Ho to reproduce bug:
- Use basic auth with sessions (as on twiki.org)
- There are two webs:
Open
web without restriction, Restricted
web with view access restriction
- The
Restricted
web has a FooBar
topic
- I am in the group to view
Restricted
web, in fact I can also be an admin
- Go to any topic in the
Open
web
- Type this in the Jump box:
Restricted.foo
- Issues:
- User is not prompted to login
- WebLeftbar is not shown, you get a "No permission to view WebLeftBar" error message
- No similar topics are found, e.g. link to
FooBar
is not shown
- Click on the
Open
web link in the breadcrumb
- Login is now requested as expected.
The bug seems to be that the old web is consulted at the time of jump instead of the web the user is jumping to.
--
PTh
Update: The issue seems to be with jump to same web as well. In above scenario, after authentication:
- Go to the
Restricted
web
- Type
foo
in Jump box
- Issues:
- WebLeftbar is not shown, you get a "No permission to view WebLeftBar" error message
- No similar topics are found, e.g. link to FooBar is not shown
The issue seems to be that the permission check is based on
TWiki.WebTopicViewTemplate instead of the current web.
--
PeterThoeny - 25 Jan 2007
If you are in the group to view the Restricted web, then I would not expect you to be asked to log in again, as you already have view access. So I assume that is a red herring, and in fact you are trying to do a Jump to an existing topic as another user (not a user currently authorised to view the Restricted web). In this event I would expect you to be told the web does not exist, as you would be unable to view WebPreferences, which is the requirement for a web to exist. When jumping to an existing topic that's what happens. However if you try a jump to a non-existant topic, then the correct behaviour should be the same viz. you should be told the web does not exist. I just tried that, and I am directed to the create topic screen, which is wrong.
I am unable to reproduce any problem with the access to WebLeftBar when authenticated in the web.
Setting this to confirmed, on the assumption that I guessed your meaning correctly.
Steps to reproduce:
- Create a web called "Secrets" with * Set ALLOWWEBVIEW = in WebPreferences (i.e. no-one is allowed to view the web)
- As a non-admin user, visit another web in TWiki.
- Type Secrets.NonExistantTopic in the Jump box (or edit the URL bar and set it there)
You will be prompted to create the topic, which is incorrect, as the web "does not exist" as far as you are concerned.
The offer to create a topic should not be made unless permission to access the web has been confirmed by a
webExists
check, and permission to view the web is granted.
CC
As I remember some testing done recently Peter has set the view script to be authenticated in the Apache config. This is not the correct way. You need to only authenticate viewauth.
--
TWiki:Main.KennethLavrsen
- 02 Feb 2007
My theory doesn't make sense, because you have to be in a context to log in before that access check is useful. In the absence of any other clarification or follow-up, I'm discarding this, as AFAICT it works as documented.
CC