
Item5602: Web Rename not following ALLOWWEBRENAME Preference

Item Form Data

AppliesTo: Engine
Component: WebPreferences
Priority: Urgent
CurrentState: Closed
WaitingFor:
TargetRelease: patch
ReleasedIn: 4.2.1


Detail

I've encountered a problem with the permission setting for renaming webs. Under the ManagingWebs topic in the standard TWiki web, there is the following statement:

"You may only rename a web if you have permissions to rename all the topics within that web, including any topics in that web's subwebs. You will also need permissions to update any topics containing references to that web."

So I attempted to limit web rename rights to the TWikiAdminGroup by creating a new web and setting ALLOWWEBRENAME to TWikiAdminGroup. Nevertheless, as a non-admin user, I was then able to rename the new web both by changing it from a root-level web to a sub-web of another root-level web, and by simply changing the web name at the root level.

In the process, TWiki did present me with the following warning:

There are problems with renaming this web:

1. You are denied access to the following topics in the web: Test2/WebAtom Test2/WebChanges Test2/WebCreateNewTopic Test2/WebHome Test2/WebIndex Test2/WebLeftBar Test2/WebNotify Test2/WebPreferences Test2/WebRss Test2/WebSearch Test2/WebSearchAdvanced Test2/WebStatistics Test2/WebTopicList

2. The following topics are locked for edit, and cannot be moved: (none)

3. The following topics refer to topics in this web, but you are denied access to them: (none)

4. The following topics refer to topics in this web, but are being edited: (none)

Continue and try to rename web?

But I could still click "Continue and try to rename web?" and then go through with renaming it as described above. Before posting this bug report, I verified the following:

- I was in fact logged in as a non-admin user by looking at the log files from the shell.

- ALLOWROOTCHANGE set to TWikiAdminGroup in TWikiPreferences.

- Authentication being used is Template Login.

-- TWiki:Main/GarySprague - 05 May 2008

Discussion

cf. Codev:GeorgetownReleaseMeeting2008x05x12:

  • documentation issue: "ALLOWWEBRENAME" in fact grants permissions to rename topics in a web.
  • How to protect webs from getting renamed? This bug item should probably be split up (documentation update could be released with 4.2.1, access tests and code changes (if needed) will likely take more time...)

-- TWiki:Main.MarkusUeberall - 12 May 2008

Judging from a quick read of the web renaming code, there is currently no way to prevent a web from being renamed. IMHO it should follow the same rules as topics, so should follow the constraints of the container. In the case of a subweb, that means respecting the setting of ALLOWWEBRENAME on the parent web (which is defined as controlling the renaming of "things" in that web) and ALLOWROOTRENAME for root webs. I believe this is a trivial fix, which should be implemented for 4.2.1.

BTW for history's sake, the interpretation of ALLOWWEBRENAME as controlling contained topics (the contents of the container) is something that has existed since the early days of TWiki i.e. well before 4.0 came on the scene, so changing the interpretation is probably a bad idea at this stage. The application of it to subwebs was merged from MegaTWiki. ALLOWCONTENTRENAME (and matching ALLOWCONTENTVIEW and ALLOWCONTENTCHANGE) might have been a better choice, but by the time subwebs were invented it was already too late.

Confirmed.

-- TWiki:Main.CrawfordCurrie - 13 May 2008

Correct analysis.

-- TWiki:Main.PeterThoeny - 04 Jun 2008

For the short term, I simply edited the oops message so that it doesn't give the user the option of "Continue and rename anyway?", but instead offers them a link to "Return to WebHome." Is there any other way users could get around this without knowing all of the URL parameters needed to execute the confirm rename?

-- TWiki:Main.GarySprague - 05 Jun 2008

Crawford, are you following up on what you call a trivial fix so we can close this security issue in 4.2.1?

-- TWiki:Main.KennethLavrsen - 18 Jun 2008

I have started working on this one and progressing well.

-- KennethLavrsen - 01 Jul 2008

I have fixed this. It was a little more than trivial - at least for me.

But I think we have a reasonably safe renaming of webs now.

I have added this docu to ManagingWebs

Permissions

You may only rename a web if you have the following permissions:

  • You must be allowed to rename and change topics in the web you want to rename
  • You must be allowed to rename topics in the parent web of the web you want to rename
  • If the parent web is the root you must be allowed to both rename and create webs in the root web as defined by ALLOWROOTCHANGE and ALLOWROOTRENAME (defined in TWiki.TWikiPreferences)
  • If you move the web to another parent web you must be allowed to create and change topics in the new parent web.

When you rename a web TWiki will try and update all links that refer to the old web. You should note that links only get updated in topics that you are allowed to edit. If you use access rights in the TWiki installation it is generally best to let an administrator rename webs to avoid too many broken links.

-- KennethLavrsen - 02 Jul 2008
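
The permission list quoted above, modelled as a check that the rename action enforces itself instead of leaving the decision to the warning page. This is an added example, not TWiki's code or part of the original discussion; `Acl`, `ACLS`, `ROOT`, `parent_of`, `rename_denials`, `rename_web`, the `confirmed` flag and the user and web names are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass, field

ROOT = ""  # assumption: empty string stands for the root level (no parent web)

@dataclass
class Acl:
    """Constructed model: who may rename / change things inside one container."""
    rename: set = field(default_factory=set)
    change: set = field(default_factory=set)

# Constructed sample data. ACLS[ROOT] models ALLOWROOTRENAME / ALLOWROOTCHANGE.
ACLS = {
    ROOT: Acl({"AdminUser"}, {"AdminUser"}),
    "Test2": Acl({"AdminUser"}, {"AdminUser", "RegularUser"}),
    "Sandbox": Acl({"AdminUser", "RegularUser"}, {"AdminUser", "RegularUser"}),
    "Sandbox/Sub": Acl({"RegularUser"}, {"RegularUser"}),
}

def parent_of(web):
    """'Sandbox/Sub' -> 'Sandbox'; a root-level web returns ROOT."""
    return web.rpartition("/")[0]

def rename_denials(user, web, new_parent, acls=ACLS):
    """Return every unmet condition from the list above; empty means allowed."""
    denials = []
    def need(container, mode, label):
        if user not in getattr(acls[container], mode):
            denials.append(label)
    need(web, "rename", f"rename topics in {web}")
    need(web, "change", f"change topics in {web}")
    old_parent = parent_of(web)
    if old_parent == ROOT:
        need(ROOT, "rename", "ALLOWROOTRENAME")
        need(ROOT, "change", "ALLOWROOTCHANGE")
    else:
        need(old_parent, "rename", f"rename topics in {old_parent}")
    if new_parent != old_parent:
        # Assumption: a move to the root level is gated by ALLOWROOTCHANGE.
        need(new_parent, "change", f"create/change in {new_parent or 'root'}")
    return denials

def rename_web(user, web, new_parent, new_name, confirmed=False, acls=ACLS):
    """Enforce in the action itself: 'confirmed' never overrides a denial."""
    denials = rename_denials(user, web, new_parent, acls)
    if denials:
        raise PermissionError("rename denied, missing: " + "; ".join(denials))
    return f"{new_parent}/{new_name}" if new_parent else new_name
```

Because `rename_web` repeats the check on every call, removing the "Continue" link from the warning page changes nothing about what a request carrying the confirm parameter can do.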

ItemTemplate
Summary Web Rename not following ALLOWWEBRENAME Preference
ReportedBy TWiki:Main.GarySprague
Codebase 4.2.0
SVN Range TWiki-5.0.0, Sun, 04 May 2008, build 16770
AppliesTo Engine
Component WebPreferences
Priority Urgent
CurrentState Closed
WaitingFor

Checkins TWikirev:16957 TWikirev:16958 TWikirev:16964 TWikirev:16965
TargetRelease patch
ReleasedIn 4.2.1
Topic revision: r14 - 2008-08-04 - KennethLavrsen
 
Copyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.