
Unknown REMOTE_USER should resolve to TWikiGuest

I have a TWiki site which is authenticated by our corporate (proprietary) apache auth module. This module sets REMOTE_USER with our intranet name. I would like to prohibit editing of topics within a web by setting DENYWEBCHANGE = TWikiGuest. What I would like to happen is when someone is authenticated but has not registered, %WIKIUSERNAME% would be set to TWikiGuest. Instead, what happens is it is set to Main.<REMOTE_USER>. This breaks the DENYWEBCHANGE setting.

The fix seems trivial. Here is the inlined Diff:

*** /homes/mbigby/TWiki.pm      Fri Nov  7 19:00:00 2003
--- lib/TWiki.pm        Fri Nov  7 18:08:22 2003
***************
*** 720,725 ****
--- 720,727 ----
      $remoteUser =~ /(.*)/;
      $remoteUser = $1;  # untaint variable

+     $remoteUser = $defaultUserName unless defined $userToWikiList{$remoteUser};
+
      my $remoteAddr = $ENV{'REMOTE_ADDR'} || "";

      if( ( ! $doRememberRemoteUser ) || ( ! $remoteAddr ) ) {
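Review bot: The added line overwrites $remoteUser unconditionally for every login that is missing from %userToWikiList, so the authenticated name is discarded before the $doRememberRemoteUser check that follows and is no longer available to anything after this point, logging included. Put the substitution behind a configuration flag so that sites accepting authenticated but unregistered users keep the current behaviour, and keep the original login in a separate variable instead of reusing $remoteUser. For the lookup itself, "exists $userToWikiList{$remoteUser}" states the intent (is there an entry) more precisely than "defined", and the new line deserves a short comment saying why unknown logins fall back to $defaultUserName.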

TWiki version: TWikiRelease01Feb2003
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: FreeBSD
Web server: apache
Perl version: 5.005
Client OS:  
Web Browser:  

-- MichaelBigby - 08 Nov 2003

Thanks for posting this. I changed it from a BugReport to a FeatureEnhancementRequest since this is the current spec.

Before your patch can be applied we need to investigate if it works at a site like TWiki.org where users are authenticated by their WikiName.

That probably needs to be configurable. At my work we have the policy to allow only authenticated posts; we have a TWikiApplication where we get feedback from employees and we do not request them to be registered TWiki users.

-- PeterThoeny - 08 Nov 2003

I think this ought to be default. I have for a long, long while (until today) wondered why my logs show bogus non-wikiname entries. (Perhaps the logs can be made to show the remote user as well - this is useful information).

-- MartinCleaver - 08 Nov 2003

The option to use the non-wiki name corresponds with the option to use the $remoteusername (see RemoteUserPasswords).

-- SvenDowideit - 01 Jan 2004

If I do the legwork to make this a configurable option, can I get a commitment to get the feature into a scheduled release? DakarRelease perhaps?

-- MichaelBigby - 17 Feb 2004
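
The configurable behaviour discussed in this thread, as an added stand-alone sketch (not TWiki code and not part of the posted patch): it resolves a login with and without the guest fallback, keeps the original login for logging, and shows how a deny list containing TWikiGuest then evaluates. The flag, the sub names and the sample logins are hypothetical, and the "Main." web prefix is left out for brevity.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: login name => WikiName, as a registration
# table would hold it. All names here are hypothetical.
my %user_to_wiki = ( jdoe => 'JohnDoe', asmith => 'AliceSmith' );
my $default_user = 'TWikiGuest';

# Resolve an authenticated login to a WikiName.
# $map_unknown_to_guest is a hypothetical site switch:
#   1 = unregistered logins become the guest user
#   0 = unregistered logins keep their login name (the behaviour reported)
# The original login is returned as well so it can still be logged.
sub resolve_user {
    my ( $remote_user, $map_unknown_to_guest ) = @_;
    $remote_user = '' unless defined $remote_user;
    my $wiki_name;
    if ( $remote_user eq '' ) {
        $wiki_name = $default_user;                 # not authenticated
    }
    elsif ( exists $user_to_wiki{$remote_user} ) {
        $wiki_name = $user_to_wiki{$remote_user};   # registered user
    }
    else {
        $wiki_name = $map_unknown_to_guest ? $default_user : $remote_user;
    }
    return ( $wiki_name, $remote_user );
}

# Simplified deny-list check standing in for DENYWEBCHANGE evaluation.
sub may_change {
    my ( $wiki_name, @denied ) = @_;
    return ( grep { $_ eq $wiki_name } @denied ) ? 0 : 1;
}

my @deny_web_change = ('TWikiGuest');
for my $flag ( 0, 1 ) {
    for my $login ( 'jdoe', 'unreg42', '' ) {
        my ( $wiki, $orig ) = resolve_user( $login, $flag );
        printf "map_unknown=%d login=%-8s wikiname=%-10s change=%s\n",
            $flag, ( $orig eq '' ? '(none)' : $orig ), $wiki,
            may_change( $wiki, @deny_web_change ) ? 'allowed' : 'denied';
    }
}
```

With the flag off, the unregistered login unreg42 resolves to its own name and passes the deny list; with the flag on it resolves to TWikiGuest and is denied, while the original login stays available for the log line.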

Topic revision: r9 - 2004-05-20 - PeterThoeny
 