
SID-02462: How to allow write access but not read access to a topic

Status: Answered; TWiki version: 6.1.0; Perl version: 5
Category: CategoryApplications; Server OS: CC7; Last update: 5 years ago

Hello

I am trying to create a form such that a user can write a comment into a results topic but is not allowed to view all the results in the results topic.

The goal is to keep all comments anonymous.

I have created a template using the comment plugin that saves just the date and the comment, but if I block view access to the result topic, then the comment plugin no longer works as the user does not have access.

I could use a form to save all results to separate topics, but I hope this won't be necessary.

Anyone had experience with this?

Thanks for any feedback

-- Peter Jones - 2020-12-14

Discussion and Answer

I checked, indeed, the CommentPlugin has a TWiki::Func::checkAccessPermission() to enforce write permission, as it should.

You could write an AnonymousFeedbackPlugin that does not check write permission, and uses a TWiki::Func::readTopicText(), modify, TWiki::Func::saveTopicText() sequence. That save function can optionally ignore write permissions. Note that anonymity is not given because the revision info contains the person info.

A better approach is that the AnonymousFeedbackPlugin stores the feedback in the plugin's working directory as a file, using a TWiki::Func::getWorkArea(), TWiki::Func::readFile(), append, TWiki::Func::saveFile() sequence. That protects the anonymity as long as the plugin does not log activity. Save could be done with a REST call using Ajax.

Alternatively, your feedback form could have an action to point to the topic itself (view), and have an input field named afcomment for the comment, and a hidden field named afaction with value save. On submit an embedded %ANONYMOUSFEEDBACK{ "bike-shed-color" action="%URLPARAM{afaction}%" comment="%URLPARAM{afcomment}%" }% variable would take the action to save the topic. The "bike-shed-color" would be used as the name of the poll.

A %ANONYMOUSFEEDBACK{ "bike-shed-color" }% variable would return all feedback on the bike shed color poll. It could be protected that only members of a certain group can get the result.

-- Peter Thoeny - 2020-12-15
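
A sketch of the work-area variant described in the answer above, as an added example that is not part of the original post and not code from any released TWiki plugin. The plugin and variable names come from the thread; the reviewers group name, the record format and the length limit are assumptions.

```perl
package TWiki::Plugins::AnonymousFeedbackPlugin;    # plugin name proposed in the thread
use strict;
use warnings;
use POSIX qw(strftime);
use TWiki::Func ();
our $VERSION      = '0.1';
our $pluginName   = 'AnonymousFeedbackPlugin';
our $REVIEW_GROUP = 'FeedbackReviewersGroup';       # assumed group name

sub initPlugin {
    TWiki::Func::registerTagHandler( 'ANONYMOUSFEEDBACK', \&_feedback );
    return 1;
}

# The poll name becomes a file name, so accept only a narrow character set;
# this keeps "../" and absolute paths out of the work area lookup.
sub _pollFile {
    my ($poll) = @_;
    return unless defined $poll && $poll =~ /^([A-Za-z0-9][A-Za-z0-9_-]{0,63})$/;
    return TWiki::Func::getWorkArea($pluginName) . "/$1.txt";
}

# Entity-encode HTML and TWiki markup characters before echoing stored text.
sub _encode {
    my ($text) = @_;
    $text =~ s/([&<>"'%\[\]|!*_=\$])/'&#' . ord($1) . ';'/ge;
    return $text;
}

sub _feedback {
    my ( $session, $params, $topic, $web ) = @_;
    my $file = _pollFile( $params->{_DEFAULT} ) or return 'Invalid poll name.';
    if ( ( $params->{action} || '' ) eq 'save' ) {
        my $comment = $params->{comment};
        return 'Empty comment.' unless defined $comment && $comment =~ /\S/;
        $comment =~ s/[\r\n\t]+/ /g;              # one record per line
        $comment = substr( $comment, 0, 2000 );   # assumed length limit
        # Record holds the day and the text only: no WikiName, login or IP.
        my $record = strftime( '%Y-%m-%d', gmtime ) . "\t$comment\n";
        TWiki::Func::saveFile( $file, TWiki::Func::readFile($file) . $record );
        return 'Thank you for your feedback.';
    }
    # Results go only to members of the reviewers group.
    return 'Results are restricted.'
      unless TWiki::Func::isGroupMember( $REVIEW_GROUP, TWiki::Func::getWikiName() );
    return join "\n", map { '   * ' . _encode($_) } split /\n/, TWiki::Func::readFile($file);
}

1;
```

The read, append, save sequence is not locked, so two submissions arriving at the same moment can lose a record. Storing only the day, not a full timestamp, makes it harder to match a comment against web server access logs.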

I vaguely recall that I wanted to do a similar thing some years ago...

The simple approach is to use CommentPlugin with the parameters type=return (so that it returns to the page with the comment form) and target=ResultsPage (so that the comment goes to the topic ResultsPage). However, it doesn't work to deny read access to ResultsPage as desired: Apparently somewhere in the process there's a check for read access permission as well (at least that's what my recent experiment suggests). So this works to hide the results page a bit, but doesn't make it inaccessible.

I guess one could whip something up to set target=ResultsPageXXXXXXXXXX and allow read access for the creator of these topics. This still needs fiddling with the template, though. The "true" results page would then be a search over this set of pages. More important, every author would see his own comments in the same search, which I think is nice.

-- Harald Jörg - 2020-12-16

Harald has a good idea, essentially to create a TWikiApplication. Each form submit creates a new topic, e.g. one topic per comment. TWiki allows creating a topic and setting access control at the same time. If the new topic is view access restricted to the person submitting the form, the person can see a report listing all his/her comments, and nobody else besides TWiki admins can see them.

-- Peter Thoeny - 2020-12-17

Possibly the (older) PollPlugin fits your needs?

-- Peter Thoeny - 2020-12-20

I created an AnonymousFeedbackPluginDev brainstorming idea topic; let's follow up there.

-- Peter Thoeny - 2020-12-20

SupportForm
Status: Answered
Title: How to allow write access but not read access to a topic
SupportCategory: CategoryApplications
TWiki version: 6.1.0
Server OS: CC7
Web server: apache
Perl version: 5
Browser & version: FF, Chrome
Topic revision: r6 - 2020-12-20 - PeterThoeny