
Question

Ok, using the ALLOWWEBVIEW thing along with a quick hack (see SearchCanBypassAllowWebView) I think I have a reasonable solution for having partial visibility. BUT I want it such that TWiki will force users to switch to SSL links when going to restricted webs. Does TWiki know whether the script executed from an http:// URL or an https:// one? If so, I guess I could create a new attribute (REQUIRESECURE) and then check for it and redirect in all the scripts. Thoughts?

  • TWiki version:
  • Web server:
  • Server OS:
  • Web browser:
  • Client OS:

-- MattWalsh - 05 Sep 2002

Answer

Not sure if this is an answer, but TWiki.TWikiAccessControl shows you how to force a login for not yet authenticated users based on a viewauth redirect. In your case you could hack the script to redirect to https instead?

At runtime you could determine the protocol based on the $TWiki::urlHost variable or the SCRIPT_URI env variable.

-- PeterThoeny - 07 Sep 2002

Followup

Ok, I inserted this simple code in my view script, right at the beginning of the 'main' function. I'm using the setup as described in TWikiAccessControl, where I symlink viewauth to view.

    # MattWalsh: Force restricted webs (those that use viewauth) to use
    #            SSL (https://)
    my $myScriptName = $ENV{'SCRIPT_FILENAME'};
    if ($theUrl =~ m/^http:\/\// and $myScriptName =~ m/viewauth$/) {
        $theUrl =~ s!^http://!https://!;
        TWiki::redirect( $query , "$theUrl/$webName/$topic" );
    }

Now this isn't perfect, as the edit and other scripts are still not foolproof. But, assuming someone always starts with the view script, only an intentional changing of the URL back to http:// should cause a problem.

Depending on whether anyone else finds this useful, one might want to include this in the TWikiAccessControl. Personally, I feel like if you restrict a web from view access, it should also be hidden via SSL.

Followup

For my personal use, I want a more complex behaviour, which I describe in UseSSLforAuthenticatedAccess.

-- LouisGranboulan - 25 Jun 2004
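
As an added example (not part of the original posts and not TWiki code), the Perl helper below generalizes the view-script redirect discussed above so that edit, save and the other scripts can share one check, using the HTTPS and SCRIPT_URI environment variables to detect the protocol. The name secure_action and the sample environments are hypothetical; it assumes Perl 5.10 or later and the standard CGI variables REQUEST_METHOD, SERVER_NAME, SCRIPT_NAME, PATH_INFO and QUERY_STRING.

```perl
use strict;
use warnings;

# Hypothetical helper (not a TWiki function). Decides what a script should do
# with a request for a restricted web, given the CGI environment hash:
#   ('ok')              request already arrived over SSL
#   ('redirect', $url)  safe to send the browser to the https:// URL
#   ('deny')            refuse: the request cannot be safely redirected
sub secure_action {
    my ($env) = @_;

    # mod_ssl sets HTTPS=on; SCRIPT_URI (from mod_rewrite) carries the scheme.
    return ('ok') if lc( $env->{HTTPS} // '' ) eq 'on';
    return ('ok') if ( $env->{SCRIPT_URI} // '' ) =~ m{^https://}i;

    # A POST over http:// has already sent its body in the clear, and a
    # redirect would drop it, so only GET and HEAD are redirected.
    return ('deny') unless ( $env->{REQUEST_METHOD} // '' ) =~ /^(?:GET|HEAD)$/;

    # The host ends up in a Location header: accept only a plain host name.
    my $host = $env->{SERVER_NAME} // '';
    return ('deny') unless $host =~ /^[A-Za-z0-9.-]+$/;

    # Rebuild the path from script name plus /Web/Topic, percent-encoding
    # anything outside the unreserved set so no control character survives.
    my $path = ( $env->{SCRIPT_NAME} // '' ) . ( $env->{PATH_INFO} // '' );
    $path =~ s{([^A-Za-z0-9\-._~/])}{sprintf '%%%02X', ord $1}ge;

    # QUERY_STRING is passed through as received; reject stray control bytes.
    my $qs = $env->{QUERY_STRING} // '';
    return ('deny') if $qs =~ /[\x00-\x20\x7f]/;
    $path .= "?$qs" if length $qs;

    return ( 'redirect', "https://$host$path" );
}

# Constructed sample environments (not captured from a real server).
my @samples = (
    { REQUEST_METHOD => 'GET', SERVER_NAME => 'wiki.example.com',
      SCRIPT_NAME => '/bin/viewauth', PATH_INFO => '/Private/WebHome' },
    { REQUEST_METHOD => 'GET', HTTPS => 'on', SERVER_NAME => 'wiki.example.com',
      SCRIPT_NAME => '/bin/viewauth', PATH_INFO => '/Private/WebHome' },
    { REQUEST_METHOD => 'POST', SERVER_NAME => 'wiki.example.com',
      SCRIPT_NAME => '/bin/save', PATH_INFO => '/Private/WebHome' },
);
print join( ' ', secure_action($_) ), "\n" for @samples;
```

A script would call secure_action(\%ENV) before any output and act on the first element of the returned list.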

Topic revision: r4 - 2004-06-25 - LouisGranboulan
 