Bug: Personal Sidebar should check user against owner
Summary: A topic for User A should not be pre-filled, by default, from a template personalized for User B.
One of my company's users just created a personal sidebar (pattern skin). Unfortunately, while he thought he was creating his own sidebar he really created it for TWikiGuest. I have worked around future such problems by explicitly editing the TWikiGuest sidebar so this error will not happen again. However, that's a workaround. The problem should not have occurred.
I'm not going to argue that a user should not be able to edit the TWikiGuest sidebar. I know that many embrace this ability as central to Wiki Culture. However, in this particular case I think we have a loophole.
TWiki does not, normally, consider the concept of "ownership". The exception is home pages which, in theory, "belong" to a given registered user. The Personal Sidebar page falls into this category.
Watch the steps:
1) Access TWiki. Unless you have a cookie, you will be TWikiGuest. Nothing on the page will tell you that. There is no "Welcome Guest" message, no login link, no clues.
2) Click "Create personal sidebar". The link is to the file/topic TWikiGuestLeftBar. (You don't notice this. :-/)
3) You get an authentication dialog, into which you type your own ID and password.
4) Here is where things diverge from the expected. The bug appears at this point.
5) The page is pre-filled with potentially useful content. For example, if I had just authenticated myself as VickiBrown, the page will contain:
* *My links*
* [[Main.VickiBrown][My home page]]
* <a href="%SCRIPTURL%/search%SCRIPTSUFFIX%/Codev/?search=InterestedParties.*VickiBrown&regex=on"...
mo$day$hours$minutes$seconds"}%">edit</a></div>
So we see the bug. I am editing the TWikiGuest sidebar but the helpful content is VickiBrown. I expect the content to be for myself and I overlook the filename. I think this is my sidebar. I am given several strong hints that this is my sidebar and no compelling reasons to think it isn't.
The Unix analogy would be to run
vi ~/.bashrc
and find yourself editing
/etc/bashrc instead.
So... what can we do?
We could check that the user who just authenticated matches the username variable that was used to create the topic in the first place:
VickiBrown = TWikiGuest
We could insert a different template if the user doesn't match the "owner" of the topic. The template could even put up some helpful commentary: "You are VickiBrown. You are editing the personal sidebar for TWikiGuest".
Note that I'm NOT saying that user A should not be able to edit the sidebar for TWikiGuest (or user B for that matter). I'm only saying that this should not happen without the explicit understanding on the part of user A that this is not, in fact, his own sidebar!
A topic for User A should not be pre-filled, by default, from a template personalized for User B.
Test case
Environment
--
VickiBrown - 17 Dec 2004
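The ownership check proposed in the report above, as an added example that is not TWiki's own code (TWiki is written in Perl; this is plain Python showing only the decision logic). It assumes the naming convention the report shows, that a personal sidebar topic is named WikiName followed by "LeftBar" (e.g. TWikiGuestLeftBar), and the sidebar content it generates is a constructed stand-in for the real template. `buggy_prefill` reproduces the behaviour described in the report; `prefill` derives the owner from the topic name, compares it with the authenticated editor, and on a mismatch personalizes for the owner and adds the suggested notice instead of silently filling in the editor's own links.

```python
# Added example: owner-vs-editor check for TWiki-style personal sidebar topics.
# Not TWiki's code. Assumes the convention the report shows: the personal
# sidebar topic is <WikiName>LeftBar (e.g. TWikiGuestLeftBar).

GUEST = "TWikiGuest"   # TWiki's default identity for an unauthenticated user
SUFFIX = "LeftBar"     # assumed suffix of personal sidebar topics


def is_wikiname(name):
    """WikiName: alphanumeric, starts with a capital, at least two capitals."""
    return (name[:1].isupper() and name.isalnum()
            and sum(c.isupper() for c in name) >= 2)


def sidebar_owner(topic):
    """WikiName that 'owns' a personal sidebar topic, or None if the topic
    is not a personal sidebar at all."""
    if not topic.endswith(SUFFIX):
        return None
    owner = topic[: -len(SUFFIX)]
    return owner if is_wikiname(owner) else None


def personalized_template(user):
    """Constructed stand-in for the pre-filled sidebar content."""
    return "\n".join([
        "   * *My links*",
        f"      * [[Main.{user}][My home page]]",
    ])


def buggy_prefill(topic, editor):
    """Behaviour the report describes: personalize for whoever just
    authenticated, regardless of which topic is being created."""
    return personalized_template(editor)


def prefill(topic, editor):
    """Proposed behaviour: compare the authenticated editor with the owner
    derived from the topic name. Returns owner, mismatch flag and content."""
    owner = sidebar_owner(topic)
    if owner is None:
        raise ValueError(f"{topic} is not a personal sidebar topic")
    if owner == editor:
        return {"owner": owner, "editor": editor, "mismatch": False,
                "content": personalized_template(owner)}
    # Mismatch: the edit is still allowed (the report does not ask to forbid
    # it), but the page says plainly whose sidebar this is, and the helpful
    # content is for the owner, not for the person who happened to log in.
    notice = (f"   * *Notice*: You are {editor}. You are editing the personal "
              f"sidebar for {owner}, not your own.")
    return {"owner": owner, "editor": editor, "mismatch": True,
            "content": notice + "\n" + personalized_template(owner)}


if __name__ == "__main__":
    # The reported scenario: guest link, VickiBrown authenticates.
    print("--- current behaviour ---")
    print(buggy_prefill("TWikiGuestLeftBar", "VickiBrown"))
    print("--- with the owner check ---")
    print(prefill("TWikiGuestLeftBar", "VickiBrown")["content"])
```

Run as a script it prints the two pre-fills side by side for the TWikiGuestLeftBar case: the first is personalized for VickiBrown (the bug), the second is personalized for TWikiGuest and carries the notice. The same check would also let the "Create personal sidebar" link be labelled with the owner's name when the current identity is TWikiGuest, which addresses step 1 of the report.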
Follow up
You're right Vicki, this is a bug. Thanks for explaining it so clearly.
I cleaned up the guest left bar on twiki.org a few weeks ago. At the time I thought it was just someone messing about. Now I see that it was completely innocent. (I've not created a personal bar myself so haven't gone through the process.)
--
MattWilkie - 19 Dec 2004
I'm not sure if this is the same thing... but I have a similar problem. For me, the link always shows up as TWikiGuestLeftBar, because TWikiGuest always equals TWikiGuest. My site requires login for edits, and it (or apache) remembers the login after the first edit, but TWiki doesn't seem to know who is logged in, except during edits. During an edit, if I write TWikiGuest, during the edit preview it will become DavidGrant. So anyway, the "Create personal sidebar" link always resolves to creating a TWiki Guest menu, and even the menu that all the users see ends up being the TWikiGuest menu. This is because TWikiGuest = TWikiGuest always for me. Maybe this is a separate issue.
--
DavidGrant - 15 Jan 2005
Fix record