
Question

We have a number of webs on a single server. The problem is that some of these are limited to a certain set of people (yes, I know that's against Wiki philosophy but sometimes there are business reasons).

Since the delete topic function from all the webs use the same Trash web, anyone can browse it and get to sensitive information. The question is how to close this security breach? Any suggestions?

Environment

TWiki version: TWikiRelease02Sep2004
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS:  
Web server:  
Perl version:  
Client OS:  
Web Browser:  
Categories: Installation, Permissions, Authentication, Security, Authorisation

-- PankajPant - 13 Oct 2005

Answer

ALERT! If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.

Simple solution: Lock down the Trash web by setting ALLOWTOPICVIEW to the TWikiAdminGroup (in Trash.WebPreferences)

-- PeterThoeny - 13 Oct 2005

Did you mean ALLOWWEBVIEW?

And would that still let people continue to delete topics? It would be OK for only the admins to be able to "undelete".

Thanks.

-- PankajPant - 13 Oct 2005

Sorry, yes, ALLOWWEBVIEW.

Yes to the second question.

-- PeterThoeny - 13 Oct 2005

This doesn't work. The text of the topic after the move gets replaced by "No permission to read topic Trash.Topic - perhaps you need to log in?".

I tracked it down to Store::renameTopic, which calls Store::readTopicRaw in order to modify the "moved" metadata. However, since the user does not have permissions to view the topic, the above text gets returned.

-- PankajPant - 24 Oct 2005
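An illustrative reconstruction of the failure mode described above, added here as an example and not TWiki's own code: a toy store with a web-level view ACL on Trash, a rename routine that re-reads the moved topic through the ACL-checked path (buggy) and one that uses a raw store read (fixed). All web, topic, user and group names and the topic text are constructed.

```perl
use strict; use warnings;

# Constructed toy store and ACL, not TWiki's code: web => topic => text.
my %store = ( Sandbox => { Secret => "Confidential notes\n" }, Trash => {} );
my %web_view_allow = ( Trash => 'TWikiAdminGroup' );  # ALLOWWEBVIEW on Trash
my %group_of = ( alice => 'TWikiAdminGroup', bob => 'UsersGroup' );

sub can_view {
    my ($user, $web) = @_;
    return 1 unless defined $web_view_allow{$web};
    return $group_of{$user} eq $web_view_allow{$web};
}

# ACL-checked read: hands back a denial message in place of the topic text.
sub read_topic {
    my ($user, $web, $topic) = @_;
    return "No permission to read topic $web.$topic - perhaps you need to log in?\n"
        unless can_view($user, $web);
    return $store{$web}{$topic};
}

# Store-level read with no ACL check.
sub read_topic_raw { my ($web, $topic) = @_; return $store{$web}{$topic}; }
sub append_moved_meta {
    my ($text, $from, $topic, $user) = @_;
    return $text . "%META:TOPICMOVED{from=\"$from.$topic\" by=\"$user\"}%\n";
}

# Buggy: re-reads the moved topic through the viewer's ACL, so a non-admin
# deleting into a locked Trash web stores the denial message as the text.
sub rename_topic_buggy {
    my ($user, $from, $to, $topic) = @_;
    $store{$to}{$topic} = delete $store{$from}{$topic};
    $store{$to}{$topic} = append_moved_meta(read_topic($user, $to, $topic), $from, $topic, $user);
}

# Fixed: the mover was already authorised on the source topic, so the
# post-move re-read bypasses the destination web's view ACL.
sub rename_topic_fixed {
    my ($user, $from, $to, $topic) = @_;
    $store{$to}{$topic} = delete $store{$from}{$topic};
    $store{$to}{$topic} = append_moved_meta(read_topic_raw($to, $topic), $from, $topic, $user);
}

rename_topic_buggy('bob', 'Sandbox', 'Trash', 'Secret');
print "buggy:\n", read_topic_raw('Trash', 'Secret');    # denial text + META
$store{Sandbox}{Secret} = "Confidential notes\n"; delete $store{Trash}{Secret};  # reset
rename_topic_fixed('bob', 'Sandbox', 'Trash', 'Secret');
print "fixed:\n", read_topic_raw('Trash', 'Secret');    # original text + META
print "bob sees: ", read_topic('bob', 'Trash', 'Secret'); # still denied after the fix
```

The fixed variant keeps the Trash web locked to admins for viewing while letting ordinary users delete topics without corrupting their content.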

This is fixed in the DakarRelease.

-- PeterThoeny - 14 Nov 2005

Topic revision: r6 - 2005-11-14 - PeterThoeny