Motivation
You may want to allow or deny access to a topic in addition to the users allowed or denied with ALLOWWEB* or DENYWEB*.
It would be nice if a change to ALLOWWEB* or DENYWEB* were reflected in the topic-level restriction.
This is achievable if ALLOWWEB* or DENYWEB* consists only of a TWiki group.
Let's assume the following line is there on WebPreferences.
* Set ALLOWWEBVIEW = AccessGroup
Then the following line on a topic makes the topic viewable to the users having web level access plus CronieGroup members.
* Set ALLOWTOPICVIEW = AccessGroup, CronieGroup
But this is not flexible.
And there is no guarantee that nothing will be added to ALLOWWEBVIEW later.
Description and Documentation
If ALLOWTOPIC* or DENYTOPIC* starts with +, it's treated as if the corresponding ALLOWWEB* or DENYWEB* is inserted there.
Examples
Let's say the following line is there on WebPreferences.
* Set ALLOWWEBVIEW = AccessGroup
Also assume that the topic ForCronies needs to be viewable by CroniesGroup in addition to AccessGroup.
Then, ForCronies would have the following line.
* Set ALLOWTOPICVIEW = + CroniesGroup
Even if ALLOWWEBVIEW is changed, the ForCronies topic is always viewable by the users allowed by ALLOWWEBVIEW plus CroniesGroup.
Maybe the above example is not so compelling.
Think about a large organization that has a lot of LDAP groups and a TWiki installation configured to be able to use LDAP groups.
Let's assume LDAPGROUP:group-name is the way to specify an LDAP group for access control.
Then you may have the line below on WebPreferences.
* Set ALLOWWEBVIEW = LDAPGROUP:team-tango, LDAPGROUP:team-foxtrot, LDAPGROUP:team-waltz
In that case, duplicating those three in ALLOWTOPICVIEW and adding something to them is cumbersome and may cause inconsistency in the future.
Writing as follows is much cleaner.
* Set ALLOWTOPICVIEW = + LDAPGROUP:team-samba
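The "+" rule and the drift problem from the Motivation section can be modelled as below. This is an added example, not TWiki code and not the proposal's implementation; the function names and AuditGroup are hypothetical, and values are assumed to be comma-separated as in the examples above.

```python
# Added illustration, not TWiki source. Assumes comma-separated values,
# as in the examples on this page.

def parse_list(value):
    """Split an access-control value into trimmed, non-empty names."""
    return [name.strip() for name in value.split(",") if name.strip()]


def expand_topic_setting(topic_value, web_value):
    """Effective ALLOWTOPIC*/DENYTOPIC* list under the proposed "+" rule.

    A leading "+" stands for the entries of the corresponding
    ALLOWWEB*/DENYWEB* value; without it the topic value is used as written.
    """
    text = topic_value.strip()
    if not text.startswith("+"):
        return parse_list(text)
    merged = parse_list(web_value) + parse_list(text[1:])
    # Remove duplicates while keeping first-seen order.
    return list(dict.fromkeys(merged))


def missing_web_entries(topic_value, web_value):
    """Web-level entries the topic's effective list no longer covers."""
    effective = set(expand_topic_setting(topic_value, web_value))
    return [name for name in parse_list(web_value) if name not in effective]


if __name__ == "__main__":
    # Constructed scenario: AuditGroup (hypothetical) is added to
    # ALLOWWEBVIEW after the topic settings were written.
    web_after = "AccessGroup, AuditGroup"
    for topic_value in ("AccessGroup, CroniesGroup", "+ CroniesGroup"):
        print(topic_value, "->", expand_topic_setting(topic_value, web_after),
              "missing:", missing_web_entries(topic_value, web_after))
```

Running missing_web_entries over every topic that sets ALLOWTOPIC* or DENYTOPIC* by hand shows which topics have fallen out of step with the web-level setting.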
Impact
Implementation
--
Contributors:
Hideyo Imazu - 2016-12-09
Discussion
Looks good to me!
--
Peter Thoeny - 2017-01-05