Question
I'm trying to get access control set up, following the "Authenticate all Webs and Restrict Selected Webs" example in TWikiAccessControl. When I open up a page it prompts for a password, and fails if I don't authenticate. I have a web I created called LTSA, and in LTSA.WebPreferences I put my username in the existing ALLOWWEBVIEW setting, like so:
* Users or groups who are not / are allowed to view / change / rename topics in the LTSA web: (See TWikiAccessControl)
* Set DENYWEBVIEW =
* Set ALLOWWEBVIEW = Main.DanielMundy
Now the problem is, once a user has authenticated, they can access the LTSA web. It doesn't even seem to matter if I add e.g. Main.FredBob to DENYWEBVIEW, he can still view the LTSA web.
Is there something I have to do to make TWiki check my access control settings for a web? I have read through the documentation so many times and can't see what I've missed out.
I copied the latest version of testenv from cvs, and the output can be found at
http://linuxterminal.com/twiki/bin/testenv
Also attached is my lib/TWiki.cfg:
https://twiki.org/p/pub/Support/AccessControlSettingsDontTakeEffect/TWiki.cfg
I will gladly provide any more information that is needed.
- TWiki version: from readme.txt, "Version: 01 Feb 2003"
- Perl version: v5.6.0 built for i386-linux
- Web server & version: apache-1.3.27-1.7.2
- Server OS: Redhat Linux 7.3
- Web browser & version: mozilla 1.3, IE 5.0
- Client OS: Redhat Linux 7.3, Windows 98
--
DanielMundy - 12 Jun 2003
Answer
Is the user authenticated in view? See details in TWikiUserAuthentication.
--
PeterThoeny - 14 Jun 2003
I think so. It does ask me for a password when I try to access any page of the wiki, as I have the following lines in /var/www/html/twiki/bin/.htaccess:
<Files "view">
require valid-user
</Files>
--
DanielMundy - 16 Jun 2003
Are you and Main.FredBob in the TWikiAdminGroup on your site? Admins can view all content regardless of the settings.
Regards,
Peter
--
PeterThoeny - 16 Jun 2003
Aaah! Thanks Peter, that was the problem.
One other thing though, when I take out view from .htaccess, so that only viewauth is authenticated, unauthenticated users can reach the page, even with
Set ALLOWWEBVIEW = Main.DanielMundy
E.g., it doesn't ask for authentication when I access http://linuxterminal.com/twiki/bin/view/LTSA/WebHome, but it does ask when I access http://linuxterminal.com/twiki/bin/viewauth/LTSA/WebHome. I was just wondering, at which point (if it works how I understand) does view redirect you to viewauth? Is there a configuration option I'm missing to enable this or something?
--
DanielMundy - 16 Jun 2003
You need to set the remember flag in TWiki.cfg. See details in TWikiUserAuthentication.
--
PeterThoeny - 18 Jun 2003
I don't understand how this would affect my situation. (btw, I did already have the remember flag set (if you are indeed talking about the $doRememberRemoteUser flag in TWiki.cfg)). From my understanding, remember simply means that you only have to login once, as for all subsequent logins you are remembered by your IP.
When I type in the address, if I type bin/view it doesn't ask for a password, and if I use bin/viewauth, it does. This seems too easy for someone to bypass the security.
--
DanielMundy - 23 Jun 2003
Heh, I just noticed that because remember was set, even when I closed/reopened Mozilla to test (assuming that since mozilla didn't ask me to authenticate, I was now guest), that I was really logged in as my own user (which has admin rights).
Thanks for your patience
--
DanielMundy - 24 Jun 2003
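
The two surprises in this thread (admin group members bypassing the web's ALLOW/DENY settings, and a remembered login being reused on the unauthenticated view script) can be reproduced with a small model. This is an added example, not TWiki code and not part of the original thread: the Site class, its method names, the guest name, the deny-before-allow order and the sample IP addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

GUEST = "Main.TWikiGuest"  # assumed name for the unauthenticated user


@dataclass
class Site:
    admins: set                                     # members of the admin group
    remember: bool = True                           # models $doRememberRemoteUser
    remembered: dict = field(default_factory=dict)  # client IP -> wiki name

    def resolve_user(self, remote_user, ip):
        """Decide who is asking: web server login, remembered IP, or guest."""
        if remote_user:                 # script protected by 'require valid-user'
            if self.remember:
                self.remembered[ip] = remote_user
            return remote_user
        if self.remember and ip in self.remembered:
            return self.remembered[ip]  # no login prompt, but not a guest either
        return GUEST

    def may_view(self, user, allow, deny):
        """Web-level view check in the order the thread implies."""
        if user in self.admins:
            return True    # admins see everything; ALLOW/DENY never consulted
        if user in deny:
            return False   # listed in DENYWEBVIEW
        if allow and user not in allow:
            return False   # ALLOWWEBVIEW is set and the user is not in it
        return True


def thread_scenarios():
    """Replay the thread with constructed data; returns the outcomes."""
    allow, deny = {"Main.DanielMundy"}, {"Main.FredBob"}
    site = Site(admins={"Main.DanielMundy", "Main.FredBob"})
    out = {"admin_fredbob": site.may_view("Main.FredBob", allow, deny)}
    site.admins.discard("Main.FredBob")
    out["plain_fredbob"] = site.may_view("Main.FredBob", allow, deny)
    # Log in once through viewauth, then request plain view from the same IP.
    site.resolve_user("Main.DanielMundy", "192.0.2.10")
    out["same_ip_user"] = site.resolve_user(None, "192.0.2.10")
    # A client that never authenticated is a guest and is refused.
    guest = site.resolve_user(None, "192.0.2.99")
    out["fresh_ip_view"] = site.may_view(guest, allow, deny)
    return out


if __name__ == "__main__":
    for name, value in thread_scenarios().items():
        print(f"{name}: {value}")
```

When testing access settings like these, use an account outside the admin group and a client the site has not remembered, otherwise the restriction appears to have no effect.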