• Use basic auth with sessions (as on twiki.org)
• There are two webs: Open web without restriction, Restricted web with view access restriction
• The Restricted web has a FooBar topic
• I am in the group to view Restricted web, in fact I can also be an admin
• Go to any topic in the Open web
• Type this in the Jump box: Restricted.foo
• Issues:
  • User is not prompted to login
  • WebLeftbar is not shown, you get a "No permission to view WebLeftBar" error message
  • No similar topics are found, e.g. link to FooBar is not shown
• Click on the Open web link in the breadcrumb
  • Login is now requested as expected.

The bug seems to be that the old web is consulted at the time of jump instead of the web the user is jumping to.

-- PTh

Update: The issue seems to be with jump to same web as well. In above scenario, after authentication:

• Go to the Restricted web
• Type foo in Jump box
• Issues:
  • WebLeftbar is not shown, you get a "No permission to view WebLeftBar" error message
  • No similar topics are found, e.g. link to FooBar is not shown

The issue seems to be that the permission check is based on TWiki.WebTopicViewTemplate instead of the current web.

-- PeterThoeny - 25 Jan 2007

If you are in the group to view the Restricted web, then I would not expect you to be asked to log in again, as you already have view access. So I assume that is a red herring, and in fact you are trying to do a Jump to an existing topic as another user (not a user currently authorised to view the Restricted web). In this event I would expect you to be told the web does not exist, as you would be unable to view WebPreferences, which is the requirement for a web to exist. When jumping to an existing topic that's what happens. However if you try a jump to a non-existant topic, then the correct behaviour should be the same viz. you should be told the web does not exist. I just tried that, and I am directed to the create topic screen, which is wrong.

I am unable to reproduce any problem with the access to WebLeftBar when authenticated in the web.

Setting this to confirmed, on the assumption that I guessed your meaning correctly.

Steps to reproduce:

1. Create a web called "Secrets" with * Set ALLOWWEBVIEW = in WebPreferences (i.e. no-one is allowed to view the web)
2. As a non-admin user, visit another web in TWiki.
3. Type Secrets.NonExistantTopic in the Jump box (or edit the URL bar and set it there)

The offer to create a topic should not be made unless permission to access the web has been confirmed by a webExists check, and permission to view the web is granted.

CC

As I remember some testing done recently Peter has set the view script to be authenticated in the Apache config. This is not the correct way. You need to only authenticate viewauth.

-- TWiki:Main.KennethLavrsen - 02 Feb 2007

My theory doesn't make sense, because you have to be in a context to log in before that access check is useful. In the absence of any other clarification or follow-up, I'm discarding this, as AFAICT it works as documented.

CC