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, "", $topic, $webName ) ) {
bin/edit: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $text, $topic, $webName ) ) {
bin/edit.orig: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $text, $topic, $webName ) ) {
bin/editsection: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $text, $topic, $webName ) ) {
bin/mailtotwiki: if (! TWiki::Func::checkAccessPermission('CHANGE',
bin/manage: unless( &TWiki::Access::checkAccessPermission( "manage", $wikiUserName, "",
bin/megarename: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $scantext,
bin/megarename: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $ret, $oldTopic, $oldWeb ) ) {
bin/passwd: #if( &TWiki::Access::checkAccessPermission( "change", "Main.TWikiGuest", "", $wikiName, $TWiki::mainWebname )) {
bin/poll: if( ! &TWiki::Func::checkAccessPermission( "vote", $wikiUserName, "", $topic, $webName ) ) {
bin/rdiff: my $viewAccessOK = &TWiki::Access::checkAccessPermission( "view", $wikiUserName, "", $topic, $webName );
bin/rename: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $scantext,
bin/rename: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, $ret, $oldTopic, $oldWeb ) ) {
bin/rename: if( ! &TWiki::Access::checkAccessPermission( "rename", $wikiUserName, $ret, $oldTopic, $oldWeb ) ) {
bin/save: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, "", $topic, $webName ) ) {
bin/savecomment: if( ! &TWiki::Access::checkAccessPermission( "post", $wikiUserName, "", $topic, $webName ) ) {
bin/savemulti: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, "", $topic, $webName ) ) {
bin/upload: if( ! &TWiki::Access::checkAccessPermission( "change", $wikiUserName, "", $topic, $webName ) ) {
bin/view: my $viewAccessOK = &TWiki::Access::checkAccessPermission( "view", $wikiUserName, $text, $topic, $webName );
bin/viewauth: my $viewAccessOK = &TWiki::Access::checkAccessPermission( "view", $wikiUserName, $text, $topic, $webName );
Calls from lib
testwiki$ grep checkAccessPermission lib/TWiki/*
lib/TWiki/Search.pm: $topicAllowView{ $tempVal } = &TWiki::Access::checkAccessPermission( "view", $TWiki::wikiUserName, $text, $tempVal, $thisWebName );
lib/TWiki/Search.pm: $topicAllowView{ $tempVal } = &TWiki::Access::checkAccessPermission( "view", $TWiki::wikiUserName, $text, $tempVal, $thisWebName );
lib/TWiki/Search.pm: $topicAllowView{ $tempVal } = &TWiki::Access::checkAccessPermission( "view", $TWiki::wikiUserName, $text, $tempVal, $thisWebName );
lib/TWiki/Search.pm: $allowView = &TWiki::Access::checkAccessPermission( "view", $TWiki::wikiUserName, $text, $topic, $thisWebName );
lib/TWiki/Search.pm: my $changeAccessOK = &TWiki::Access::checkAccessPermission( "change", $TWiki::wikiUserName, $text, $topic, $thisWebName );
lib/TWiki/Store.pm: $viewAccessOK = &TWiki::Access::checkAccessPermission( "view", $TWiki::wikiUserName, $text, $theTopic, $theWeb );
Issues
userIsInGroup should be declared a Public method or not used in scripts.
A grep of the source tree indicates that checkAccessPermission() is the most used method. However, userIsInGroup() is used in
- bin/edit
- bin/preview
- bin/save
- bin/savemulti
The vector of public methods in the code should be updated to reflect this. -- which code? In access.pm? I see this as saying that userIsInGroup is public [ MartinCleaver 22 Oct 2003 ]
Also consider if userIsInGroup() should be substituted and made private. -- why? and with what?
-- AntonAylward - 10 May 2003
userIsInGroup should be made recursive
By making isUserInGroup check recursively we would enable a group to be a member of a group. I think this simple modification could help manage large installations.
check access for VIEWTOPICRAW and VIEWTOPICHISTORY need to be added
I set up a poll on my system that was supposed to be anonymous. Of course, it isn't because everyone can see the history. So doing a 'Diffs' (Page history) is different to a view and IMO they should be treated differently.
There are many reasons that you'd want to prevent someone from seeing the raw view (e.g. for polls). I think this could also be usefully extended.
-- MartinCleaver - 22 Oct 2003
Added %PERLDOC{...}% to pull the doc from the TWiki.pm Perl module. Removed PublicMethods and PrivateMethods section since they are no longer needed.
-- PeterThoeny - 01 Feb 2004
Set parent topic to CodevDocumentationProject.
-- WalterMundt - 01 Feb 2004
It looks like I am going to need support for more AccessControlFunctions (initially for DeleteAccount, later for TWiki interface to manage groups).
- getGroupsUserIsIn
- removeUserFromGroup
- addUserToGroup
- getAllGroups
PROBLEM!! - how do i get a list of all the groups in a TWiki? in a reasonable amount of time? at the moment I have to do a SEARCH for Set GROUPS

yeuch
Search: Set GROUP =
ChinamericaGroup
DevelopBranchGroup
EmmaAngelGroup
SaccAdminGroup
SecurityTeamSupportGroup
TWikiAdminGroup
TWikiCommunityGroup
MochiloncoGroup
Sandbox.NVSGroup
AutomaticallyPutNewUsersIntoGroup
CantAddMyLoginNameToTWikiAdminGroup
HowToEmailAGroup
RenderListforGroup
-- SvenDowideit - 15 Feb 2004
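The recursive userIsInGroup proposal and the getAllGroups problem discussed above, sketched together as an added Perl example that is not TWiki's own code. The helper names `get_all_groups` and `user_is_in_group`, the user names and the topic texts are hypothetical and constructed for illustration; the example assumes group members are listed on a `Set GROUP =` bullet in the group topic.

```perl
#!/usr/bin/perl
# Added example, not TWiki code: find real groups, then test nested membership.
use strict;
use warnings;

# Constructed topic texts (topic name => raw text). Only a topic carrying a
# "Set GROUP =" bullet defines a group; a name ending in "Group" does not.
my %topics = (
    TWikiAdminGroup   => "   * Set GROUP = Main.AliceExample, SecurityTeamGroup\n",
    SecurityTeamGroup => "   * Set GROUP = BobExample, AuditGroup\n",
    AuditGroup        => "   * Set GROUP = CarolExample, SecurityTeamGroup\n", # cycle
    HowToEmailAGroup  => "How do I email a group?\n",    # support question, no group
);

# Hypothetical helper: map each real group to its direct members.
sub get_all_groups {
    my ($topics) = @_;
    my %groups;
    for my $name ( keys %$topics ) {
        next unless $topics->{$name} =~ /^(?:\t| {3})+\* Set GROUP\s*=\s*(.*)$/m;
        my @members = grep { length } split /[\s,]+/, $1;
        s/^\w+\.// for @members;    # drop a web prefix such as "Main."
        $groups{$name} = \@members;
    }
    return \%groups;
}

# Hypothetical recursive check; %$seen stops A -> B -> A from looping forever.
sub user_is_in_group {
    my ( $groups, $user, $group, $seen ) = @_;
    $seen ||= {};
    return 0 if $seen->{$group}++ or not exists $groups->{$group};
    for my $member ( @{ $groups->{$group} } ) {
        return 1 if $member eq $user;
        return 1 if user_is_in_group( $groups, $user, $member, $seen );
    }
    return 0;
}

my $groups = get_all_groups( \%topics );
print "Groups: ", join( ", ", sort keys %$groups ), "\n";
for my $user (qw(AliceExample CarolExample DaveExample)) {
    printf "%-13s in TWikiAdminGroup: %s\n", $user,
      user_is_in_group( $groups, $user, "TWikiAdminGroup" ) ? "yes" : "no";
}
```

With recursive membership, adding a group as a member grants every nested member the outer group's rights, so the members of AuditGroup here become members of TWikiAdminGroup two levels up.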