From e5186b761f1d4a94cd94ecc6890468d0579683e0 Mon Sep 17 00:00:00 2001 From: MikeMannix Date: Fri, 31 Aug 2001 12:18:50 +0000 Subject: none --- TWiki/TWikiAccessControl.mdwn | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/TWiki/TWikiAccessControl.mdwn b/TWiki/TWikiAccessControl.mdwn index 7b007175..88b1d931 100644 --- a/TWiki/TWikiAccessControl.mdwn +++ b/TWiki/TWikiAccessControl.mdwn @@ -94,22 +94,21 @@ Define one or both of these variable in the %WEBPREFSTOPIC% topic: * Set DENYWEBVIEW = < list of users and groups > * Set ALLOWWEBVIEW = < list of users and groups > -#### Read Access Restriction Notes +### Read Restriction Known Issues * The view restriction is not suitable for very sensitive content since there is a way to circumvent the read access restriction. * Read access restriction only works if the view script is authenticated, that means that users need to log on also just to read topics. [TWiki Installation](TWikiDocumentation#installation) has more on basic authentication based on the `.htaccess` file. -* There is a workaround if you prefer to to have unrestricted access to view topics located in normal webs, and to authenticate users only for webs where view restriction is enabled: +* There is a workaround if you prefer to have unrestricted access to view topics located in normal webs, and to authenticate users only for webs where view restriction is enabled: * Leave the `view` script non authenticated in the `.htaccess` file. * Enable the `$doRememberRemoteUser` flag in `wikicfg.pm` as described in [TWiki Authentication](TWikiDocumentation#authentication). %WIKITOOLNAME% will now remember the IP address of an authenticated user. * Copy the `view` script to `viewauth` (or better, create a symbolic link) * Add `viewauth` to the list of authenticated scripts in the .htaccess file. - * When a user accesses a web where you enabled view restriction, %WIKITOOLNAME% will redirect from the `view` script to the `viewauth` script once (this hapens only if the user has never edited a topic). Doing so will ask for authentication. The `viewauth` script shows the requested topic if the user could log on and if the user is authorized to see that web. + * When a user accesses a web where you enabled view restriction, %WIKITOOLNAME% will redirect from the `view` script to the `viewauth` script once (this happens only if the user has never edited a topic). Doing so will ask for authentication. The `viewauth` script shows the requested topic if the user could log on and if the user is authorized to see that web. * If you enable view restriction for a web, it is recommended to restrict search "all webs" from searching this web. Enable this restriction with the `NOSEARCHALL` variable in its [[WebPreferences]], like: * Set NOSEARCHALL = on * It is not recommended to restrict view access to individual topics since all content is searchable **_within_** a web. -* The view restriction is not suitable for very sensitive content since there is a way to circumvent the read access restriction. -### The [[SuperAdminGroup]] +### The SuperAdminGroup The above schema can lock completely a topic in case of a typing error of the ALLOWTOPICCHANGE setting (see [UnchangeableTopicBug](http://www.twiki.org/cgi-bin/view/Codev/UnchangeableTopicBug)). To avoid this: -- cgit v1.2.3