doesn't honor access right on topics when it lists them while others like WebChanges
do. For example, if you deny view access on one topic for one user, this user will still see the topic title in the index list. IMHO this is not very consistent with the other behaviour. Is this a bug or is it by design ?
- 03 Jan 2008
Note that there is a significant performance hit if TWiki has to open and parse every topic for access rights just to produce a list of topics.
I would be careful to make such a change. Should lack of acces rights mean that you cannot even see the topic in a list? I would like to challenge this need. Maybe in future when TWiki gets a storage scheme where access rights are in a database type such a requirement can be met. But I would hate to see the %TOPICLIST% become slow as hell in a web with 10000s of topics. Naturally you should not be able to see the content of a protected topic but I would like to challenge if it also has to be hidden in lists that can only show the topic name and no content.
- 03 Jan 2008
It's by design. Think of it like a directory structure; if you can access the web (directory), you can access a listing of the topics (files/subdirs) by name, even though you may not be able to access their
access to the contents of the topic, and not just the name.
I agree that it is undesirable, and it is very inconsistent with SEARCH which filters out topics you don't have permission to see. Topics are supposed to have intention-revealing names, yet regardless of permissions, concepts are given away if their topic names are listed.
I close this on my systems by undefining "sub _IF" in TWiki.pm. Not ideal, but effective where it matters. Users can get listing behaviour respectful of permissions using SEARCH.
- 05 Mar 2008