Difference: TWikiAccessControl (42 vs. 43)

Revision 432015-03-30 - TWikiContributor

Line: 1 to 1
 

TWiki Access Control

Line: 226 to 226
 If it returns true, TWiki goes ahead and create the web without checking access control variables. Please read AllowWebCreateByUserMappingManager for more details.
Added:
>
>

Forbid certain users to do certain actions by configuration

You may have an unruly registered users (e.g. a crawler program) who don't follow the rules while you don't have control over such users. And the web application container in which TWiki is installed may be managed by somebody else and you don't have tight and quick control.

To cope with such situations, certain users can be forbidden certain scripts by setting {ForbidUserAction}. A good example is worth more than a lengthy explanation, so here it is: 

$TWiki::cfg{ForbidUserAction} = '
    AggresiveCrawler: edit, oops, search;
    ReadOnlyUser:     !view, viewfile;
    TotallyForbidden: !nothing;
';
In this example:
  • AggresiveCrawler is forbidden edit, oops, and search scripts.
  • ReadOnlyUser is permitted view and viewfile but forbidden the others.
    • If a script list is preceded by !, only the listed scripts are permitted for the user. ! at the beginning of the list negates the list.
  • TotallyForbidden is forbidden all actions.
    Here's the logic. There is no script named nothing, which means all scripts don't match "nothing", hence all scripts are forbidden.
And here are some rules:
  • Spaces, tabs, new lines are ignored
  • It consists of semicolon separated list of per-user specifications
  • A specification consists of a user name, colon, and a comma separated list of scripts
  • A user name needs to be in the canonical form. In most cases the canonical user name is the same as the wiki name. But if you are using non-standard user mapping, the canonical user name of a user is different from the wiki name.
 

User masquerading

There are cases where it's handy to access TWiki on behalf of somebody else retaining a trace of your real identity rather than completely becoming a different user.

Line: 378 to 405
  You can have custom user/group notations such as USER:userid and LDAPGROUP:group-name and use them for access control. For example: 


Changed: 
<
<		 
    

  •  Set ALLOWWEBCHANGE = UID:buzz, LDAPGROUP:foo-bar

 
>
>		 
    

  •  Set ALLOWWEBCHANGE = USER:buzz, LDAPGROUP:foo-bar

 
 
In a large organization, TWiki may need to depend on user and group data provided by its infrastructure.
Custom user/group notations are handy in such situations though it's not trivial to implement.




View topic | History:  r44 < r43 < r42 < r41 | More topic actions...








 


 This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 1999-2025 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. 
 Ideas, requests, problems regarding ARC TWiki? Send feedback 
 Note: Please contribute updates to this topic on TWiki.org at TWiki:TWiki.TWikiAccessControl.