
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Deleted: | ||||||||
| < < | ||||||||
| TWiki Access ControlRestricting read and write access to topics and webs, by Users and groups | ||||||||
| Line: 140 to 139 | ||||||||
| See "How TWiki evaluates ALLOW/DENY settings" below for more on how ALLOW and DENY interacts. | ||||||||
| Changed: | ||||||||
| < < | Controlling access to Attachments | |||||||
| > > | Securing File Attachments | |||||||
| Changed: | ||||||||
| < < | Attachments are referred to directly, and are not normally indirected via TWiki scripts. This means that the above instructions for access control will not apply to attachments. It is possible that someone may inadvertently publicise a URL that they expected to be access-controlled. | |||||||
| > > | By default, TWiki does not secure file attachments. Without making the following changes to the twiki.conf file, it is possible for anyone who has access to the server to gain access to an attachment if they know the attachment's fully qualified path, even though access to the topic associated with the attachment is secured. This is because attachments are referred to directly by Apache, and are not by default delivered via TWiki scripts. This means that the above instructions for controlling to topics do not apply to attachments unless you make the changes as described below. | |||||||
| Changed: | ||||||||
| < < | The easiest way to apply the same access control rules for attachments as apply to topics is to use the Apache mod_rewritemodule, and configure your webserver to redirect accesses to attachments to the TWikiviewfilescript. For example, | |||||||
| > > | An effective way to secure attachments is to apply the same access control settings to attachments as those applied to topics. This security enhancement can be accomplished by instructing the webserver via Apache's mod_rewritemodule to redirect accesses to attachments via  the TWikiviewfilescript, which honors the TWiki access controls settings to topics.
The preferred method to secure attachments is by editing thetwiki.conffile to include: | |||||||
| 
    ScriptAlias /twiki/bin/ /filesystem/path/to/twiki/bin/
    Alias /twiki/pub/       /filesystem/path/to/twiki/pub/
    RewriteEngine on | ||||||||
| Changed: | ||||||||
| < < | RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+TWiki/+.+ RewriteRule ^/+twiki/+pub/+([^/]+)/+((([^/]+)/+)+)(.+) /twiki/bin/viewfile/$1/$4?filename=$5 [L,PT] | |||||||
| > > | RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+(TWiki|Sandbox)/+.+ RewriteRule ^/+twiki/+pub/+(.*)$ /twiki/bin/viewfile/$1 [L,PT] | |||||||
| Changed: | ||||||||
| < < | That way all the controls that apply to the topic also apply to attachments to the topic. Other types of webserver have similar support.
Note: Images embedded in topics will load much slower since each image will be delivered by the viewfilescript. | |||||||
| > > | Notes: 
 | |||||||
| Controlling who can manage top-level webs | ||||||||
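Review bot: the new RewriteCond exempts Sandbox as well as TWiki from the redirect to viewfile, so attachments in both webs are still served directly by Apache, and the rewritten prose in this hunk does not say so. Add a sentence naming the two exempted webs and stating that topic access controls do not protect their attachments. In the same paragraph, "anyone who has access to the server" should say whether it means anyone who can reach the site over HTTP, and "the above instructions for controlling to topics" is missing the word "access".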
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| TWiki Access Control | ||||||||
| Line: 34 to 34 | ||||||||
| Access control: Restrict access to content based on users and groups once a user is identified. | ||||||||
| Added: | ||||||||
| > > | ||||||||
| Users and GroupsAccess control is based on the familiar concept of Users and Groups. Users are defined by their WikiNames. They can then be organized in unlimited combinations by inclusion in one or more user Groups. For convenience, Groups can also be included in other Groups. | ||||||||
| Added: | ||||||||
| > > | ||||||||
| Managing UsersA user can create an account in TWikiRegistration. The following actions are performed: | ||||||||
| Line: 74 to 76 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | ||||||||
| Restricting AccessYou can define who is allowed to read or write to a web or a topic. Note that some plugins may not respect access permissions. | ||||||||
| Line: 84 to 87 | ||||||||
| Note that there is an important distinction between CHANGE access and RENAME access. A user can CHANGE a topic, but thanks to version control their changes cannot be lost (the history of the topic before the change is recorded). However if a topic or web is renamed, that history may be lost. Typically a site will only give RENAME access to administrators and content owners. | ||||||||
| Added: | ||||||||
| > > | ||||||||
| Controlling access to a WebYou can define restrictions on who is allowed to view a TWiki web. You can restrict access to certain webs to selected Users and Groups, by: | ||||||||
| Line: 108 to 112 | ||||||||
| Note: For Web level access rights Setting any of these settings to an empty value has the same effect as not setting them at all. Please note that the documentation of TWiki 4.0 and earlier versions of TWiki 4.1 did not reflect the actual implementation, e.g. an empty ALLOWWEBVIEW does not prevent anyone from viewing the web, and an an empty DENYWEBVIEW does not allow all to view the web. | ||||||||
| Added: | ||||||||
| > > | ||||||||
| Controlling access to a Topic
 | ||||||||
| Line: 134 to 139 | ||||||||
| See "How TWiki evaluates ALLOW/DENY settings" below for more on how ALLOW and DENY interacts. | ||||||||
| Added: | ||||||||
| > > | ||||||||
| Controlling access to AttachmentsAttachments are referred to directly, and are not normally indirected via TWiki scripts. This means that the above instructions for access control will not apply to attachments. It is possible that someone may inadvertently publicise a URL that they expected to be access-controlled. | ||||||||
| Line: 162 to 168 | ||||||||
| 
 ROOTCHANGEaccess to rename an existing top-level web. You just needWEBCHANGEin the web itself. | ||||||||
| Added: | ||||||||
| > > | ||||||||
| How TWiki evaluates ALLOW/DENY settingsWhen deciding whether to grant access, TWiki evaluates the following rules in order (read from the top of the list; if the logic arrives at PERMITTED or DENIED that applies immediately and no more rules are applied). You need to read the rules bearing in mind that VIEW, CHANGE and RENAME access may be granted/denied separately. | ||||||||
| Line: 192 to 199 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | ||||||||
| Access Control quick recipesObfuscating Webs | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| TWiki Access Control | ||||||||
| Line: 128 to 128 | ||||||||
| The same rules apply to ALLOWTOPICCHANGE/DENYTOPICCHANGE and APPLYTOPICRENAME/DENYTOPICRENAME. Setting ALLOWTOPICCHANGE or ALLOWTOPICRENAME to en empty value means the same as not defining it. Setting DENYTOPICCHANGE or DENYTOPICRENAME to an empty value means that anyone can edit or rename the topic. | ||||||||
| Changed: | ||||||||
| < < |  The setting to an empty has caused confusion and great debate and it has been decided that the empty setting syntax will be replaced by something which is easier to understand in the 4.2 version of TWiki. A method to upgrade will be provided. Please read the release notes carefully when you upgrade. | |||||||
| > > |  If the same setting is defined multiple times the last one overrides the previous. They are not OR'ed together.  The setting to an empty has caused confusion and great debate and it has been decided that the empty setting syntax will be replaced by something which is easier to understand in a later version of TWiki. A method to upgrade will be provided. Please read the release notes carefully when you upgrade. | |||||||
| See "How TWiki evaluates ALLOW/DENY settings" below for more on how ALLOW and DENY interacts. | ||||||||
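Review bot: the added sentence "If the same setting is defined multiple times the last one overrides the previous" is run into the paragraph about empty values and does not say what scope it covers (within one topic's text, or across topic and web settings). Give it its own bullet and name the scope, since a reader who expects two ALLOWTOPICCHANGE lines to combine will end up with a narrower or wider rule than intended. While editing here, "The setting to an empty" still lacks the noun "value", and the unchanged line above reads "APPLYTOPICRENAME" and "en empty" where the rest of the topic uses ALLOWTOPICRENAME and "an empty".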
| Line: 181 to 183 | ||||||||
| 
 
 | ||||||||
| Added: | ||||||||
| > > | Access control and INCLUDEALLOWTOPICVIEW and ALLOWTOPICCHANGE only applies to the topic in which the settings are defined. If a topic A includes another topic B, topic A does not inherit the access rights of the included topic B. Examples: Topic A includes topic B
 | |||||||
| Access Control quick recipesObfuscating Webs | ||||||||
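Review bot: the new "Access control and INCLUDE" paragraph names only ALLOWTOPICVIEW and ALLOWTOPICCHANGE, so it is unclear whether the DENYTOPIC settings behave the same way under INCLUDE. State that explicitly, and say in the paragraph itself what a user who may view topic A but not topic B sees where A includes B, because that is the case readers will check this section for. Also "only applies" should be "only apply".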
| Line: 228 to 239 | ||||||||
| Hide Control Settings | ||||||||
| Changed: | ||||||||
| < < |  Tip: To hide access control settings from normal browser viewing, you can put them into the topic-local settings. You can access those settings via the "More" screen, as explained in TWikiVariables. | |||||||
| > > |  Tip: To hide access control settings from normal browser viewing, you can put them into the topic preference settings by clicking the link Edit topic preference settingsunderMore topic actionsmenu. Preferences set in this manner are not visible in the topic text, but take effect nevertheless. Access control settings added as topic preference settings are stored in the topic meta data and they override settings defined in the topic text. | |||||||
| Alternatively, place them in HTML comment markers, but this exposes the access setting during ordinary editing. | ||||||||
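Review bot: the new tip says settings stored as topic preference settings "override settings defined in the topic text", which means the rules visible in the topic text may not be the ones in effect. Add a sentence telling anyone reviewing a topic's permissions to check the topic preference settings under "More topic actions" as well as the text, and consider whether "hide" is the right framing for a mechanism that also changes precedence.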
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Deleted: | ||||||||
| < < | ||||||||
| Changed: | ||||||||
| < < | TWiki Access Control | |||||||
| > > | TWiki Access Control | |||||||
| Restricting read and write access to topics and webs, by Users and groups | ||||||||
| Line: 10 to 8 | ||||||||
|  Tip: TWiki:TWiki.TWikiAccessControlSupplement on TWiki.org has additional documentation on access control. | ||||||||
| Added: | ||||||||
| > > | ||||||||
| An Important Control Consideration | ||||||||
| Line: 17 to 17 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 
 | ||||||||
| Line: 43 to 43 | ||||||||
| A user can create an account in TWikiRegistration. The following actions are performed: 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | The default visitor name is TWikiGuest. This is the non-authenticated user. | |||||||
| > > | The default visitor name is TWikiGuest. This is the non-authenticated user. | |||||||
| Managing GroupsThe following describes the standard TWiki support for groups. Your local TWiki may have an alternate group mapping manager installed. Check with your TWiki administrator if you are in doubt. | ||||||||
| Changed: | ||||||||
| < < | Groups are defined by group topics located in the Mainweb. To create a new group, visit  TWikiGroups and enter the name of the new group ending inGroupinto the "new group" form field. This will create a new group topic with two important settings: | |||||||
| > > | Groups are defined by group topics located in the Mainweb. To create a new group, visit  TWikiGroups and enter the name of the new group ending inGroupinto the "new group" form field. This will create a new group topic with two important settings: | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| The ALLOWTOPICCHANGE setting defines who is allowed to change the group topic; it is a comma delimited list of users and groups. You typically want to restrict that to the members of the group itself, so it should contain the name of the topic. This prevents users not in the group from editing the topic to give themselves or others access. For example, for the KasabianGroup topic write: | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
|  Note: TWiki has strict formatting rules. Make sure you have three spaces, an asterisk, and an extra space in front of any access control rule. | ||||||||
| Line: 70 to 70 | ||||||||
| A number of TWiki functions (for example, renaming webs) are only available to administrators. Administrators are simply users who belong to the SuperAdminGroup. This is a standard user group, the name of which is defined by {SuperAdminGroup} setting in configure. The default name of this group is the TWikiAdminGroup. The system administrator may have chosen a different name for this group if your local TWiki uses an alternate group mapping manager but for simplicity we will use the default name TWikiAdminGroup in the rest of this topic. | ||||||||
| Changed: | ||||||||
| < < | You can create new administrators simply by adding them to the TWikiAdminGroup topic. For example, 
 | |||||||
| > > | You can create new administrators simply by adding them to the TWikiAdminGroup topic. For example, 
 | |||||||
| A member of the Super Admin Group has unrestricted access throughout the TWiki, so only trusted staff should be added to this group. Restricting AccessYou can define who is allowed to read or write to a web or a topic. Note that some plugins may not respect access permissions. | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 99 to 99 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | If your site allows hierarchical webs, then access to sub-webs is determined from the access controls of the parent web, plus the access controls in the sub-web. So, if the parent web has ALLOWWEBVIEWset, this will also apply to the subweb. | |||||||
| > > | If your site allows hierarchical webs, then access to sub-webs is determined from the access controls of the parent web, plus the access controls in the sub-web. So, if the parent web has ALLOWWEBVIEWset, this will also apply to the subweb. Also note that you will need to ensure that the parent web'sFINALPREFERENCESdoes not include the access control settings listed above. Otherwise you will not be able override the parent web's access control settings in sub-webs. | |||||||
| Creation and renaming of sub-webs is controlled by the WEBCHANGE setting on the parent web (or ROOTCHANGE for root webs). Renaming is additionally restricted by the setting of WEBRENAME in the web itself. | ||||||||
| Added: | ||||||||
| > > | Note:  If you restrict access to the Main, make sure to add the TWikiRegistrationAgentso that users can register. Example:
 | |||||||
| Note:  For Web level access rights Setting any of these settings to an empty value has the same effect as not setting them at all. Please note that the documentation of TWiki 4.0 and earlier versions of TWiki 4.1 did not reflect the actual implementation, e.g. an empty ALLOWWEBVIEW does not prevent anyone from viewing the web, and an an empty DENYWEBVIEW does not allow all to view the web. Controlling access to a Topic | ||||||||
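Review bot: the added FINALPREFERENCES sentence is worded as a requirement ("you will need to ensure"), but it only matters when sub-webs are meant to set their own access controls; say so, and fix "will not be able override" to "will not be able to override". In the added note on the Main web, "If you restrict access to the Main" is missing "web", and the sentence should name which setting TWikiRegistrationAgent has to be added to rather than leaving that to the example.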
| Line: 152 to 155 | ||||||||
| Controlling who can manage top-level websTop level webs are a special case, because they don't have a parent web with a WebPreferences. So there has to be a special control just for the root level. | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 ROOTCHANGEaccess to rename an existing top-level web. You just needWEBCHANGEin the web itself. | ||||||||
| Line: 189 to 192 | ||||||||
|  Note: Obfuscating a web without view access control is very insecure, as anyone who knows the URL can access the web. | ||||||||
| Added: | ||||||||
| > > | Restrict Access to Whole TWiki SiteFor a firewalled TWiki, e.g. an intranet wiki or extranet wiki, you want to allow only invited people to access your TWiki. In this case, enable user authentication with ApacheLogin and lock down access to the wholetwiki/binandtwiki/pubdirectories to all but valid users. In the Apache.htaccessfile or the appropriate.conffile, replace the<FilesMatch "(attach|edit|...section with this:
<FilesMatch ".*">
       require valid-user
</FilesMatch>
If needed, you can further restrict access to selected webs with ALLOWWEBVIEW and other access control settings.
Note: With this configuration, someone with access to the site needs to register new users. | |||||||
| Authenticate all Webs and Restrict Selected WebsUse the following setup to authenticate users for topic viewing in all webs and to restrict access to selected webs. Requires TWikiUserAuthentication to be enabled. | ||||||||
| Added: | ||||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 
 | |||||||
| Authenticate and Restrict Selected Webs Only | ||||||||
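Review bot: the new recipe promises to lock down both twiki/bin and twiki/pub, but the only instruction is to replace one FilesMatch section in "the Apache .htaccess file or the appropriate .conf file", without saying which directory that file governs. State where the block must go so that it covers both directories. It is also worth one sentence here that "require valid-user" on twiki/pub only checks that the user is logged in and does not apply per-topic access controls to attachments, with a pointer to the attachments section.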
| Line: 205 to 224 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Hide Control Settings | ||||||||
| Line: 215 to 234 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < |    * Set DENYTOPICCHANGE = Main.SomeGroup | |||||||
| > > |    * Set DENYTOPICCHANGE = Main.SomeGroup | |||||||
| --> | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 17 to 17 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 
 | ||||||||
| Line: 51 to 51 | ||||||||
| Managing Groups | ||||||||
| Changed: | ||||||||
| < < | Groups are defined by group topics located in the Mainweb, such as the TWikiAdminGroup. To create a new group, visit  TWikiGroups and enter the name of the new group ending inGroupinto the "new group" form field. This will create a new group topic with two important settings: | |||||||
| > > | The following describes the standard TWiki support for groups. Your local TWiki may have an alternate group mapping manager installed. Check with your TWiki administrator if you are in doubt.
Groups are defined by group topics located in the Mainweb. To create a new group, visit  TWikiGroups and enter the name of the new group ending inGroupinto the "new group" form field. This will create a new group topic with two important settings: | |||||||
| 
 
 | ||||||||
| Changed: | ||||||||
| < < | The ALLOWTOPICCHANGE setting defines who is allowed to change the group topic; it is a comma delimited list of users and groups. You typically want to restrict that to the members of the group itself, so it should contain the name of the topic. This prevents users not in the group from editing the topic to give themselves or others access. For example, for the TWikiAdminGroup topic write: 
 | |||||||
| > > | The ALLOWTOPICCHANGE setting defines who is allowed to change the group topic; it is a comma delimited list of users and groups. You typically want to restrict that to the members of the group itself, so it should contain the name of the topic. This prevents users not in the group from editing the topic to give themselves or others access. For example, for the KasabianGroup topic write: 
 | |||||||
|  Note: TWiki has strict formatting rules. Make sure you have three spaces, an asterisk, and an extra space in front of any access control rule. The Super Admin Group | ||||||||
| Changed: | ||||||||
| < < | By mistyping a user or group name in the settings, it's possible to lock a topic so that no-one can edit it from a browser. To avoid this, add the WikiNames of registered administrators to the super admin group topic called TWikiAdminGroup. The name of this topic is defined by the {SuperAdminGroup} configure setting. Example group setting: | |||||||
| > > | A number of TWiki functions (for example, renaming webs) are only available to administrators. Administrators are simply users who belong to the SuperAdminGroup. This is a standard user group, the name of which is defined by {SuperAdminGroup} setting in configure. The default name of this group is the TWikiAdminGroup. The system administrator may have chosen a different name for this group if your local TWiki uses an alternate group mapping manager but for simplicity we will use the default name TWikiAdminGroup in the rest of this topic.
You can create new administrators simply by adding them to the TWikiAdminGroup topic. For example, | |||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | A member of the Super Admin Group has unrestricted access throughout the TWiki, so only trusted staff should be added to this group. | |||||||
| Restricting Access | ||||||||
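Review bot: the rewritten Super Admin Group text drops the warning that "By mistyping a user or group name in the settings, it's possible to lock a topic so that no-one can edit it from a browser", which was the practical reason given for having administrators at all. Keep that sentence, here or under the topic-level settings, so readers still learn about the lock-out case. Minor: "defined by {SuperAdminGroup} setting" is missing "the".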
| Line: 75 to 80 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | 
 | |||||||
| Controlling access to a Web | ||||||||
| Line: 88 to 96 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | Be careful with empty values for any of these. In older versions of TWiki, 
 
 | |||||||
| > > | If your site allows hierarchical webs, then access to sub-webs is determined from the access controls of the parent web, plus the access controls in the sub-web. So, if the parent web has ALLOWWEBVIEWset, this will also apply to the subweb.
Creation and renaming of sub-webs is controlled by the WEBCHANGE setting on the parent web (or ROOTCHANGE for root webs). Renaming is additionally restricted by the setting of WEBRENAME in the web itself.
Note:  For Web level access rights Setting any of these settings to an empty value has the same effect as not setting them at all. Please note that the documentation of TWiki 4.0 and earlier versions of TWiki 4.1 did not reflect the actual implementation, e.g. an empty ALLOWWEBVIEW does not prevent anyone from viewing the web, and an an empty DENYWEBVIEW does not allow all to view the web. | |||||||
| Controlling access to a Topic | ||||||||
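Review bot: the added Note on empty values is hard to parse as written: "For Web level access rights Setting any of these settings" has a stray capital and a repeated word, and "an an empty DENYWEBVIEW" doubles the article. Since this note corrects earlier documentation, reword it as two plain statements (an empty ALLOWWEBVIEW does not block viewing; an empty DENYWEBVIEW does not grant viewing) so the actual behaviour is unambiguous.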
| Line: 102 to 112 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | 
 | |||||||
| Remember when opening up access to specific topics within a restricted web that other topics in the web - for example, the WebLeftBar - may also be accessed when viewing the topics. The message you get when you are denied access should tell you what topic you were not permitted to access. | ||||||||
| Changed: | ||||||||
| < < | Be careful with empty values for any of these. In older versions of TWiki, 
 
 | |||||||
| > > | Be careful with empty values for any of these. 
 
  The setting to an empty has caused confusion and great debate and it has been decided that the empty setting syntax will be replaced by something which is easier to understand in the 4.2 version of TWiki. A method to upgrade will be provided. Please read the release notes carefully when you upgrade.
See "How TWiki evaluates ALLOW/DENY settings" below for more on how ALLOW and DENY interacts. | |||||||
| Controlling access to Attachments | ||||||||
| Line: 130 to 148 | ||||||||
| Note: Images embedded in topics will load much slower since each image will be delivered by the viewfilescript. | ||||||||
| Changed: | ||||||||
| < < | Controlling who can create top-level webs | |||||||
| > > | Controlling who can manage top-level webs | |||||||
| Top level webs are a special case, because they don't have a parent web with a WebPreferences. So there has to be a special control just for the root level. 
 | ||||||||
| Line: 139 to 159 | ||||||||
| How TWiki evaluates ALLOW/DENY settings | ||||||||
| Changed: | ||||||||
| < < | When deciding whether to grant access, TWiki evaluates the following rules in order (read from the top of the list; if the logic arrives at PERMITTED or DENIED that applies immediately and no more rules are applied). You need to read the rules bearing in mind that VIEW and CHANGE access may be granted/denied separately. 
 | |||||||
| > > | When deciding whether to grant access, TWiki evaluates the following rules in order (read from the top of the list; if the logic arrives at PERMITTED or DENIED that applies immediately and no more rules are applied). You need to read the rules bearing in mind that VIEW, CHANGE and RENAME access may be granted/denied separately. 
 | |||||||
| 
 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 
 | |||||||
| > > | 
 | |||||||
| 
 
 | ||||||||
| Deleted: | ||||||||
| < < | 
 | |||||||
| 
 Access Control quick recipes | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 66 to 66 | ||||||||
| The Super Admin Group | ||||||||
| Changed: | ||||||||
| < < | By mistyping a user or group name in the settings, it's possible to lock a topic so that no-one can edit it from a browser. To avoid this, add the WikiNames of registered administrators to the super admin group topic called TWikiAdminGroup. The name of this topic is defined by the {SuperAdminGroup} configure setting. Example group setting: | |||||||
| > > | By mistyping a user or group name in the settings, it's possible to lock a topic so that no-one can edit it from a browser. To avoid this, add the WikiNames of registered administrators to the super admin group topic called TWikiAdminGroup. The name of this topic is defined by the {SuperAdminGroup} configure setting. Example group setting: | |||||||
| 
 Restricting Access | ||||||||
| Line: 75 to 75 | ||||||||
| 
 | ||||||||
| Deleted: | ||||||||
| < < | 
 | |||||||
| Controlling access to a Web | ||||||||
| Changed: | ||||||||
| < < | You can define restrictions of who is allowed to view a TWiki web. You can restrict access to certain webs to selected Users and Groups, by: | |||||||
| > > | You can define restrictions on who is allowed to view a TWiki web. You can restrict access to certain webs to selected Users and Groups, by: | |||||||
| 
 | ||||||||
| Line: 91 to 88 | ||||||||
| 
 | ||||||||
| Deleted: | ||||||||
| < < | 
 | |||||||
| Be careful with empty values for any of these. In older versions of TWiki, 
 | ||||||||
| Line: 102 to 97 | ||||||||
| Controlling access to a Topic | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Deleted: | ||||||||
| < < | 
 | |||||||
| Remember when opening up access to specific topics within a restricted web that other topics in the web - for example, the WebLeftBar - may also be accessed when viewing the topics. The message you get when you are denied access should tell you what topic you were not permitted to access. | ||||||||
| Line: 131 to 124 | ||||||||
| RewriteEngine on RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+TWiki/+.+ RewriteRule ^/+twiki/+pub/+([^/]+)/+((([^/]+)/+)+)(.+) /twiki/bin/viewfile/$1/$4?filename=$5 [L,PT] | ||||||||
| Changed: | ||||||||
| < < | </verbatim | |||||||
| > > | ||||||||
| That way all the controls that apply to the topic also apply to attachments to the topic. Other types of webserver have similar support.
Note: Images embedded in topics will load much slower since each image will be delivered by the viewfilescript. | ||||||||
| Added: | ||||||||
| > > | Controlling who can create top-level websTop level webs are a special case, because they don't have a parent web with a WebPreferences. So there has to be a special control just for the root level.
 ROOTCHANGEaccess to rename an existing top-level web. You just needWEBCHANGEin the web itself. | |||||||
| How TWiki evaluates ALLOW/DENY settings | ||||||||
| Changed: | ||||||||
| < < | When deciding whether to grant access, TWiki evaluates the following rules in order (read from the top of the list; if the logic arrives at PERMITTED or DENIED that applies immediately and no more rules are applied). You need to read the rules bearing in mind that VIEW, CHANGE and RENAME access may be granted/denied separately. | |||||||
| > > | When deciding whether to grant access, TWiki evaluates the following rules in order (read from the top of the list; if the logic arrives at PERMITTED or DENIED that applies immediately and no more rules are applied). You need to read the rules bearing in mind that VIEW and CHANGE access may be granted/denied separately. | |||||||
| 
 | ||||||||
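Review bot: the changed sentence on rule evaluation now says only that "VIEW and CHANGE access may be granted/denied separately", while the section added in this same hunk describes rename as controlled separately through ROOTCHANGE and WEBCHANGE. Keep RENAME in that sentence so the rule list and the new section agree.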
| Line: 189 to 189 | ||||||||
| Hide Control Settings | ||||||||
| Changed: | ||||||||
| < < |  Tip: To hide access control settings from normal browser viewing, place them in HTML comment markers. | |||||||
| > > |  Tip: To hide access control settings from normal browser viewing, you can put them into the topic-local settings. You can access those settings via the "More" screen, as explained in TWikiVariables.
Alternatively, place them in HTML comment markers, but this exposes the access setting during ordinary editing. | |||||||
| 
 | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 129 to 129 | ||||||||
| Alias /twiki/pub/ /filesystem/path/to/twiki/pub/ RewriteEngine on | ||||||||
| Changed: | ||||||||
| < < | RewriteRule ^/twiki/pub/TWiki/(.*)$ /twiki/pub/TWiki/$1 [L,PT] RewriteRule ^/twiki/pub/([^\/]+)/([^\/]+)/([^\/]+)$ /twiki/bin/viewfile/$1/$2?filename=$3 [L,PT] | |||||||
| > > | RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+TWiki/+.+ RewriteRule ^/+twiki/+pub/+([^/]+)/+((([^/]+)/+)+)(.+) /twiki/bin/viewfile/$1/$4?filename=$5 [L,PT] </verbatim | |||||||
| That way all the controls that apply to the topic also apply to attachments to the topic. Other types of webserver have similar support. | ||||||||
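Review bot: the new RewriteRule builds the viewfile path from $1 and $4, and $4 sits inside the repeated group ((([^/]+)/+)+), so it holds only the last directory before the file name. For an attachment under a sub-web (pub/Web/SubWeb/Topic/file) the SubWeb component is dropped and viewfile is asked for Web/Topic. Either pass the full captured path to viewfile or state that the rule assumes no hierarchical webs. The added line also ends in "</verbatim" without the closing ">", so the code block is not terminated.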
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 10 to 10 | ||||||||
|  Tip: TWiki:TWiki.TWikiAccessControlSupplement on TWiki.org has additional documentation on access control. | ||||||||
| Added: | ||||||||
| > > | ||||||||
| An Important Control ConsiderationOpen, freeform editing is the essence of WikiCulture - what makes TWiki different and often more effective than other collaboration tools. For that reason, it is strongly recommended that decisions to restrict read or write access to a web or a topic are made with great care - the more restrictions, the less Wiki in the mix. Experience shows that unrestricted write access works very well because: | ||||||||
| Line: 166 to 167 | ||||||||
| This setup can be useful to hide a new web until content its ready for deployment, or to hide view access restricted webs. | ||||||||
| Changed: | ||||||||
| < < |  Note: Obfuscating a web without view access control is very insecure, as anyone who knows the URL can access the web. | |||||||
| > > |  Note: Obfuscating a web without view access control is very insecure, as anyone who knows the URL can access the web. | |||||||
| Authenticate all Webs and Restrict Selected Webs | ||||||||
| Line: 176 to 177 | ||||||||
| 
 | ||||||||
| Deleted: | ||||||||
| < < | 
 | |||||||
| Authenticate and Restrict Selected Webs Only | ||||||||
| Line: 187 to 186 | ||||||||
| 
 | ||||||||
| Deleted: | ||||||||
| < < | 
 | |||||||
| Hide Control Settings | ||||||||
| Line: 1 to 1 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Line: 6 to 6 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Restricting read and write access to topics and webs, by Users and groups | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | TWikiAccessControl allows you restrict access to single topics and entire webs, by individual user and by user Groups, in three areas: view; edit & attach; and rename/move/delete. Access control, combined with TWikiUserAuthentication, lets you easily create and manage an extremely flexible, fine-grained privilege system. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | TWiki Access Control allows you restrict access to single topics and entire webs, by individual user and by user Groups. Access control, combined with TWikiUserAuthentication, lets you easily create and manage an extremely flexible, fine-grained privilege system. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | An Important Control Consideration | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > |  Tip: TWiki:TWiki.TWikiAccessControlSupplement on TWiki.org has additional documentation on access control. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Open, freeform editing is the essence of WikiCulture - what makes TWiki different and often more effective than other collaboration tools. For that reason, it is strongly recommended that decisions to restrict read or write access to a web or a topic are made with care - the more restrictions, the less Wiki in the mix. Experience shows that unrestricted write access works very well because: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | An Important Control Consideration | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Added: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Open, freeform editing is the essence of WikiCulture - what makes TWiki different and often more effective than other collaboration tools. For that reason, it is strongly recommended that decisions to restrict read or write access to a web or a topic are made with great care - the more restrictions, the less Wiki in the mix. Experience shows that unrestricted write access works very well because: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 
 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 
 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
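Review bot: The added intro line reads "allows you restrict access", which needs "allows you to restrict access". The same line also drops the list of the three controlled areas (view; edit & attach; rename/move/delete), while the later "How TWiki evaluates ALLOW/DENY settings" text still relies on VIEW, CHANGE and RENAME being granted separately, so consider keeping a short mention of them here.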
| Line: 19 to 18 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 
 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Deleted: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| As a collaboration guideline: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Deleted: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 
 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Added: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Permissions settings of the webs on this TWiki site
 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Authentication vs. Access ControlAuthentication: Identifies who a user is based on a login procedure. See TWikiUserAuthentication. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Line: 38 to 40 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Managing UsersA user can create an account in TWikiRegistration. The following actions are performed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 
 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Deleted: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Users can be authenticated using Basic Authentication (htaccess) or SSL (secure server). In either case, TWikiUserAuthentication is required in order to track user identities, and use User and Group access control. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| The default visitor name is TWikiGuest. This is the non-authenticated user. Managing Groups | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Groups are defined by group topics created in the Mainweb, like the TWikiAdminGroup. To create a new group:
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Groups are defined by group topics located in the Mainweb, such as the TWikiAdminGroup. To create a new group, visit  TWikiGroups and enter the name of the new group ending inGroupinto the "new group" form field. This will create a new group topic with two important settings: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 
 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Deleted: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | 
 Restricting Write AccessYou can define who is allowed to make changes to a web or a topic.Deny Editing by TopicDenying editing of a topic also restricts file attachment; both privileges are assigned together.
 
 
 
 Deny Editing by Web | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Restricting web-level editing blocks creating new topics, changing topics or attaching files. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | The GROUP setting is a comma-separated list of users and/or other groups. Example: 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | The ALLOWTOPICCHANGE setting defines who is allowed to change the group topic; it is a comma delimited list of users and groups. You typically want to restrict that to the members of the group itself, so it should contain the name of the topic. This prevents users not in the group from editing the topic to give themselves or others access. For example, for the TWikiAdminGroup topic write: 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | The same rules apply as for restricting topics, with these additions: 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > |  Note: TWiki has strict formatting rules. Make sure you have three spaces, an asterisk, and an extra space in front of any access control rule. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Restricting Rename Access | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | The Super Admin Group | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | You can define who is allowed to rename, move or delete a topic, or rename a web. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | By mistyping a user or group name in the settings, it's possible to lock a topic so that no-one can edit it from a browser. To avoid this, add the WikiNames of registered administrators to the super admin group topic called TWikiAdminGroup. The name of this topic is defined by the {SuperAdminGroup} configure setting. Example group setting:
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Deny Renaming by Topic | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Restricting Access | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | To allow a user to rename, move or delete a topic, they also need write (editing) permission. They also need write access to change references in referring topics. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | You can define who is allowed to read or write to a web or a topic. Note that some plugins may not respect access permissions. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Controlling access to a Web | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | You can define restrictions of who is allowed to view a TWiki web. You can restrict access to certain webs to selected Users and Groups, by: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Deny Renaming by Web | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | 
 
 
 Controlling access to a Topic
 
 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | You can define restrictions of who is allowed to rename a TWiki web. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Controlling access to Attachments | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Attachments are referred to directly, and are not normally indirected via TWiki scripts. This means that the above instructions for access control will not apply to attachments. It is possible that someone may inadvertently publicise a URL that they expected to be access-controlled. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | The same rules apply as for topics, with these additions: 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | The easiest way to apply the same access control rules for attachments as apply to topics is to use the Apache mod_rewritemodule, and configure your webserver to redirect accesses to attachments to the TWikiviewfilescript. For example, | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Restricting Read Access | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | ScriptAlias /twiki/bin/ /filesystem/path/to/twiki/bin/ Alias /twiki/pub/ /filesystem/path/to/twiki/pub/ | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | You can define who is allowed to see a web. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | RewriteEngine on RewriteRule ^/twiki/pub/TWiki/(.*)$ /twiki/pub/TWiki/$1 [L,PT] RewriteRule ^/twiki/pub/([^\/]+)/([^\/]+)/([^\/]+)$ /twiki/bin/viewfile/$1/$2?filename=$3 [L,PT] | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Deny Viewing by Topic | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | That way all the controls that apply to the topic also apply to attachments to the topic. Other types of webserver have similar support. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < |  Technically it is possible to restrict read access to an individual topic based on DENYTOPICVIEW/ALLOWTOPICVIEWpreferences variables, provided that the view script is authenticated. However this setup is not recommended since all content is searchable within a web - a search will turn up view restricted topics. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Note: Images embedded in topics will load much slower since each image will be delivered by the viewfilescript. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Deny Viewing by Web | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | How TWiki evaluates ALLOW/DENY settings | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | You can define restrictions of who is allowed to view a TWiki web. You can restrict access to certain webs to selected Users and Groups, by: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | When deciding whether to grant access, TWiki evaluates the following rules in order (read from the top of the list; if the logic arrives at PERMITTED or DENIED that applies immediately and no more rules are applied). You need to read the rules bearing in mind that VIEW, CHANGE and RENAME access may be granted/denied separately. 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Access Control quick recipes | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Obfuscate Webs | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Obfuscating Webs | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | The idea is to keep a web hidden by not publishing its URL and by preventing the all webssearch option from accessing obfuscated webs. Do so by enabling theNOSEARCHALLvariable in WebPreferences: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Another way of hiding webs is to keep them hidden by not publishing the URL and by preventing the all webssearch option from accessing obfuscated webs. Do so by enabling theNOSEARCHALLvariable in WebPreferences: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 
 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | This setup can be useful to hide a new web until content its ready for deployment. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | This setup can be useful to hide a new web until content its ready for deployment, or to hide view access restricted webs. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < |  Obfuscating webs is insecure, as anyone who knows the URL can access the web. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > |  Note: Obfuscating a web without view access control is very insecure, as anyone who knows the URL can access the web. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Authenticate all Webs and Restrict Selected Webs | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Authenticate all Webs and Restrict Selected Webs | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Use the following setup to authenticate users for topic viewing in all webs and to restrict access to selected webs: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Use the following setup to authenticate users for topic viewing in all webs and to restrict access to selected webs. Requires TWikiUserAuthentication to be enabled. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 
 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
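Review bot: In the added mod_rewrite example, the second RewriteRule matches only paths with exactly three segments under /twiki/pub/ (web, topic, filename), and the first rule passes everything under /twiki/pub/TWiki/ through unchanged. A request that matches neither pattern still reaches the Alias for /twiki/pub/ and is served by Apache without going through viewfile. The sentence "all the controls that apply to the topic also apply to attachments" holds only for URLs the second rule catches, so the text should state both limits and tell the admin to confirm after deployment that a direct attachment URL on a restricted topic is refused. Separately, "until content its ready" in the Obfuscating Webs paragraph should read "until content is ready".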
| Line: 160 to 178 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 
 
 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Deleted: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | 
  This method only works if the viewscript is authenticated, which means that all Users have to login, even for read-only access. (An open guest account, like TWikiGuest, can get around this, allowing anyone to login to a common account with, for example, view-only access for public webs.) TWikiInstallationGuide has more on Basic Authentication, using the.htaccessfile. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Authenticate and Restricting Selected Webs Only | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Authenticate and Restrict Selected Webs Only | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Use the following setup to provide unrestricted viewing access to open webs, with authentication only on selected webs: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Use the following setup to provide unrestricted viewing access to open webs, with authentication only on selected webs. Requires TWikiUserAuthentication to be enabled. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 
 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
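Review bot: The note deleted from the "Authenticate all Webs" recipe said the method works only if the view script is authenticated, and that every user then has to log in even for read-only access. The replacement sentence "Requires TWikiUserAuthentication to be enabled" does not carry that consequence. Suggest keeping one sentence stating that all users must log in to view once this recipe is applied, so an admin knows guest read access is affected before enabling it.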
| Line: 174 to 189 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 
 
 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Deleted: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | When a user accesses a web where you enabled view restriction, TWiki will redirect from the viewscript to theviewauthscript once (this happens only if the user has never edited a topic). Doing so will ask for authentication. Theviewauthscript shows the requested topic if the user could log on and if the user is authorized to see that web. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Hide Control Settings | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < |  Authenticating webs is not very secure, as there is a way to circumvent the read access restriction. It can be useful in certain situations - for example, to simplify site organization and clutter, by hiding low traffic webs - but is not recommended for securing sensitive content. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > |  Tip: To hide access control settings from normal browser viewing, place them in HTML comment markers. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Changed: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | Hiding Control Settings To hide access control settings from normal browser viewing, place them in comment markers.
<style="background-color:#f5f5f5"> <!--   * Set DENYTOPICCHANGE = Main.SomeGroup-->The SuperAdminGroupBy mistyping a user or group name in the ALLOWTOPICCHANGE setting, it's possible to lock a topic so that no-one can edit it from a browser. To avoid this, you can create Web-based superusers:
 $superAdminGroup = "TWikiAdminGroup"; | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | 
 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Deleted: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| < < | 
 -- TWiki:Main.MikeMannix - 12 May 2002 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Added: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| > > | Related Topics: AdminDocumentationCategory, TWikiUserAuthentication, TWiki:TWiki.TWikiAccessControlSupplement -- Contributors: TWiki:Main.PeterThoeny, TWiki:Main.MikeMannix, TWiki:Main.CrawfordCurrie | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
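Review bot: This hunk removes the warning that authenticating selected webs "is not very secure, as there is a way to circumvent the read access restriction" without saying whether that still applies. If it does, the warning should stay next to the "Authenticate and Restrict Selected Webs Only" recipe. If it was fixed, say so in the change summary. The new tip on HTML comment markers should also say that it only hides the settings from the rendered page and is not itself an access control, since the settings remain in the topic text.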
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 205 to 205 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | -- PeterThoeny - 04 May 2002 -- MikeMannix - 12 May 2002 | |||||||
| > > | -- TWiki:Main.PeterThoeny - 04 May 2002 -- TWiki:Main.MikeMannix - 12 May 2002 | |||||||
| Added: | ||||||||
| > > | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 25 to 25 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | Authentication vs. Access ControlAuthentication: Identifies who a user is based on a login procedure. See TWikiUserAuthentication. Access control: Restrict access to content based on users and groups once a user is identified. | |||||||
| Users and GroupsAccess control is based on the familiar concept of Users and Groups. Users are defined by their WikiNames. They can then be organized in unlimited combinations by inclusion in one or more user Groups. For convenience, Groups can also be included in other Groups. | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 31 to 31 | ||||||||
| Managing Users | ||||||||
| Changed: | ||||||||
| < < | A user is created with the TWikiRegistration form. The process generates a topic in the Main web in the new user's WikiName. The default visitor name is TWikiGuest. | |||||||
| > > | A user can create an account in TWikiRegistration. The following actions are performed: | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Managing Groups | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 144 to 144 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 157 to 158 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 170 to 172 | ||||||||
| Hiding Control Settings | ||||||||
| Changed: | ||||||||
| < < | 
 <!-- | |||||||
| > > |  To hide access control settings from normal browser viewing, place them in comment markers.
<style="background-color:#f5f5f5"> <!--   * Set DENYTOPICCHANGE = Main.SomeGroup--> | |||||||
| The SuperAdminGroup | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 112 to 112 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Restricting Web Access | |||||||
| > > | Restricting Read Access | |||||||
| Changed: | ||||||||
| < < | You can prevent selected Users and Groups from accessing certain webs, by hiding them using restricting read access, or by requiring login. There are two basic methods, one simple, using standard preferences variables to hide a web, but offering low security, and a secure log-in approach that is currently a workaround, involving some minor script and filesystem modification. | |||||||
| > > | You can define who is allowed to see a web. | |||||||
| Changed: | ||||||||
| < < | Create Hidden Webs | |||||||
| > > | Deny Viewing by Topic | |||||||
| Changed: | ||||||||
| < < | You can prevent selected Users and Groups from viewing certain TWiki webs by setting one or both of these variables in each web's WebPreferences topic: | |||||||
| > > |  Technically it is possible to restrict read access to an individual topic based on DENYTOPICVIEW/ALLOWTOPICVIEWpreferences variables, provided that the view script is authenticated. However this setup is not recommended since all content is searchable within a web - a search will turn up view restricted topics.Deny Viewing by WebYou can define restrictions of who is allowed to view a TWiki web. You can restrict access to certain webs to selected Users and Groups, by:
 Obfuscate WebsThe idea is to keep a web hidden by not publishing its URL and by preventing theall webssearch option from accessing obfuscated webs. Do so by enabling theNOSEARCHALLvariable in WebPreferences:
  Obfuscating webs is insecure, as anyone who knows the URL can access the web. Authenticate all Webs and Restrict Selected WebsUse the following setup to authenticate users for topic viewing in all webs and to restrict access to selected webs:
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < |  If keeping a hidden web out of general use is a consideration, you can prevent the all webssearch option from accessing hidden webs, by enabling theNOSEARCHALLvariable in WebPreferences: | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < |  Hiding webs is not very secure, as there is a way to circumvent the read access restriction. It can be useful in certain situations - for example, to simplify site organization and clutter, by hiding low traffic webs - but is not recommended for securing sensitive content. (See the next section for a more secure approach.) | |||||||
| > > |  This method only works if the viewscript is authenticated, which means that all Users have to login, even for read-only access. (An open guest account, like TWikiGuest, can get around this, allowing anyone to login to a common account with, for example, view-only access for public webs.) TWikiInstallationGuide has more on Basic Authentication, using the.htaccessfile. | |||||||
| Changed: | ||||||||
| < < | Create Authenticated Access By Web | |||||||
| > > | Authenticate and Restricting Selected Webs Only | |||||||
| Use the following setup to provide unrestricted viewing access to open webs, with authentication only on selected webs: | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 viewscript to theviewauthscript once (this happens only if the user has never edited a topic). Doing so will ask for authentication. Theviewauthscript shows the requested topic if the user could log on and if the user is authorized to see that web. Authenticating webs is not very secure, as there is a way to circumvent the read access restriction. It can be useful in certain situations - for example, to simplify site organization and clutter, by hiding low traffic webs - but is not recommended for securing sensitive content. | |||||||
| Deleted: | ||||||||
| < < | 
 | |||||||
| Hiding Control Settings | ||||||||
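Review bot: The added text for "Authenticate and Restricting Selected Webs Only" says there is "a way to circumvent the read access restriction" but does not say which setting is affected or what to use instead, so an admin cannot judge the exposure. Suggest pointing to the recipe that authenticates all webs as the alternative for sensitive content. Likewise, the "Deny Viewing by Topic" line notes that a search will turn up view-restricted topics. It should say plainly that topic-level view restriction does not keep the content out of search results in that web.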
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| TWiki Access Control | ||||||||
| Changed: | ||||||||
| < < | Restricting read and write access to topics and webs, by users and groups | |||||||
| > > | Restricting read and write access to topics and webs, by Users and groups | |||||||
| Changed: | ||||||||
| < < | TWikiAccessControl allows you restrict access to single topics and entire webs, by individual user and by user groups, in three main areas: view; edit & attach; and rename/move/delete. These controls, combined with TWikiUserAuthentication, let you easily create and manage an extremely flexible, fine-grained privilege system. | |||||||
| > > | TWikiAccessControl allows you restrict access to single topics and entire webs, by individual user and by user Groups, in three areas: view; edit & attach; and rename/move/delete. Access control, combined with TWikiUserAuthentication, lets you easily create and manage an extremely flexible, fine-grained privilege system. | |||||||
| An Important Control Consideration | ||||||||
| Changed: | ||||||||
| < < | Open, freeform editing is the essence of the WikiCulture - it's what makes TWiki different and often more effective than other collaboration tools. So, it is strongly recommended that decisions to restrict read or write access to a web or a topic are made with care. Experience shows that unrestricted write access works very well because: | |||||||
| > > | Open, freeform editing is the essence of WikiCulture - what makes TWiki different and often more effective than other collaboration tools. For that reason, it is strongly recommended that decisions to restrict read or write access to a web or a topic are made with care - the more restrictions, the less Wiki in the mix. Experience shows that unrestricted write access works very well because: | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | As a collaboration guideline: | |||||||
| > > | As a collaboration guideline: | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Users and Groups | ||||||||
| Changed: | ||||||||
| < < | Access control is based on users and groups. Users are defined by their WikiNames, an then organized in unlimited combinations under different user groups. | |||||||
| > > | Access control is based on the familiar concept of Users and Groups. Users are defined by their WikiNames. They can then be organized in unlimited combinations by inclusion in one or more user Groups. For convenience, Groups can also be included in other Groups. | |||||||
| Managing Users | ||||||||
| Changed: | ||||||||
| < < | A user is created by with the TWikiRegistration form. The process generates a topic in the Main web in the new user's WikiName. The default visitor name is TWikiGuest. | |||||||
| > > | A user is created with the TWikiRegistration form. The process generates a topic in the Main web in the new user's WikiName. The default visitor name is TWikiGuest. | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Managing Groups | ||||||||
| Changed: | ||||||||
| < < | Groups are defined by group topics in the Mainweb, like the TWikiAdminGroup. To create a new group:
 | |||||||
| > > | Groups are defined by group topics created in the Mainweb, like the TWikiAdminGroup. To create a new group:
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 
 | |||||||
| > > | 
 | |||||||
| 
 Restricting Write Access | ||||||||
| Line: 59 to 57 | ||||||||
| Denying editing of a topic also restricts file attachment; both privileges are assigned together. 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 
 | ||||||||
| Line: 75 to 73 | ||||||||
| Restricting web-level editing blocks creating new topics, changing topics or attaching files. 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| The same rules apply as for restricting topics, with these additions: 
 | ||||||||
| Line: 91 to 89 | ||||||||
| To allow a user to rename, move or delete a topic, they also need write (editing) permission.  They also need write access to change references in referring topics. 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 
 | ||||||||
| Line: 107 to 105 | ||||||||
| You can define restrictions of who is allowed to rename a TWiki web. 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| The same rules apply as for topics, with these additions: 
 | ||||||||
| Line: 116 to 114 | ||||||||
| Restricting Web Access | ||||||||
| Changed: | ||||||||
| < < | You can prevent selected users and groups from accessing certain webs, by hiding them using restricting read access, or by requiring login. There are two basic methods, one simple, using standard preferences variables to hide a web, but offering low security, and a secure log-in approach that is currently a workaround, involving some minor script and filesystem modification. | |||||||
| > > | You can prevent selected Users and Groups from accessing certain webs, by hiding them using restricting read access, or by requiring login. There are two basic methods, one simple, using standard preferences variables to hide a web, but offering low security, and a secure log-in approach that is currently a workaround, involving some minor script and filesystem modification. | |||||||
| Create Hidden Webs | ||||||||
| Changed: | ||||||||
| < < | You can prevent selected users and groups from viewing certain TWiki webs by setting one or both of these variables in each web's WebPreferences topic: 
 | |||||||
| > > | You can prevent selected Users and Groups from viewing certain TWiki webs by setting one or both of these variables in each web's WebPreferences topic: 
 | |||||||
|  If keeping a hidden web out of general use is a consideration, you can prevent the all webssearch option from accessing hidden webs, by enabling theNOSEARCHALLvariable in WebPreferences:
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
|  Hiding webs is not very secure, as there is a way to circumvent the read access restriction. It can be useful in certain situations - for example, to simplify site organization and clutter, by hiding low traffic webs - but is not recommended for securing sensitive content. (See the next section for a more secure approach.) | ||||||||
| Line: 142 to 140 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Hiding Control Settings
 <!-- | ||||||||
| Changed: | ||||||||
| < < | Set DENYTOPICCHANGE = Main.SomeGroup | |||||||
| > > | 
 | |||||||
| --> | ||||||||
| Line: 157 to 155 | ||||||||
| The SuperAdminGroupBy mistyping a user or group name in the ALLOWTOPICCHANGE setting, it's possible to lock a topic so that no-one can edit it from a browser. To avoid this, you can create Web-based superusers: | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| $superAdminGroup = "TWikiAdminGroup"; | ||||||||
| Line: 165 to 163 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | -- MikeMannix - 01 Apr 2002 -- PeterThoeny - 04 May 2002 | |||||||
| > > | -- PeterThoeny - 04 May 2002 -- MikeMannix - 12 May 2002 | |||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 17 to 17 | ||||||||
| 
 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 38 to 38 | ||||||||
| Managing Groups | ||||||||
| Changed: | ||||||||
| < < | Groups are defined by group topics in the Mainweb, like the TWikiAdminGroup. To start a new group:
 
 
 | |||||||
| > > | Groups are defined by group topics in the Mainweb, like the TWikiAdminGroup. To create a new group:
 
 | |||||||
| Restricting Write Access | ||||||||
| Line: 59 to 59 | ||||||||
| Denying editing of a topic also restricts file attachment; both privileges are assigned together. 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 73 to 75 | ||||||||
| Restricting web-level editing blocks creating new topics, changing topics or attaching files. 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| The same rules apply as for restricting topics, with these additions: 
 | ||||||||
| Line: 89 to 91 | ||||||||
| To allow a user to rename, move or delete a topic, they also need write (editing) permission.  They also need write access to change references in referring topics. 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 103 to 107 | ||||||||
| You can define restrictions of who is allowed to rename a TWiki web. 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| The same rules apply as for topics, with these additions: 
 | ||||||||
| Line: 117 to 121 | ||||||||
| Create Hidden WebsYou can prevent selected users and groups from viewing certain TWiki webs by setting one or both of these variables in each web's WebPreferences topic: | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
|  If keeping a hidden web out of general use is a consideration, you can prevent the all webssearch option from accessing hidden webs, by enabling theNOSEARCHALLvariable in WebPreferences: | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 129 to 133 | ||||||||
| Create Authenticated Access By Web | ||||||||
| Changed: | ||||||||
| < < |  THIS SECTION CONTAINS WORKAROUNDS. Perhaps unconventional for official documentation, but practical, the following method for extending TWiki functionality involves modifying core TWiki, making it essentially not a feature but a hack. Still, it is officially TWiki developer-approved and documented, and will no doubt be included in some form in an upcoming edition of TWiki. 
To selectively restrict web access with the security of Basic Authentication, there is a reliable workaround that involves some straightforward code modification: 
 Example of viewing script 
 | |||||||
| > > | Use the following setup to provide unrestricted viewing access to open webs, with authentication only on selected webs: | |||||||
| 
 | ||||||||
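Review bot: the replacement line under Create Authenticated Access By Web drops both the notice that this procedure modifies core TWiki and the statement that it relies on Basic Authentication, leaving "Use the following setup" with no indication of what is being changed on the server. If the setup that follows still touches scripts or the filesystem, keep a one-line statement of that and name the authentication mechanism, so an administrator knows what to re-check after an upgrade.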
| Line: 173 to 138 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 Hiding Control Settings | ||||||||
| Line: 199 to 165 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | -- MikeMannix - 01 Apr 2002 | |||||||
| > > | -- MikeMannix - 01 Apr 2002 -- PeterThoeny - 04 May 2002 | |||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 57 to 57 | ||||||||
| Deny Editing by Topic | ||||||||
| Changed: | ||||||||
| < < | Denying editing of a topic also restricts attaching files to it; both privileges are assigned together. | |||||||
| > > | Denying editing of a topic also restricts file attachment; both privileges are assigned together. | |||||||
| 
 | ||||||||
| Line: 119 to 119 | ||||||||
| You can prevent selected users and groups from viewing certain TWiki webs by setting one or both of these variables in each web's WebPreferences topic: 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > |  If keeping a hidden web out of general use is a consideration, you can prevent the all webssearch option from accessing hidden webs, by enabling theNOSEARCHALLvariable in WebPreferences: | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
  Hiding webs is not very secure, as there is a way to circumvent the read access restriction. It can be useful in certain situations - for example, to simplify site organization and clutter, by hiding low traffic webs - but is not recommended for securing sensitive content. (See the next section for a more secure approach.) | |||||||
| Create Authenticated Access By Web | ||||||||
| Changed: | ||||||||
| < < | To selectively restrict web access with the security of Basic Authentication, there is a reliable workaround that involves some straightforward code modification: | |||||||
| > > |  THIS SECTION CONTAINS WORKAROUNDS. Perhaps unconventional for official documentation, but practical, the following method for extending TWiki functionality involves modifying core TWiki, making it essentially not a feature but a hack. Still, it is officially TWiki developer-approved and documented, and will no doubt be included in some form in an upcoming edition of TWiki. 
To selectively restrict web access with the security of Basic Authentication, there is a reliable workaround that involves some straightforward code modification: | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | ||||||||
| > > | ||||||||
| Example of viewing script redirect#!/usr/bin/perl -w | ||||||||
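Review bot: the added sentence "Hiding webs is not very secure, as there is a way to circumvent the read access restriction" tells the administrator not to rely on the setting but not what the setting fails to protect. State which kinds of access the hidden-web variables cover and which they do not, so the reader can decide whether the authenticated approach in the next section is required for their content.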
| Line: 162 to 166 | ||||||||
| EOF | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | A SECOND OPTION: A less reliable workaround that also requires code changes is available to provide the same unrestricted viewing access, with authentication required only on selected webs: | |||||||
| > > | A SECOND OPTION: A less reliable workaround that doesn't involve code changes, but does require renaming a script, can provide the same generally unrestricted viewing access, with authentication only on selected webs: | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
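Review bot: the revised SECOND OPTION sentence still calls the workaround "less reliable" without saying in what way. For an access control setup the difference matters: say whether the unreliability means users may be prompted to log in when they should not be, or that a restricted web may be served without authentication.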
| Line: 184 to 190 | ||||||||
| The SuperAdminGroup | ||||||||
| Changed: | ||||||||
| < < | By mistyping a user or group name in the ALLOWTOPICCHANGE setting, it's possible to lock a topic so that it no-one can edit it from a browser. To avoid this: 
 | |||||||
| > > | By mistyping a user or group name in the ALLOWTOPICCHANGE setting, it's possible to lock a topic so that no-one can edit it from a browser. To avoid this, you can create Web-based superusers: 
 | |||||||
| $superAdminGroup = "TWikiAdminGroup"; | ||||||||
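Review bot: the added clause "you can create Web-based superusers" introduces accounts meant to recover topics locked by a mistyped ALLOWTOPICCHANGE, but the visible text does not say where `$superAdminGroup` is configured or who should be in the named group. Add the file that holds the setting and a sentence that membership of that group should be kept minimal, since it sits above the per-topic restriction.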
| Line: 193 to 199 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | -- MikeMannix - 20 Mar 2002 | |||||||
| > > | -- MikeMannix - 01 Apr 2002 | |||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 6 to 6 | ||||||||
| Restricting read and write access to topics and webs, by users and groups | ||||||||
| Deleted: | ||||||||
| < < | Overview | |||||||
| TWikiAccessControl allows you restrict access to single topics and entire webs, by individual user and by user groups, in three main areas: view; edit & attach; and rename/move/delete. These controls, combined with TWikiUserAuthentication, let you easily create and manage an extremely flexible, fine-grained privilege system. An Important Control Consideration | ||||||||
| Line: 29 to 27 | ||||||||
| Users and Groups | ||||||||
| Changed: | ||||||||
| < < | Access control is based on users and groups. Users are defined by their WikiNames, an then organized into unlimited combinations under different user groups. | |||||||
| > > | Access control is based on users and groups. Users are defined by their WikiNames, an then organized in unlimited combinations under different user groups. | |||||||
| Managing Users | ||||||||
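Review bot: the new Users and Groups sentence still contains the typo "an then organized"; it should read "and then organized". The hunk changes only "into" to "in", so the typo is worth fixing in the same edit.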
| Line: 112 to 110 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Restricting Read Access | |||||||
| > > | Restricting Web Access | |||||||
| Changed: | ||||||||
| < < | You can define restrictions of who is allowed to view a TWiki web. | |||||||
| > > | You can prevent selected users and groups from accessing certain webs, by hiding them using restricting read access, or by requiring login. There are two basic methods, one simple, using standard preferences variables to hide a web, but offering low security, and a secure log-in approach that is currently a workaround, involving some minor script and filesystem modification. | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | Create Hidden WebsYou can prevent selected users and groups from viewing certain TWiki webs by setting one or both of these variables in each web's WebPreferences topic: | |||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | 
 Create Authenticated Access By Web | |||||||
| Changed: | ||||||||
| < < | Known Issues | |||||||
| > > | To selectively restrict web access with the security of Basic Authentication, there is a reliable workaround that involves some straightforward code modification: 
 | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | Example of viewing script | |||||||
| Changed: | ||||||||
| < < | Selective Unrestricted Web Access | |||||||
| > > | chdir '..';
# Adjust SCRIPT and PATH_INFO variables to account for the changed directory
my $web = $ENV{SCRIPT_NAME};
$web	 =~ s#^.*/view(/[^/]*).*$#$1#; # isolate the path element after "view"
$ENV{PATH_TRANSLATED} =~ s#(/[^/]*)$#$web$1#;
$ENV{PATH_INFO}		 =~ s#(/[^/]*)$#$web$1#;
$ENV{SCRIPT_NAME}	  =~ s#/view$web#/view#;
$ENV{SCRIPT_FILENAME} =~ s#/view$web#/view#;
# open (LOG, '>>/tmp/redirect.log');
# print LOG join ("\n", scalar localtime (time ()), %ENV);
# close LOG;
exec ('/usr/bin/perl', '-wT', 'view.orig') or
print <<EOF;
Content-type: text/plain
Error executing /cgi-bin/view.orig: $?
Click the BACK button in your browser and contact webmaster\@bcs-oops.org.
EOF 
 | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | A SECOND OPTION: A less reliable workaround that also requires code changes is available to provide the same unrestricted viewing access, with authentication required only on selected webs: | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
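Review bot: in the added view redirect script, `$web` is taken from `$ENV{SCRIPT_NAME}` and then interpolated unquoted into the patterns `s#/view$web#/view#`, so any regex metacharacter in that path element changes what the substitution matches; use `s#/view\Q$web\E#/view#` on both lines. The failure branch after `exec` also needs attention: a failed `exec` sets `$!`, not `$?`, and the here-document has no blank line between `Content-type: text/plain` and the message, so the error would not be a valid CGI response. The hard-coded `webmaster\@bcs-oops.org` address is site-specific and should be a placeholder in shared documentation.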
| Line: 158 to 193 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | -- MikeMannix - 02 Dec 2001 | |||||||
| > > | -- MikeMannix - 20 Mar 2002 | |||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 41 to 41 | ||||||||
| Managing GroupsGroups are defined by group topics in theMainweb, like the TWikiAdminGroup. To start a new group: | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Restricting Write Access | ||||||||
| Line: 135 to 137 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | Hiding Control Settings
 <!-- | |||||||
| The SuperAdminGroup | ||||||||
| Line: 147 to 158 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | -- PeterThoeny - 16 Mar 2001 -- AndreaSterbini - 11 Apr 2001 | |||||||
| > > | -- MikeMannix - 02 Dec 2001 | |||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Deleted: | ||||||||
| < < | Warning: Can't find topic TWiki.UtilTempDocNote | |||||||
| Line: 142 to 140 | ||||||||
| By mistyping a user or group name in the ALLOWTOPICCHANGE setting, it's possible to lock a topic so that it no-one can edit it from a browser. To avoid this: 
 | ||||||||
| Changed: | ||||||||
| < < | ||||||||
| > > | ||||||||
| $superAdminGroup = "TWikiAdminGroup"; 
 | ||||||||
| Changed: | ||||||||
| < < | -- PeterThoeny - 16 Mar 2001 -- AndreaSterbini - 11 Apr 2001 Related topics: TWikiPreferences, WebPreferences (in every web), TWikiAdminGroup, TWikiGroups | |||||||
| > > | -- PeterThoeny - 16 Mar 2001 -- AndreaSterbini - 11 Apr 2001 | |||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Warning: Can't find topic TWiki.UtilTempDocNote | ||||||||
| Line: 10 to 10 | ||||||||
| Overview | ||||||||
| Changed: | ||||||||
| < < | TWikiAccessControl allows you restrict access to single topics and entire webs, by individual user and by user groups, in three main areas: view; edit & attach; and rename/move/delete. These controls, combined with TWikiUserAuthentication, let you easily create and manage an extremely flexible, fine-grained privilege system. | |||||||
| > > | TWikiAccessControl allows you restrict access to single topics and entire webs, by individual user and by user groups, in three main areas: view; edit & attach; and rename/move/delete. These controls, combined with TWikiUserAuthentication, let you easily create and manage an extremely flexible, fine-grained privilege system. | |||||||
| An Important Control Consideration | ||||||||
| Changed: | ||||||||
| < < | Open, freeform editing is the essence of the WikiCulture - it's what makes TWiki different and often more effective than other collaboration tools. So, it is strongly recommended that decisions to restrict read or write access to a web or a topic are made with care. Experience shows that unrestricted write access works very well because: | |||||||
| > > | Open, freeform editing is the essence of the WikiCulture - it's what makes TWiki different and often more effective than other collaboration tools. So, it is strongly recommended that decisions to restrict read or write access to a web or a topic are made with care. Experience shows that unrestricted write access works very well because: | |||||||
| 
 
 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 35 to 35 | ||||||||
| Managing Users | ||||||||
| Changed: | ||||||||
| < < | A user is created by with the TWikiRegistration form. The process generates a topic in the Main web in the new user's WikiName. The default visitor name is TWikiGuest. | |||||||
| > > | A user is created by with the TWikiRegistration form. The process generates a topic in the Main web in the new user's WikiName. The default visitor name is TWikiGuest. | |||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Managing Groups | ||||||||
| Line: 123 to 123 | ||||||||
| Known Issues
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Selective Unrestricted Web Access
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Added: | ||||||||
| > > | Warning: Can't find topic TWiki.UtilTempDocNote | |||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Changed: | ||||||||
| < < | TWiki Access Control | |||||||
| > > | TWiki Access Control | |||||||
| Restricting read and write access to topics and webs, by users and groups | ||||||||
| Changed: | ||||||||
| < < | Overview | |||||||
| > > | Overview | |||||||
| TWikiAccessControl allows you restrict access to single topics and entire webs, by individual user and by user groups, in three main areas: view; edit & attach; and rename/move/delete. These controls, combined with TWikiUserAuthentication, let you easily create and manage an extremely flexible, fine-grained privilege system. | ||||||||
| Changed: | ||||||||
| < < | An Important Control Consideration | |||||||
| > > | An Important Control Consideration | |||||||
| Open, freeform editing is the essence of the WikiCulture - it's what makes TWiki different and often more effective than other collaboration tools. So, it is strongly recommended that decisions to restrict read or write access to a web or a topic are made with care. Experience shows that unrestricted write access works very well because: | ||||||||
| Line: 27 to 27 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Users and Groups | |||||||
| > > | Users and Groups | |||||||
| Access control is based on users and groups. Users are defined by their WikiNames, an then organized into unlimited combinations under different user groups. | ||||||||
| Changed: | ||||||||
| < < | Managing Users | |||||||
| > > | Managing Users | |||||||
| A user is created by with the TWikiRegistration form. The process generates a topic in the Main web in the new user's WikiName. The default visitor name is TWikiGuest. 
 | ||||||||
| Changed: | ||||||||
| < < | Managing Groups | |||||||
| > > | Managing Groups | |||||||
| Groups are defined by group topics in the Mainweb, like the TWikiAdminGroup. To start a new group:
 | ||||||||
| Line: 51 to 51 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Restricting Write Access | |||||||
| > > | Restricting Write Access | |||||||
| You can define who is allowed to make changes to a web or a topic. | ||||||||
| Changed: | ||||||||
| < < | Deny Editing by Topic | |||||||
| > > | Deny Editing by Topic | |||||||
| Denying editing of a topic also restricts attaching files to it; both privileges are assigned together. 
 | ||||||||
| Line: 68 to 68 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Deny Editing by Web | |||||||
| > > | Deny Editing by Web | |||||||
| Restricting web-level editing blocks creating new topics, changing topics or attaching files. | ||||||||
| Line: 80 to 80 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Restricting Rename Access | |||||||
| > > | Restricting Rename Access | |||||||
| You can define who is allowed to rename, move or delete a topic, or rename a web. | ||||||||
| Changed: | ||||||||
| < < | Deny Renaming by Topic | |||||||
| > > | Deny Renaming by Topic | |||||||
| To allow a user to rename, move or delete a topic, they also need write (editing) permission. They also need write access to change references in referring topics. | ||||||||
| Line: 98 to 98 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Deny Renaming by Web | |||||||
| > > | Deny Renaming by Web | |||||||
| You can define restrictions of who is allowed to rename a TWiki web. | ||||||||
| Line: 110 to 110 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Restricting Read Access | |||||||
| > > | Restricting Read Access | |||||||
| You can define restrictions of who is allowed to view a TWiki web. | ||||||||
| Line: 118 to 118 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Known Issues | |||||||
| > > | Known Issues | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Selective Unrestricted Web Access | |||||||
| > > | Selective Unrestricted Web Access | |||||||
| 
 | ||||||||
| Line: 136 to 136 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | The SuperAdminGroup | |||||||
| > > | The SuperAdminGroup | |||||||
| By mistyping a user or group name in the ALLOWTOPICCHANGE setting, it's possible to lock a topic so that it no-one can edit it from a browser. To avoid this: 
 | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 8 to 8 | ||||||||
| Overview | ||||||||
| Changed: | ||||||||
| < < | TWiki allows you to define restrictions of who is allowed to view a TWiki web, make changes to topics or attach files. | |||||||
| > > | TWikiAccessControl allows you restrict access to single topics and entire webs, by individual user and by user groups, in three main areas: view; edit & attach; and rename/move/delete. These controls, combined with TWikiUserAuthentication, let you easily create and manage an extremely flexible, fine-grained privilege system. An Important Control ConsiderationOpen, freeform editing is the essence of the WikiCulture - it's what makes TWiki different and often more effective than other collaboration tools. So, it is strongly recommended that decisions to restrict read or write access to a web or a topic are made with care. Experience shows that unrestricted write access works very well because: | |||||||
| Deleted: | ||||||||
| < < | IMPORTANT NOTE: Think twice before restricting read or write access to a web or a topic, because an open system where everybody can contribute is the essence of the WikiCulture. Experience shows that unrestricted write access works very well because: | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 
 | |||||||
| Users and Groups | ||||||||
| Changed: | ||||||||
| < < | Access control is based on users and groups. | |||||||
| > > | Access control is based on users and groups. Users are defined by their WikiNames, an then organized into unlimited combinations under different user groups. | |||||||
| Managing Users | ||||||||
| Changed: | ||||||||
| < < | A user is created by with the TWikiRegistration form. The process generates a topic in the Main web in the new user's WikiName. The default visitor name is TWikiGuest. 
 | |||||||
| > > | A user is created by with the TWikiRegistration form. The process generates a topic in the Main web in the new user's WikiName. The default visitor name is TWikiGuest. 
 | |||||||
| Managing Groups | ||||||||
| Changed: | ||||||||
| < < | Groups are defined by group topics in the Main web, like the TWikiAdminGroup. 
 | |||||||
| > > | Groups are defined by group topics in the Mainweb, like the TWikiAdminGroup. To start a new group:
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 
 | |||||||
| Restricting Write Access | ||||||||
| Changed: | ||||||||
| < < | Deny Editing by Topic | |||||||
| > > | You can define who is allowed to make changes to a web or a topic. | |||||||
| Changed: | ||||||||
| < < | You can define restrictions of who is allowed to make changes to a topic or attach files to it. | |||||||
| > > | Deny Editing by Topic | |||||||
| Changed: | ||||||||
| < < | Define one or both of these variables in a topic, preferably at the end of the topic: | |||||||
| > > | Denying editing of a topic also restricts attaching files to it; both privileges are assigned together. 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | DENYTOPICCHANGE defines users or groups that are not allowed to make changes to the topic. It is a comma delimited list of users and groups. Example:     * Set DENYTOPICCHANGE = Main.SomeBadBoy, Main.SomeBadGirl, Main.SomeHackerGroup | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | ALLOWTOPICCHANGE defines users or groups that are allowed to make changes to the topic. It is a comma delimited list of users and groups. Example:     * Set ALLOWTOPICCHANGE = Main.SomeGoodGuy, Main.SomeGoodGirl, Main.TWikiAdminGroup | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | DENYTOPICCHANGE is evaluated before ALLOWTOPICCHANGE. Access is denied if the authenticated person is in the DENYTOPICCHANGE list, or not in the ALLOWTOPICCHANGE list. Access is granted in case DENYTOPICCHANGE and ALLOWTOPICCHANGE is not defined. | |||||||
| > > | 
 | |||||||
| Deny Editing by Web | ||||||||
| Changed: | ||||||||
| < < | You can define restrictions of who is allowed to make changes to a TWiki web. This includes creating new topics, changing topics or attaching files. | |||||||
| > > | Restricting web-level editing blocks creating new topics, changing topics or attaching files. | |||||||
| Changed: | ||||||||
| < < | Define one or both of these variable in the WebPreferences topic: | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | The same rules apply like the one for Access Control for Individual Topics; with these additions: | |||||||
| > > | The same rules apply as for restricting topics, with these additions: | |||||||
| 
 Restricting Rename Access | ||||||||
| Changed: | ||||||||
| < < | ||||||||
| > > | You can define who is allowed to rename, move or delete a topic, or rename a web. | |||||||
| Deny Renaming by Topic | ||||||||
| Changed: | ||||||||
| < < | You can define restrictions of who is allowed to rename a topic. Note that users need this permission in addition to the CHANGE permission in order to rename a topic. They also need CHANGE access to change references in referring topics. | |||||||
| > > | To allow a user to rename, move or delete a topic, they also need write (editing) permission. They also need write access to change references in referring topics. | |||||||
| Changed: | ||||||||
| < < | Define one or both of these variables in a topic, preferably at the end of the topic: | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | DENYTOPICCRENAME defines users or groups that are not allowed to rename the topic. It is a comma delimited list of users and groups. Example:     * Set DENYTOPICRENAME = Main.SomeBadBoy, Main.SomeBadGirl, Main.SomeHackerGroup | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | ALLOWTOPICRENAME defines users or groups that are allowed to rename the topic. It is a comma delimited list of users and groups. Example:     * Set ALLOWTOPICRENAME = Main.SomeGoodGuy, Main.SomeGoodGirl, Main.TWikiAdminGroup | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | DENYTOPICRENAME is evaluated before ALLOWTOPICRENAME. Access is denied if the authenticated person is in the DENYTOPICRENAME list, or not in the ALLOWTOPICRENAME list. Access is granted in case DENYTOPICRENAME and ALLOWTOPICRENAME is not defined. | |||||||
| > > | 
 | |||||||
| Deny Renaming by Web | ||||||||
| Changed: | ||||||||
| < < | You can define restrictions of who is allowed to do renames for a TWiki web. | |||||||
| > > | You can define restrictions of who is allowed to rename a TWiki web. | |||||||
| Changed: | ||||||||
| < < | Define one or both of these variable in the WebPreferences topic: | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | The same rules apply like the one for Access Control for Individual Topics; with these additions: | |||||||
| > > | The same rules apply as for topics, with these additions: | |||||||
| 
 | ||||||||
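Review bot: in the new Deny Renaming by Topic text, "they also need write (editing) permission" replaces a sentence that named the CHANGE permission explicitly, so the reader can no longer tell which setting grants it. Keep the variable names (ALLOWTOPICCHANGE / DENYTOPICCHANGE) alongside the plain-language wording. The same hunk removes the paragraphs stating that DENYTOPICCHANGE is evaluated before ALLOWTOPICCHANGE and that access is granted when neither is defined; confirm the evaluation order is still stated in the new text.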
| Line: 101 to 114 | ||||||||
| You can define restrictions of who is allowed to view a TWiki web. | ||||||||
| Changed: | ||||||||
| < < | Define one or both of these variable in the WebPreferences topic: | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 113 to 126 | ||||||||
| Selective Unrestricted Web Access
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 125 to 138 | ||||||||
| The SuperAdminGroup | ||||||||
| Changed: | ||||||||
| < < | The above schema can lock completely a topic in case of a typing error of the ALLOWTOPICCHANGE setting (see UnchangeableTopicBug for more detail). To avoid this: 
 | |||||||
| > > | By mistyping a user or group name in the ALLOWTOPICCHANGE setting, it's possible to lock a topic so that it no-one can edit it from a browser. To avoid this: 
 | |||||||
| $superAdminGroup = "TWikiAdminGroup"; | ||||||||
| Added: | ||||||||
| > > | ||||||||
| 
 | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 122 to 122 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | ||||||||
| The SuperAdminGroupThe above schema can lock completely a topic in case of a typing error of the ALLOWTOPICCHANGE setting (see UnchangeableTopicBug for more detail). To avoid this: | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| On this page:  
 TWiki Access Control | ||||||||
| Added: | ||||||||
| > > | Restricting read and write access to topics and webs, by users and groups Overview | |||||||
| TWiki allows you to define restrictions of who is allowed to view a TWiki web, make changes to topics or attach files. IMPORTANT NOTE: Think twice before restricting read or write access to a web or a topic, because an open system where everybody can contribute is the essence of the WikiCulture. Experience shows that unrestricted write access works very well because: | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Users and GroupsAccess control is based on users and groups. | ||||||||
| Changed: | ||||||||
| < < | Users are defined by the user topics in the Main web, i.e. TWikiGuest 
 | |||||||
| > > | Managing UsersA user is created by with the TWikiRegistration form. The process generates a topic in the Main web in the new user's WikiName. The default visitor name is TWikiGuest.
 Managing Groups | |||||||
| Changed: | ||||||||
| < < | Groups are defined by group topics in the Main web, i.e. TWikiAdminGroup 
 | |||||||
| > > | Groups are defined by group topics in the Main web, like the TWikiAdminGroup. 
 | |||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | Restricting Write Access | |||||||
| Changed: | ||||||||
| < < | Write Access Restriction by Topic | |||||||
| > > | Deny Editing by Topic | |||||||
| You can define restrictions of who is allowed to make changes to a topic or attach files to it. | ||||||||
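Review bot: the added Managing Users line reads "A user is created by with the TWikiRegistration form"; drop either "by" or "with". The headings "Managing Users" and "Managing Groups" are also run into the body text on the added lines and should stand on their own.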
| Line: 42 to 55 | ||||||||
| DENYTOPICCHANGE is evaluated before ALLOWTOPICCHANGE. Access is denied if the authenticated person is in the DENYTOPICCHANGE list, or not in the ALLOWTOPICCHANGE list. Access is granted in case DENYTOPICCHANGE and ALLOWTOPICCHANGE is not defined. | ||||||||
| Changed: | ||||||||
| < < | Write Access Restriction by Web | |||||||
| > > | Deny Editing by Web | |||||||
| You can define restrictions of who is allowed to make changes to a TWiki web. This includes creating new topics, changing topics or attaching files. | ||||||||
| Line: 54 to 67 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Rename Access Restriction by Topic | |||||||
| > > | Restricting Rename AccessDeny Renaming by Topic | |||||||
| You can define restrictions of who is allowed to rename a topic. Note that users need this permission in addition to the CHANGE permission in order to rename a topic. They also need CHANGE access to change references in referring topics. | ||||||||
| Line: 68 to 85 | ||||||||
| DENYTOPICRENAME is evaluated before ALLOWTOPICRENAME. Access is denied if the authenticated person is in the DENYTOPICRENAME list, or not in the ALLOWTOPICRENAME list. Access is granted in case DENYTOPICRENAME and ALLOWTOPICRENAME is not defined. | ||||||||
| Changed: | ||||||||
| < < | Rename Access Restriction by Web | |||||||
| > > | Deny Renaming by Web | |||||||
| You can define restrictions of who is allowed to do renames for a TWiki web. | ||||||||
| Line: 80 to 97 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Read Access Restriction by Web | |||||||
| > > | Restricting Read Access | |||||||
| You can define restrictions of who is allowed to view a TWiki web. | ||||||||
| Line: 88 to 105 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Read Restriction Known Issues | |||||||
| > > | Known Issues | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 Selective Unrestricted Web Access | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| The SuperAdminGroup | ||||||||
| Changed: | ||||||||
| < < | The above schema can lock completely a topic in case of a typing error of the ALLOWTOPICCHANGE setting (see UnchangeableTopicBug). To avoid this: 
 | |||||||
| > > | The above schema can lock completely a topic in case of a typing error of the ALLOWTOPICCHANGE setting (see UnchangeableTopicBug for more detail). To avoid this: 
 | |||||||
| $superAdminGroup = "TWikiAdminGroup"; | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| -- PeterThoeny - 16 Mar 2001 -- AndreaSterbini - 11 Apr 2001 | ||||||||
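Review bot: In the SuperAdminGroup paragraph, adding "for more detail" leaves the awkward wording in place: "can lock completely a topic in case of a typing error of the ALLOWTOPICCHANGE setting". Suggest "A typing error in the ALLOWTOPICCHANGE setting can lock a topic completely", plus a sentence next to `$superAdminGroup = "TWikiAdminGroup";` saying where that line is set and what members of the group can then do, because this is the recovery path an administrator will look for after a lockout.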
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Line: 88 to 88 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Read Access Restriction Notes | |||||||
| > > | Read Restriction Known Issues | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Deleted: | ||||||||
| < < | 
 | |||||||
| Changed: | ||||||||
| < < | The SuperAdminGroup | |||||||
| > > | The SuperAdminGroup | |||||||
| The above schema can lock completely a topic in case of a typing error of the ALLOWTOPICCHANGE setting (see UnchangeableTopicBug). To avoid this: 
 | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Added: | ||||||||
| > > | ||||||||
| TWiki Access ControlTWiki allows you to define restrictions of who is allowed to view a TWiki web, make changes to topics or attach files. | ||||||||
| Line: 25 to 28 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Write Access Restriction for Individual Topics | |||||||
| > > | Write Access Restriction by Topic | |||||||
| You can define restrictions of who is allowed to make changes to a topic or attach files to it. | ||||||||
| Line: 39 to 42 | ||||||||
| DENYTOPICCHANGE is evaluated before ALLOWTOPICCHANGE. Access is denied if the authenticated person is in the DENYTOPICCHANGE list, or not in the ALLOWTOPICCHANGE list. Access is granted in case DENYTOPICCHANGE and ALLOWTOPICCHANGE is not defined. | ||||||||
| Changed: | ||||||||
| < < | Write Access Restriction for a Whole TWiki Web | |||||||
| > > | Write Access Restriction by Web | |||||||
| You can define restrictions of who is allowed to make changes to a TWiki web. This includes creating new topics, changing topics or attaching files. | ||||||||
| Line: 51 to 54 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Rename Access Restriction for Individual Topics | |||||||
| > > | Rename Access Restriction by Topic | |||||||
| You can define restrictions of who is allowed to rename a topic. Note that users need this permission in addition to the CHANGE permission in order to rename a topic. They also need CHANGE access to change references in referring topics. | ||||||||
| Line: 65 to 68 | ||||||||
| DENYTOPICRENAME is evaluated before ALLOWTOPICRENAME. Access is denied if the authenticated person is in the DENYTOPICRENAME list, or not in the ALLOWTOPICRENAME list. Access is granted in case DENYTOPICRENAME and ALLOWTOPICRENAME is not defined. | ||||||||
| Changed: | ||||||||
| < < | Rename Access Restriction for a Whole TWiki Web | |||||||
| > > | Rename Access Restriction by Web | |||||||
| You can define restrictions of who is allowed to do renames for a TWiki web. | ||||||||
| Line: 77 to 80 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Read Access Restriction for a Whole TWiki Web | |||||||
| > > | Read Access Restriction by Web | |||||||
| You can define restrictions of who is allowed to view a TWiki web. | ||||||||
| Line: 85 to 88 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Notes for read access restriction: | |||||||
| > > | Read Access Restriction Notes | |||||||
| 
 | ||||||||
| Line: 99 to 103 | ||||||||
| 
 | ||||||||
| Deleted: | ||||||||
| < < | -- PeterThoeny - 16 Mar 2001 | |||||||
| Changed: | ||||||||
| < < | NOTE: | |||||||
| > > | The SuperAdminGroup | |||||||
| The above schema can lock completely a topic in case of a typing error of the ALLOWTOPICCHANGE setting (see UnchangeableTopicBug). To avoid this: 
 | ||||||||
| Line: 110 to 113 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | -- PeterThoeny - 16 Mar 2001 | |||||||
| -- AndreaSterbini - 11 Apr 2001 | ||||||||
| Changed: | ||||||||
| < < | ||||||||
| > > | ||||||||
| Related topics: TWikiPreferences, WebPreferences (in every web), TWikiAdminGroup, TWikiGroups | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| TWiki Access ControlTWiki allows you to define restrictions of who is allowed to view a TWiki web, make changes to topics or attach files. | ||||||||
| Line: 99 to 99 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | -- PeterThoeny - 16 Mar 2001 | |||||||
| Changed: | ||||||||
| < < | Related topics: TWikiPreferences, WebPreferences (in every web), TWikiAdminGroup, TWikiGroups | |||||||
| > > | NOTE: | |||||||
| Changed: | ||||||||
| < < | -- PeterThoeny - 16 Mar 2001 | |||||||
| > > | The above schema can lock completely a topic in case of a typing error of the ALLOWTOPICCHANGE setting (see UnchangeableTopicBug). To avoid this: 
 $superAdminGroup = "TWikiAdminGroup"; 
 Related topics: TWikiPreferences, WebPreferences (in every web), TWikiAdminGroup, TWikiGroups | |||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| TWiki Access ControlTWiki allows you to define restrictions of who is allowed to view a TWiki web, make changes to topics or attach files. | ||||||||
| Line: 50 to 51 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | Rename Access Restriction for Individual TopicsYou can define restrictions of who is allowed to rename a topic. Note that users need this permission in addition to the CHANGE permission in order to rename a topic. They also need CHANGE access to change references in referring topics. Define one or both of these variables in a topic, preferably at the end of the topic:
     * Set DENYTOPICRENAME = Main.SomeBadBoy, Main.SomeBadGirl, Main.SomeHackerGroupALLOWTOPICRENAME defines users or groups that are allowed to rename the topic. It is a comma delimited list of users and groups. Example:    * Set ALLOWTOPICRENAME = Main.SomeGoodGuy, Main.SomeGoodGirl, Main.TWikiAdminGroupDENYTOPICRENAME is evaluated before ALLOWTOPICRENAME. Access is denied if the authenticated person is in the DENYTOPICRENAME list, or not in the ALLOWTOPICRENAME list. Access is granted in case DENYTOPICRENAME and ALLOWTOPICRENAME is not defined.Rename Access Restriction for a Whole TWiki WebYou can define restrictions of who is allowed to do renames for a TWiki web. Define one or both of these variable in the WebPreferences topic:
 
 | |||||||
| Read Access Restriction for a Whole TWiki WebYou can define restrictions of who is allowed to view a TWiki web. | ||||||||
| Line: 65 to 65 | ||||||||
|---|---|---|---|---|---|---|---|---|
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Added: | ||||||||
| > > | TWiki Access Control | |||||||
| TWiki allows you to define restrictions of who is allowed to view a TWiki web, make changes to topics or attach files. IMPORTANT NOTE: Think twice before restricting read or write access to a web or a topic, because an open system where everybody can contribute is the essence of the WikiCulture. Experience shows that unrestricted write access works very well because: | ||||||||
| Line: 6 to 8 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Users and Groups | |||||||
| > > | Users and Groups | |||||||
| Access control is based on users and groups. | ||||||||
| Line: 22 to 24 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Write Access Restriction for Individual Topics | |||||||
| > > | Write Access Restriction for Individual Topics | |||||||
| You can define restrictions of who is allowed to make changes to a topic or attach files to it. | ||||||||
| Line: 36 to 38 | ||||||||
| DENYTOPICCHANGE is evaluated before ALLOWTOPICCHANGE. Access is denied if the authenticated person is in the DENYTOPICCHANGE list, or not in the ALLOWTOPICCHANGE list. Access is granted in case DENYTOPICCHANGE and ALLOWTOPICCHANGE is not defined. | ||||||||
| Changed: | ||||||||
| < < | Write Access Restriction for a Whole TWiki Web | |||||||
| > > | Write Access Restriction for a Whole TWiki Web | |||||||
| You can define restrictions of who is allowed to make changes to a TWiki web. This includes creating new topics, changing topics or attaching files. | ||||||||
| Line: 48 to 50 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Read Access Restriction for a Whole TWiki Web | |||||||
| > > | Read Access Restriction for a Whole TWiki Web | |||||||
| You can define restrictions of who is allowed to view a TWiki web. | ||||||||
| Line: 73 to 75 | ||||||||
| Related topics: TWikiPreferences, WebPreferences (in every web), TWikiAdminGroup, TWikiGroups | ||||||||
| Changed: | ||||||||
| < < | -- PeterThoeny - 20 Jan 2001 | |||||||
| > > | -- PeterThoeny - 16 Mar 2001 | |||||||
| Line: 57 to 57 | ||||||||
|---|---|---|---|---|---|---|---|---|
| 
 | ||||||||
| Added: | ||||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 57 to 57 | ||||||||
|---|---|---|---|---|---|---|---|---|
| 
 | ||||||||
| Added: | ||||||||
| > > | 
 | |||||||
| 
 | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Changed: | ||||||||
| < < | TWiki allows to define some restrictions of who is allowed to make changes and attach files to topics. | |||||||
| > > | TWiki allows you to define restrictions of who is allowed to view a TWiki web, make changes to topics or attach files. | |||||||
| Changed: | ||||||||
| < < | IMPORTANT NOTE: Think twice before restricting write access to a web or a topic, because an open system where everybody can contribute is the essence of the WikiCulture. Experience shows that unrestricted write access works very well because: | |||||||
| > > | IMPORTANT NOTE: Think twice before restricting read or write access to a web or a topic, because an open system where everybody can contribute is the essence of the WikiCulture. Experience shows that unrestricted write access works very well because: | |||||||
| 
 | ||||||||
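Review bot: The IMPORTANT NOTE now warns against restricting "read or write access", but its next sentence still argues only that "unrestricted write access works very well". Either extend the rationale to cover read access or keep the warning scoped to write access, so the note does not imply a justification it never gives.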
| Line: 22 to 22 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Access Control for Individual Topics | |||||||
| > > | Write Access Restriction for Individual Topics | |||||||
| Changed: | ||||||||
| < < | You can define some restrictions of who is allowed to make changes and attach files to a topic. | |||||||
| > > | You can define restrictions of who is allowed to make changes to a topic or attach files to it. | |||||||
| Define one or both of these variables in a topic, preferably at the end of the topic: 
 | ||||||||
| Line: 36 to 36 | ||||||||
| DENYTOPICCHANGE is evaluated before ALLOWTOPICCHANGE. Access is denied if the authenticated person is in the DENYTOPICCHANGE list, or not in the ALLOWTOPICCHANGE list. Access is granted in case DENYTOPICCHANGE and ALLOWTOPICCHANGE is not defined. | ||||||||
| Changed: | ||||||||
| < < | Access Control per TWiki Web | |||||||
| > > | Write Access Restriction for a Whole TWiki Web | |||||||
| Changed: | ||||||||
| < < | You can define some restrictions of who is allowed to make changes and attach files to topics or create new topics in a TWiki web. | |||||||
| > > | You can define restrictions of who is allowed to make changes to a TWiki web. This includes creating new topics, changing topics or attaching files. | |||||||
| Define one or both of these variable in the WebPreferences topic: 
 | ||||||||
| Line: 48 to 48 | ||||||||
| 
 | ||||||||
| Added: | ||||||||
| > > | Read Access Restriction for a Whole TWiki Web
You can define restrictions of who is allowed to view a TWiki web.
Define one or both of these variable in the WebPreferences topic: 
 
 | |||||||
| Related topics: TWikiPreferences, WebPreferences (in every web), TWikiAdminGroup, TWikiGroups | ||||||||
| Changed: | ||||||||
| < < | -- PeterThoeny - 28 Oct 2000 | |||||||
| > > | -- PeterThoeny - 20 Jan 2001 | |||||||
| Line: 40 to 40 | ||||||||
|---|---|---|---|---|---|---|---|---|
| You can define some restrictions of who is allowed to make changes and attach files to topics or create new topics in a TWiki web. | ||||||||
| Changed: | ||||||||
| < < | Define one or both of these variable in the WebPreferences topic: | |||||||
| > > | Define one or both of these variable in the WebPreferences topic: | |||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | 
 | |||||||
| > > | 
 | |||||||
| Changed: | ||||||||
| < < | Related topics: TWikiPreferences, WebPreferences (in every web), TWikiAdminGroup, TWikiGroups | |||||||
| > > | Related topics: TWikiPreferences, WebPreferences (in every web), TWikiAdminGroup, TWikiGroups | |||||||
| -- PeterThoeny - 28 Oct 2000 | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| TWiki allows to define some restrictions of who is allowed to make changes and attach files to topics. | ||||||||
| Changed: | ||||||||
| < < | IMPORTANT NOTE: Is is recommended to use the access control feature only if absolutely necessary because it goes against the free WikiCulture, where everybody is invited to contribute to any topic. | |||||||
| > > | IMPORTANT NOTE: Think twice before restricting write access to a web or a topic, because an open system where everybody can contribute is the essence of the WikiCulture. Experience shows that unrestricted write access works very well because: 
 | |||||||
| Users and Groups | ||||||||
| Line: 44 to 48 | ||||||||
| 
 | ||||||||
| Changed: | ||||||||
| < < | Related topics: TWikiPreferences, WebPreferences (in every web), TWikiAdminGroup | |||||||
| > > | Related topics: TWikiPreferences, WebPreferences (in every web), TWikiAdminGroup, TWikiGroups | |||||||
| -- PeterThoeny - 28 Oct 2000 | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Added: | ||||||||
| > > | TWiki allows to define some restrictions of who is allowed to make changes and attach files to topics.
IMPORTANT NOTE: Is is recommended to use the access control feature only if absolutely necessary because it goes against the free WikiCulture, where everybody is invited to contribute to any topic.
Users and Groups
Access control is based on users and groups.
Users are defined by the user topics in the Main web, i.e. TWikiGuest 
 
 
     * Set DENYTOPICCHANGE = Main.SomeBadBoy, Main.SomeBadGirl, Main.SomeHackerGroupALLOWTOPICCHANGE defines users or groups that are allowed to make changes to the topic. It is a comma delimited list of users and groups. Example:    * Set ALLOWTOPICCHANGE = Main.SomeGoodGuy, Main.SomeGoodGirl, Main.TWikiAdminGroupDENYTOPICCHANGE is evaluated before ALLOWTOPICCHANGE. Access is denied if the authenticated person is in the DENYTOPICCHANGE list, or not in the ALLOWTOPICCHANGE list. Access is granted in case DENYTOPICCHANGE and ALLOWTOPICCHANGE is not defined.
Access Control per TWiki Web
You can define some restrictions of who is allowed to make changes and attach files to topics or create new topics in a TWiki web.
Define one or both of these variable in the WebPreferences topic:
 
 | |||||||
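Review bot: The added IMPORTANT NOTE opens with "Is is recommended", which should be "It is recommended". In the same hunk, "TWiki allows to define" needs an object ("allows you to define") and "one or both of these variable" should read "variables".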
 Copyright © 1999-2025 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.