SID-00585: TWiki allows users to create new topic from a topic that does not have edit previlages

Status:	Answered	TWiki version:	4.3.0	Perl version:
Category:	CategoryAccessControl	Server OS:	Fedora Core 9	Last update:	16 years ago

Hi,

I used TWiki forms from a topic to create new topics using twikiInputField and twikiSubmit inputs. I could create the topics with input field, But I want certain set of users, userGropus only to create this topic from the form, So I gave the access to users and groups in topic settings using " * Set DENYTOPICCHANGE =" and " * Set ALLOWTOPICCHANGE =".

But the problem is the users who are in deny list are still able to create new topic from the topic. Once the topic is created they are unable to change the topic.

Can some one please help me on how to over come this issue? I do not want to denytopicview to the users, I want other users to be able to view the topic. I also do not want to have DENYTOPICCHANGE in web level as I want the users to be able to create other topics in same web. I just want access controls to be applicable to a topic and topics created from it subsequently. Kindly feel free to post comments in case the problem mentioned is not clear.

Below is the form I used to create new topic.

<form name='newStatusPage' action='%SCRIPTURLPATH{"save"}%/%WEB%/'> 
|  Enter Topic Name: | <input class="twikiInputField" id="abcNumber" type="text" name="topic" size="32" /> |
| &nbsp; |<input type="submit" class="twikiSubmit" value='%MAKETEXT{"Create New Topic"}%' />  | 
<input type="hidden" name="onlynewtopic" value="on" /> 
<input type="hidden" name="onlywikiname" value="on" /> 
<input type="hidden" name="templatetopic" value="SomeTemplate" />
<input type="hidden" name="topicparent" value="SomeTestParent" />
</form> 

Thanks in advance.

-- RaghuKiran - 2009-10-21

Discussion and Answer

Personally I shy away from DENY* settings and prefer ALLOW* settings.

You can define different access control for who can see/change the template topic (SomeTemplate in your case) and who can see/change new topics instantiated from that template topic.

1. To impose an access restriction in the template topic, enclose the settings in %NOP{ ... }% which gets removed after topic instantiation.

2. To impose a different access restriction in instantiated topic, escape the setting in the template topic, such as:

• Set %ALLOW%NOP%CHANGE% = SomeGroup

More at TWikiAccessControl, TWikiTemplates.

-- PeterThoeny - 2009-10-23

Hi Peter,

I think I did not mention my problem clearly in the above query. I want a certain group of people only to be allowed to create topics using custom forms. Below is what I did.

1. I created a template topic with proper access restrictions.(Access restrictions applied in more topic actions)

2. Have another topic with a simple form to create new topics. This action of creating topics has to be performed by only a certain set of people.

3. Now in the second topic(the one with form) every one is able to create topics. But they are unable to edit the newly created topics as access restrictions are in place now.

Coming to the point straight, I want only certain users to be able to access save script from a topic. From other topics it should be possible. Is this possible to achieve?

-- RaghuKiran - 2009-10-24

I intended to give you the technical background and did not take the time to investigate in details. Try restricting view access to the template topic. Let us know when you find out.

Alternatively, try also view access restriction of the page containing the HTML form to create new entries.

-- PeterThoeny - 2009-10-24

Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the TWiki consultants if you need timely help. We invite you to get involved with the community, it is more likely you get community support if you support the open source project!

-- PeterThoeny - 2009-12-03

If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.