I've configured some webs in my TWiki installation to be accessed only by users from a particular group. Access restrictions are working perfectly when using the view and edit scripts. But the rdiff and changes scripts are able to get the contents of the WebHome page.
Server is:
- Linux 2.4.21-37.ELsmp #1 SMP Wed Sep 7 13:28:55 EDT 2005 i686 i686 i386 GNU/Linux
- This is perl, v5.8.0 built for i386-linux-thread-multi
(with 1 registered patch, see perl -V for more detail)
...
Locally applied patches:
MAINT18379
You don't give any information as to how you configured the access controls. Without details, it's impossible to check what you say. rdiff and changes scripts both observe access controls.
To reproduce:
Create a topic, SleightOfHand.
Add Set DENYTOPICVIEW = YourWikiName
View the topic. You will be denied view. Now edit the URL, and replace view with rdiff. Now you can see the most recent changes, even those done after the DENYTOPICVIEW was added.
This is a critical security issue, and must be fixed in the next available patch.
CC
Agreed.
Added to TWiki:Codev.KnownIssuesOfTWiki04x00x00.
-- SP
With Apache login the workaround is to have this in the .htaccess or httpd.conf:
<FilesMatch "^(logon|viewauth|rename|rdiffauth|rdiff)$">
require valid-user
</FilesMatch>
Is there a similar workaround possible for template auth?
KJL
That's not a workaround, as you may want to restrict view to a subset of named users, or to a group.
Fixed in SVN 9420. Please test! Even better, please generate a testcase!
CC
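A test case in the spirit of the request above, added here as an example and not TWiki's own code: a small Python model of topic-level view control (assumed rule: DENYTOPICVIEW wins, then a non-empty ALLOWTOPICVIEW restricts to the listed names; CHANGE permissions are not modelled) applied to a constructed topic and group, which lists any script that returns content to a user whom view refuses. The script names come from the thread; the topic text, group membership and function names are constructed for the example.

```python
import re

# Constructed sample topic text with the settings from the thread (not from the page).
TOPIC_TEXT = """---+ Web Home
Content that only SecretGroup should see.
   * Set DENYTOPICVIEW = YourWikiName
   * Set ALLOWTOPICVIEW = SecretGroup
"""

# Constructed group membership; in TWiki this lives in the group topic's GROUP setting.
GROUPS = {"SecretGroup": {"AliceUser", "BobUser"}}

# A TWiki preference line: indented bullet followed by 'Set NAME = value'.
SETTING_RE = re.compile(
    r"^\s+\*\s+Set\s+((?:ALLOW|DENY)TOPICVIEW)\s*=\s*(.*?)\s*$", re.M)

def parse_acl(text):
    """Return {'DENYTOPICVIEW': [...], 'ALLOWTOPICVIEW': [...]} found in the topic text."""
    acl = {}
    for name, value in SETTING_RE.findall(text):
        acl[name] = [n for n in re.split(r"[,\s]+", value) if n]
    return acl

def _listed(user, names):
    # A name matches directly or through membership of a listed group.
    return any(n == user or user in GROUPS.get(n, ()) for n in names)

def may_view(user, acl):
    """Assumed TWiki rule: DENY wins; a non-empty ALLOW restricts to the listed names."""
    if _listed(user, acl.get("DENYTOPICVIEW", [])):
        return False
    allow = acl.get("ALLOWTOPICVIEW", [])
    return _listed(user, allow) if allow else True

# Which scripts enforce the view check. Per the thread, rdiff and changes did not.
VULNERABLE = {"view": True, "edit": True, "rdiff": False, "changes": False}
FIXED = {script: True for script in VULNERABLE}

def serve(script, user, text, enforces):
    """Return the topic text, or None when the script denies access."""
    if enforces[script] and not may_view(user, parse_acl(text)):
        return None
    return text

def leaking_scripts(user, text, enforces):
    """Scripts that hand out content that 'view' refuses to the same user; must be empty."""
    if serve("view", user, text, enforces) is not None:
        return []
    return [s for s in enforces if serve(s, user, text, enforces) is not None]
```

Running leaking_scripts for the denied user against VULNERABLE reports rdiff and changes; against FIXED it reports nothing, which is the property a regression test for this item should assert.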
I suggest putting this to TWikiSecurityAlerts.
TWiki:Main.SergejZagursky
Closed with release of 4.0.2
KJL