• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

I've configured some webs in my TWiki installation to be accessed only by users from a particular group. Access restrictions are working perfectly when using view and edit script. But rdiff and changes scripts are able to get contents of WebHome page.

Server is:

  • Linux 2.4.21-37.ELsmp #1 SMP Wed Sep 7 13:28:55 EDT 2005 i686 i686 i386 GNU/Linux
  • This is perl, v5.8.0 built for i386-linux-thread-multi
    (with 1 registered patch, see perl -V for more detail)
    ...
    Locally applied patches:
    MAI---Line from A
Line 1 Line from B You don't give any information as to how you configured the access controls. Without details, it's impossible to check what you say. rdiff and changes scripts both observe access controlsNT18379
  • Apache/2.0.46 (Red Hat)

to reproduce:

Create a topic, SleightOfHand

Add Set DENYTOPICVIEW = YourWikiName

view the topic. You will be denied view. Now edit the url, and replace view with rdiff. Now you can see the most recent changes, even those done after the DENYTOPICVIEW was added.

This is a critical security issue, and must be fixed in the next available patch.

CC

Agreed.

Added to TWiki:Codev.KnownIssuesOfTWiki04x00x00.

-- SP

With Apache login the work around is to have this in the .htaccess or httpd.conf

<FilesMatch "^(logon|viewauth|rename|rdiffauth|rdiff|)$">
   require valid-user
</FilesMatch> 

Is there a similar work around possible for template auth?

KJL

That's not a workaround, as you may want to restrict view to a subset of named users, or to a group.

Fixed in SVN 9420. Please test! Even better, please generate a testcase!

CC

I suggest putting this to TWikiSecurityAlerts.

TWiki:Main.SergejZagursky

Closed with release of 4.0.2

KJL

ItemTemplate
Summary rdiff and changes scripts ignore access settings
ReportedBy TWiki:Main.SergejZagursky
Codebase

SVN Range TWikiRelease04x00x01
AppliesTo Engine
Component

Priority Urgent
CurrentState Closed
WaitingFor

Checkins 10175 9420 9451 9452
TargetRelease patch
Edit | Attach | Watch | Print version | History: r11 < r10 < r9 < r8 < r7 | Backlinks | Raw View |  Raw edit | More topic actions
Topic revision: r11 - 2006-04-01 - KennethLavrsen
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback