
Question

I'm trying to get access control set up, following the "Authenticate all Webs and Restrict Selected Webs" example in TWikiAccessControl. When I open up a page it prompts for a password, and fails if I don't authenticate. I have a web I created called LTSA, and in LTSA.WebPreferences I put my username in the existing ALLOWWEBVIEW setting, like so:

   * Users or groups who are not / are allowed to view / change / rename topics in the LTSA web: (See TWikiAccessControl)
      * Set DENYWEBVIEW = 
      * Set ALLOWWEBVIEW = Main.DanielMundy

Now the problem is, once a user has authenticated, they can access the LTSA web. It doesn't even seem to matter if I add e.g. Main.FredBob to DENYWEBVIEW, he can still view the LTSA web.

Is there something I have to do to make TWiki check my access control settings for a web? I have read through the documentation so many times and can't see what I've missed out.

I copied the latest version of testenv from cvs, and the output can be found at http://linuxterminal.com/twiki/bin/testenv

Also attached is my lib/TWiki.cfg: https://twiki.org/p/pub/Support/AccessControlSettingsDontTakeEffect/TWiki.cfg

I will gladly provide any more information that is needed.

  • TWiki version: from readme.txt, "Version: 01 Feb 2003"
  • Perl version: v5.6.0 built for i386-linux
  • Web server & version: apache-1.3.27-1.7.2
  • Server OS: Redhat Linux 7.3
  • Web browser & version: mozilla 1.3, IE 5.0
  • Client OS: Redhat Linux 7.3, Windows 98

-- DanielMundy - 12 Jun 2003

Answer

Is the user authenticated in view? See details in TWikiUserAuthentication.

-- PeterThoeny - 14 Jun 2003

I think so. It does ask me for a password when I try to access any page of the wiki, as I have the following lines in /var/www/html/twiki/bin/.htaccess:

<Files "view">
       require valid-user
</Files>

-- DanielMundy - 16 Jun 2003

Are you and Main.FredBob in the TWikiAdminGroup on your site? Admins can view all content regardless of the settings.

Regards, Peter

-- PeterThoeny - 16 Jun 2003

Aaah! Thanks Peter, that was the problem.

One other thing though, when I take out view from .htaccess, so that only viewauth is authenticated, unauthenticated users can reach the page, even with

Set ALLOWWEBVIEW = Main.DanielMundy

E.g., it doesn't ask for authentication when I access http://linuxterminal.com/twiki/bin/view/LTSA/WebHome, but it does ask when I access http://linuxterminal.com/twiki/bin/viewauth/LTSA/WebHome. I was just wondering, at which point (if it works how I understand) does view redirect you to viewauth? Is there a configuration option I'm missing to enable this or something?

-- DanielMundy - 16 Jun 2003

You need to set the remember flag in TWiki.cfg. See details in TWikiUserAuthentication.

-- PeterThoeny - 18 Jun 2003

I don't understand how this would affect my situation. (btw, I did already have the remember flag set (if you are indeed talking about the $doRememberRemoteUser flag in TWiki.cfg)). From my understanding, remember simply means that you only have to login once, as for all subsequent logins you are remembered by your IP.

When I type in the address, if I type bin/view it doesn't ask for a password, and if I use bin/viewauth, it does. This seems too easy for someone to bypass the security.

-- DanielMundy - 23 Jun 2003

Heh, I just noticed that because remember was set, even when I closed/reopened Mozilla to test (assuming that since Mozilla didn't ask me to authenticate, I was now guest), that I was really logged in as my own user (which has admin rights).

Thanks for your patience :)

-- DanielMundy - 24 Jun 2003
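
The two surprises in this thread (a user in DENYWEBVIEW who can still view, and bin/view not prompting after an earlier login) replayed in a small model. This is an added example, not part of the original thread and not TWiki's own code: the rule order, the function and class names, and the client IP addresses are assumptions made for illustration.

```python
# Simplified model of the view-access decision; an assumption, not TWiki source.
from dataclasses import dataclass, field

GUEST = "Main.TWikiGuest"

@dataclass
class Web:
    allow_view: set = field(default_factory=set)   # ALLOWWEBVIEW
    deny_view: set = field(default_factory=set)    # DENYWEBVIEW

@dataclass
class Site:
    admins: set                                    # members of TWikiAdminGroup
    remember: bool                                 # $doRememberRemoteUser
    ip_to_user: dict = field(default_factory=dict)

def effective_user(site, script_authenticated, http_user, client_ip):
    if script_authenticated and http_user:
        if site.remember:
            site.ip_to_user[client_ip] = http_user   # remembered by IP
        return http_user
    if site.remember and client_ip in site.ip_to_user:
        return site.ip_to_user[client_ip]            # no prompt, yet not guest
    return GUEST

def may_view(site, web, user):
    if user in site.admins:
        return True, "admin group bypasses web settings"
    if user in web.deny_view:
        return False, "listed in DENYWEBVIEW"
    if web.allow_view and user not in web.allow_view:
        return False, "not listed in ALLOWWEBVIEW"
    return True, "permitted"

def replay_thread():
    # Constructed scenario; names from the thread, IPs are documentation addresses.
    ltsa = Web(allow_view={"Main.DanielMundy"}, deny_view={"Main.FredBob"})
    site = Site(admins={"Main.DanielMundy", "Main.FredBob"}, remember=True)
    out = {"fredbob_admin": may_view(site, ltsa, "Main.FredBob")[0]}
    # Log in once via viewauth, then request unauthenticated view from the same IP.
    effective_user(site, True, "Main.DanielMundy", "192.0.2.10")
    who = effective_user(site, False, None, "192.0.2.10")
    out["view_after_login"] = (who, may_view(site, ltsa, who)[0])
    # A client with no remembered login is the guest and is refused.
    who = effective_user(site, False, None, "192.0.2.99")
    out["fresh_client"] = (who, may_view(site, ltsa, who)[0])
    # The denied user once removed from the admin group.
    site.admins.discard("Main.FredBob")
    out["fredbob_non_admin"] = may_view(site, ltsa, "Main.FredBob")[0]
    return out
```

When verifying web restrictions, test with an account outside TWikiAdminGroup and from a client that has no remembered login, otherwise the result reflects the tester's privileges rather than the web's settings.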

Topic revision: r8 - 2003-06-24 - DanielMundy
 
Copyright © 1999-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.