After upgrading to the latest TWiki release, we were verifying several access control features for an internal project. Looking at TWiki:TWiki.TWikiAccessControl, we saw that "setting ALLOWTOPIC to empty denies access to everyone except admins". However, this does not seem to be the case.
Here is a test case showing the issue.
For now we worked around this issue by inserting
to achieve the desired results; I would hence suppose this issue is not very urgent.
But is this more of a bug in the engine (they are supposed to be honored) or that in the documentation (blank
are not actually honored)? The documentation and actual results are pretty different.
- 07 Apr 2007
There was a big fight over this, which was resolved (against my better judgment) by changing the documentation to fit the (IMHO broken) code.
Because it was a security issue it was done on the quiet, so sorry, no bug numbers to refer you to. But you have identified the correct workaround.
Clint, a good piece of advice is to always read the release notes (TWikiReleaseNotes04x01.html in the twiki root and also a topic TWikiReleaseNotes04x01 in the TWiki web) when you install a new version of TWiki. It is very clearly stated there.
- 26 Apr 2007