Some time ago Peter mentioned that the view security in TWiki was not complete. For example, view permissions on a topic are ignored when searching. Some thoughts on this:
- We should obey view restrictions in search - summaries should not be shown, but neither should a topic be listed if the user doesn't have access to it.
- The rename script uses the == variable and makes sure the user is logged in, so checks can be done correctly. However, at other times the user is likely to be logged in as guest, so how do we give them the option to log in? If they've already logged in, it's a shame we don't know this if we're just viewing. At DrKW we deal with this by maintaining session information (in our case using a session cookie).
- Doing a security check currently means the full topic must be loaded, as Set ALLOWTOPICVIEW could be anywhere in the topic - it might be worth instead having it as META information at the top of the topic. See FormTemplateFutureIdeas.
--
JohnTalintyre - 03 Jul 2001
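As an added illustration of the two points above (a search should drop protected topics entirely rather than only hide their summaries, and the whole topic must be read because the Set line can sit anywhere in it), here is a small Python model. It is not TWiki's Perl code; the sample topics, the group membership and the simplified DENY-then-ALLOW evaluation are constructed assumptions.

```python
import re

# Constructed sample topics (not real TWiki data). The access setting can appear
# anywhere in the text, which is why the full topic has to be read to check it.
TOPICS = {
    "PublicNotes": "Public notes mention supercalifragilistic.\n",
    "HrSalaries": ("Salary review for Q3.\n"
                   "   * Set ALLOWTOPICVIEW = HrGroup, PeterThoeny\n"
                   "Confidential: supercalifragilistic bonus pool.\n"),
    "LegalMemo": ("Legal memo.\n   * Set DENYTOPICVIEW = TWikiGuest\n"
                  "The supercalifragilistic clause.\n"),
}
# Constructed group membership (TWiki keeps groups in topics; simplified here).
GROUPS = {"HrGroup": {"JohnTalintyre", "GrantBow"}}

SETTING_RE = re.compile(r"^\s+\*\s+Set\s+(ALLOWTOPICVIEW|DENYTOPICVIEW)\s*=\s*(.*)$", re.M)

def parse_view_settings(text):
    """Collect ALLOWTOPICVIEW / DENYTOPICVIEW lists found anywhere in the topic text."""
    settings = {}
    for name, value in SETTING_RE.findall(text):
        settings[name] = {v.strip() for v in value.split(",") if v.strip()}
    return settings

def expand(names):
    """Replace group names by their members; plain user names pass through."""
    members = set()
    for n in names:
        members |= GROUPS.get(n, {n})
    return members

def can_view(user, text):
    """DENY is checked first, then ALLOW; no ALLOW setting means open to everyone."""
    s = parse_view_settings(text)
    if user in expand(s.get("DENYTOPICVIEW", set())):
        return False
    allow = s.get("ALLOWTOPICVIEW")
    return allow is None or user in expand(allow)

def summary(text, term):
    """First line containing the term, as a search listing would show it."""
    for line in text.splitlines():
        if term.lower() in line.lower():
            return line.strip()
    return ""

def search(user, term):
    """List (topic, summary) only for topics the user may view; protected ones are not even named."""
    return [(name, summary(text, term)) for name, text in TOPICS.items()
            if term.lower() in text.lower() and can_view(user, text)]
```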
Search does now check permission. Other points have been debated elsewhere.
--
JohnTalintyre - 27 Sep 2001
Which permissions does search now check? Where else has this been debated?
On a test topic I set both ALLOWTOPICVIEW and ALLOWTOPICEDIT and it still shows up in this search.
Searched: supercalifragilistic
--
GrantBow - 13 Jan 2003
Grant, I think the "No permission to read this topic" is the secure behavior as (originally) intended. Previous versions of TWiki would actually show text from the topic even if the topic was secured from view. You do have a good point though about even showing topics that match certain searches.
--
JohnCavanaugh - 14 Jan 2003
John, am I missing something or did you just describe what is happening right now on the current twiki.org? You can even see where I set the ALLOWTOPICVIEW to only me. If it was fixed it obviously isn't fixed at this particular moment.
--
GrantBow - 14 Jan 2003
Grant and John, both of you are right. Grant can see the topic text because he is authenticated and he has the right to see the topic; and John gets the "No permission" text because he has no permissions to see the topic. This is the new spec. Grant, to test this out restart your browser and log in as TWikiGuest, guest. TWiki.org is set to remember users by IP address when you view a topic, that is, the view script knows who you are even though the script is not under basic authentication.
As John points out, SearchShouldExcludeViewProtectedTopics could be a logical enhancement. Once done, the ALLOWTOPICVIEW can be documented (it is not because it is not very secure.)
--
PeterThoeny - 14 Jan 2003
Oops, sorry about that John. Of course my test will work for me.
I think documenting and perfecting this feature will be critical for a real Intranet that holds sensitive data like HR, legal, etc.
--
GrantBow - 15 Jan 2003