SID-00071: Using a database for access permissions
| Status: | Answered | TWiki version: | 4.1.2 | Perl version: | 5.008008 (cygwin) |
| Category: | CategoryAccessControl | Server OS: | Windows2003 | Last update: | 17 years ago |
I have a database (MSSQL) which contains a table of usernames. I tried to use a database query in the
Set ALLOWTOPICVIEW definition to grant view permissions like this:
<three spaces>* Set ALLOWTOPICVIEW =
%DATABASE_SQL{description="Users" sql="SELECT * from Userdb" format="Main.$User, "}%
which gives me an output:
<three spaces>* Set ALLOWTOPICVIEW = Main.chengappa, Main.otheruser
but the users get an 'access denied' message. I guess that the permissions are read from the text before the page is rendered and hence my method does not take effect. But is there a way to give permissions using the database?
--
ChengappaCB - 31 Jan 2009
Discussion and Answer
You are right, permissions are checked before external variables are expanded.
I guess the proper approach is to write custom login/password/usermapping managers.
--
PeterThoeny - 01 Feb 2009
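The ordering described in the answer above, as an added example that is not part of the original thread and is not TWiki's own code: a simplified Python model in which the access check reads the setting from the stored topic text, while the plugin macro is only expanded later at render time. The function names, the parsing rules and the sample topics are assumptions made for illustration.

```python
import re

# Constructed topic text: the ACL line from the question, written on one line.
DYNAMIC_TOPIC = (
    'Intro text\n'
    '   * Set ALLOWTOPICVIEW = %DATABASE_SQL{description="Users" '
    'sql="SELECT * from Userdb" format="Main.$User, "}%\n'
)
# Constructed topic text with the names written out literally.
STATIC_TOPIC = 'Intro text\n   * Set ALLOWTOPICVIEW = Main.chengappa, Main.otheruser\n'

SET_RE = re.compile(r'^(?:\t| {3})+\* Set (\w+) = (.*)$', re.M)
MACRO_RE = re.compile(r'%DATABASE_SQL\{.*?\}%')


def acl_from_raw_text(raw_text, name='ALLOWTOPICVIEW'):
    """Model of the access check: read the setting from the stored text,
    with no plugin macro expansion, and split it into user names."""
    values = [v for k, v in SET_RE.findall(raw_text) if k == name]
    if not values:
        return None  # no restriction set in this model
    tokens = re.split(r'[,\s]+', values[-1].strip())
    return [re.sub(r'^Main\.', '', t) for t in tokens if t]


def may_view(user, raw_text):
    """Allow when no ACL is set or the user is named in it."""
    acl = acl_from_raw_text(raw_text)
    return acl is None or user in acl


def render(raw_text, db_users):
    """Model of the later rendering step, where the plugin macro is expanded
    (db_users stands in for the query result)."""
    expansion = ''.join('Main.%s, ' % u for u in db_users)
    return MACRO_RE.sub(lambda m: expansion, raw_text)


if __name__ == '__main__':
    users = ['chengappa', 'otheruser']
    print(render(DYNAMIC_TOPIC, users))          # rendered page shows the names
    print(acl_from_raw_text(DYNAMIC_TOPIC))      # the check only saw macro fragments
    print(may_view('chengappa', DYNAMIC_TOPIC))  # denied
    print(may_view('chengappa', STATIC_TOPIC))   # allowed
```

In this model the dynamic list fails closed: the check sees fragments of the unexpanded macro, none of which is a user name, so every user is denied even though the rendered page displays the expected list.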
TWiki is being used in my office and hence I have made some changes to integrate the Windows domain login. The users are not asked for any username/password. Till now, I have been manually adding users to groups (groups have different permissions on different topics) but it is becoming increasingly difficult to manage a large (and increasing) number of users. I thought this would get solved if I could use the user database.
Any ideas on this would be very much welcome.
--
ChengappaCB - 02 Feb 2009
Is there an LDAP interface to your database? If so you could use the LdapContrib, and in TWiki use groups defined in LDAP.
(BTW, you can use any text in the question title, no need for a cryptic WikiWord.)
--
PeterThoeny - 02 Feb 2009
There is no LDAP interface but I am looking at using the LdapContrib to see if something can be done.
In the meanwhile, I would like to keep the question open for some days to see if someone shows a light at the end of the tunnel.
--
ChengappaCB - 02 Feb 2009
I found that I could use the (Windows) Domain Controller as the LDAP server. Thanks to your suggestion, I am now able to get LDAP to authenticate the users and use the LDAP groups in place of creating groups manually (and adding users manually!).
I made it work on Windows with cygwin and nearly pulled out all my hair by the time I got it working. If I write a mini manual on how to get it working, where do I publish it?
--
ChengappaCB - 06 Feb 2009
I am glad you found a working solution! Thank you for the offer to share your solution. Please post a supplemental document at TWikiUserAuthenticationSupplement or TWikiAccessControlSupplement.
--
PeterThoeny - 06 Feb 2009