After upgrading to the latest TWiki release, we were verifying several access control features for an internal project. Looking at TWiki:TWiki.TWikiAccessControl, we saw that "setting ALLOWTOPIC to empty denies access to everyone except admins". However, this does not seem to be the case.
Here is a test case showing the issue.
For now we worked around this issue by inserting NobodyGroup in ALLOWTOPICVIEW/CHANGE/RENAME to achieve the desired results; I would hence suppose this issue is not very urgent.
But is this more of a bug in the engine (they are supposed to be honored) or that in the documentation (blank ALLOWTOPICs are not actually honored)? The documentation and actual results are pretty different.
-- TWiki:Main/ClintMarkGono - 07 Apr 2007
There was a big fight over this, which was resolved (against my better judgment) by changing the documentation to fit the (IMHO broken) code.
Because it was a security issue it was done on the quiet, so sorry, no bug numbers to refer you to. But you have identified the correct workaround.
CC
Clint, a good piece of advice is to always read the release notes (TWikiReleaseNotes04x01.html in the twiki root and also a topic TWikiReleaseNotes04x01 in the TWiki web) when you install a new version of TWiki. It is very clearly stated there.
-- TWiki:Main.KennethLavrsen - 26 Apr 2007