Question
I have both view and viewauth in my .htaccess file. I was hoping to have a login page where the user can either supply a username and password, or go to the registration page and create a new login.
This is kinda hard when the registration page requires authentication. Any ideas on how to achieve what I want?
--
DanielMundy - 24 Jun 2003
Answer
Simply copy the HTML text of the registration page to a non-authenticated static HTML page.
From your entry page (also static, non-authenticated) you can add a "login" link pointing to TWiki's home.
--
PeterThoeny - 24 Jun 2003
Followup Question
Can you elaborate more on this? I found the registration script did not work when I copied the HTML text from ../data/TWiki/Registration.txt to another web page. Is that what you meant? Or should the register script be run from somewhere else?
I am trying to use the TWiki for my course, and I want students to use their real names to register, but I don't want them visible to the whole world. Otherwise, I would be happy just creating a web for them and limiting access for that web. What would be simplest is to use a separate password file to limit access via httpd.conf to the whole twiki directory, and then use TWiki access control to limit access to preferences pages and so forth. I can't figure out how to do this though. When I put authentication options for the twiki directory in httpd.conf, .htaccess kicks in instead.
--
JohnNorvell - 10 Feb 2004
Followup Reply
I'll try to illustrate the setup at our site since I think it is quite similar to what you need. It's a public twiki installation but some of the webs have restricted read-access for certain groups of students/members only. This means that the view-script needs to be authenticated and the "normal" registration page cannot be viewed by a non-registered user. You can see a working version of this at http://lenz.uni-koblenz.de/twiki/ (index.html, register.html) - it is German only but probably helpful anyway.
- Let's assume your twiki address is sth like "http://xx.yy.zz/twiki/"
- Usually, all requests for "http://xx.yy.zz/twiki/" are redirected (by the webserver, e.g. Apache) to "http://xx.yy.zz/twiki/bin/view". You have to delete (comment out) this redirect.
- For Apache, this setting can be found in http.conf, it should look sth like this:
<Directory "/srv/www/htdocs/twiki">
#Redirect /twiki/index.html http://lenz.uni-koblenz.de/twiki/bin/view
AuthUserFile /srv/www/htdocs/twiki/data/.htpasswd
ErrorDocument 401 //twiki/bin/oops/TWiki/TWikiRegistration?template=o$
</Directory>
- Notice the "#"-character in front of the "Redirect"-statement. It disables the redirection mechanism.
Your first change should be: Find the proper redirect-statement in http.conf and disable it by putting a "#"-character in front of it.
- Now, for all requests to "http://xx.yy.zz/twiki/" the webserver will look for a standard html-file in this directory. It is usually named "index.html" (though this can also be changed in http.conf).
- You have to create an index.html file and put it in your twiki-directory.
- In our case, when you go to http://lenz.uni-koblenz.de/twiki/ your browser displays our index.html file.
- On this page you should include a link to a registration page, sth like
To be able to use this wiki you need to <a href="http://xx.yy.zz/twiki/register.html">register</a> first.
- This points users to a static register-page (no auth required).
- All you need to do is create this page and put it in your twiki-directory.
- To create it, you could simply go to the normal, authenticated registration page, click on "View Source", copy the HTML and paste it into your register.html file.
So this would be your second change: create index.html and register.html
The third (and last) change would be to include another link in index.html which points the user to the authenticated wiki proper, sth like:
After registering, please <a href="http://xx.yy.zz/twiki/bin/view/">click here</a> to visit our wiki.
Hope this helps.
--
ChristianKohl - 25 Feb 2004
[Answer to John's last question above] Peter meant that you should:
- Open the registration page in a browser
- Use "View Source of HTML page" (a menu option in most browsers) to view the HTML
- Copy this HTML into a new HTML page.
--
CrawfordCurrie - 03 Jul 2004
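The difference between copying the raw topic text and copying the browser's "View Source" output can be checked mechanically. The sketch below is an added example, not part of the original thread or of TWiki itself; the `/twiki/bin/` prefix, the function names and both sample forms are assumptions constructed for illustration, and the protected-script set is taken from the question ("view and viewauth").

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Scripts the questioner's .htaccess protects; adjust to match your own file.
PROTECTED_SCRIPTS = {"view", "viewauth"}
# TWiki variables such as %SCRIPTURLPATH% are only expanded when TWiki renders the topic.
UNEXPANDED = re.compile(r"%[A-Z][A-Z0-9_]*(?:\{[^}]*\})?%")

class FormActions(HTMLParser):
    """Collect the action attribute of every <form> in the page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def check_static_registration(html, bin_prefix="/twiki/bin/"):
    """Return the problems that would stop a static copy of the form from working."""
    parser = FormActions()
    parser.feed(html)
    problems = []
    if not parser.actions:
        problems.append("no <form> found")
    for action in parser.actions:
        if UNEXPANDED.search(action):
            problems.append(f"unexpanded TWiki variable in action: {action}")
            continue
        path = urlparse(action).path
        if not path.startswith(bin_prefix):
            problems.append(f"action does not target a TWiki script: {action}")
            continue
        script = path[len(bin_prefix):].split("/", 1)[0]
        if script in PROTECTED_SCRIPTS:
            problems.append(f"action posts to authenticated script '{script}'")
    return problems

# Constructed samples (not taken from a real installation).
RAW_TOPIC_TEXT = ('<form action="%SCRIPTURLPATH%/register%SCRIPTSUFFIX%/'
                  '%MAINWEB%/%HOMETOPIC%" method="post"></form>')
VIEW_SOURCE_COPY = ('<form action="http://xx.yy.zz/twiki/bin/register/Main/WebHome" '
                    'method="post"></form>')

if __name__ == "__main__":
    for name, html in [("raw topic text", RAW_TOPIC_TEXT), ("view-source copy", VIEW_SOURCE_COPY)]:
        print(name, "->", check_static_registration(html) or "ok")
```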
The following technique appears to work quite well:
- Create a parallel bin-reg folder with only the view script in it:
myserver (/var/www/twiki)# mkdir bin-reg
myserver (/var/www/twiki)# cd bin-reg
myserver (/var/www/twiki/bin-reg)# ln -s /var/www/twiki/bin/view .
myserver (/var/www/twiki/bin-reg)# ln -s /var/www/twiki/bin/setlib.cfg .
myserver (/var/www/twiki/bin-reg)# vi .htaccess
myserver (/var/www/twiki/bin-reg)# more .htaccess
SetHandler cgi-script
- Edit your Apache2 ssl.conf file.
Alias /twiki/bin/view/TWiki/TWikiRegistration "/var/www/twiki/bin-reg/view/TWiki/TWikiRegistration"
ScriptAlias /twiki/bin-reg/ "/var/www/twiki/bin/"
How it works: The Alias redirects only views to the registration page to the special bin-reg folder. The ScriptAlias redirects all attempts to the bin-reg folder back to the Apache2 authenticated bin folder.
Any hints & tips regarding security loopholes very welcome!
--
SimonHardyFrancis - 30 Nov 2005
Yes, the above has a loophole! Anyone can now view any page on the wiki simply by going to the URL
http://example.com/twiki/bin-reg/view/Webname/TopicName
Registration is no longer required for viewing. All other functions (editing etc) are still protected, but the
point here is to prevent viewing of any page except the registration page. I think this is best done by
creating a static registration page as suggested previously.
Note that there is no security to be gained by denying viewing if you allow people to self-register. This is basically
equivalent to allowing open access, except that you make people jump through a hoop first -- this has certain
advantages, but security is not one of them.
--
BenWheeler - 20 Jul 2006
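A regression check for the loophole described above: request each view URL under every script directory without credentials and report anything that does not answer 401 or 403, apart from an explicit list of public paths. This is an added example, not code from the thread or from TWiki; the function names, the topic list and the `constructed_server` stub (which stands in for a server configured with the bin-reg setup) are assumptions made for illustration.

```python
import urllib.error
import urllib.request

def anonymous_status(url, timeout=5):
    """Status code the server returns when the request carries no credentials."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 and 403 responses arrive here

def audit_anonymous_access(base, script_dirs, topics, public_paths, fetch=anonymous_status):
    """Return (path, status) for each path whose anonymous status breaks the policy:
    public paths must answer 200, every <script_dir>/view/<topic> must answer 401 or 403."""
    findings = []
    for path in public_paths:
        status = fetch(base + path)
        if status != 200:
            findings.append((path, status))
    for script_dir in script_dirs:
        for topic in topics:
            path = f"/{script_dir}/view/{topic}"
            if path in public_paths:
                continue
            status = fetch(base + path)
            if status not in (401, 403):
                findings.append((path, status))
    return findings

def constructed_server(url):
    """Constructed stand-in for a server with the bin-reg setup (no network needed)."""
    path = url.split("/twiki", 1)[1]
    if path == "/bin/view/TWiki/TWikiRegistration":
        return 200                      # the page that is meant to be public
    if path.startswith("/bin-reg/view/"):
        return 200                      # the unintended exposure
    if path.startswith("/bin/"):
        return 401                      # authenticated bin folder
    return 404

def demo():
    return audit_anonymous_access(
        "http://example.com/twiki",
        script_dirs=["bin", "bin-reg"],
        topics=["Main/WebHome", "Sandbox/WebHome"],   # constructed topic names
        public_paths=["/bin/view/TWiki/TWikiRegistration"],
        fetch=constructed_server,
    )

if __name__ == "__main__":
    for path, status in demo():
        print(f"anonymous access allowed: {path} -> {status}")
```

Against a real installation, omit the `fetch` argument so the default `anonymous_status` issues the requests.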
Other changes for your registration page
--
NathanBailey - 11 Jun 2006