Bug: Read Permissions sometimes ignored

As noted in DisableCrossWebIncludes restricted read access on Webs can be circumvented using book view in searches and using cross Web include.

Test case

See DisableCrossWebIncludes

Environment

-- JohnTalintyre - 18 Sep 2002

Follow up

I thought this was important to fix given the focus on Intranets. Whilst most aspects of a Wiki require common read and write, you do find within a company that security restrictions are desired in some cases. Given the TWiki has such capabilities it is important that they work completely.

Fix record

Read restrictions are now checked in the low level case in Store.pm that reads topics. Note that it is assumed that the TWiki and Main Webs can be read by anyone. If there is some restricted content in the requested topic the view script used to switch viewauth if present. This now happens if any topic being read has restrictions. Note that with the SessionPlugin, once a user is logged in their identity is remembered (until browser closed) and so redirect to viewauth may not be required.

If authenication doesn't give access text will be present when viewing the including topic, indicating that the included topic couldn't be read. The above also applies to use of book view in search, although there is no searchauth script to re-direct to.

Note that:

• Search can still show the names of topics
• Attachments are still public - since they are made available directly by the Web server, a different mechanism is required.

-- JohnTalintyre - 18 Sep 2002