Feature Proposals » Allow or deny access to topic in addition to allowed or denied at the web level

Summary

Current State: MergedToCore
Developer: HideyoImazu
Reason: AcceptedBy7DayFeedbackPeriod
Date: 2016-12-09
Concerns By:
Bug Tracking: TWikibug:Item7766
Proposed For: KampalaRelease

Motivation

You may want to allow or deny access to a topic in addition to the users allowed or denied with ALLOWWEB* or DENYWEB*. It would be nice if a change to ALLOWWEB* or DENYWEB* were reflected in the topic level restriction.

This is achievable if ALLOWWEB* or DENYWEB* consists only of a TWiki group. Let's assume the following line is there on WebPreferences.

 * Set ALLOWWEBVIEW = AccessGroup
Then the following line on a topic makes the topic viewable to the users having web level access plus CronieGroup members.
 * Set ALLOWTOPICVIEW = AccessGroup, CronieGroup

But this is not flexible, and there is no guarantee that nothing is later added to ALLOWWEBVIEW.

Description and Documentation

If the value of ALLOWTOPIC* or DENYTOPIC* starts with +, it's treated as if the value of the corresponding ALLOWWEB* or DENYWEB* were inserted there.

Examples

Let's say the following line is there on WebPreferences.
 * Set ALLOWWEBVIEW = AccessGroup
Also assume that the topic ForCronies needs to be viewable by CroniesGroup in addition to AccessGroup. Then, ForCronies would have the following line.
 * Set ALLOWTOPICVIEW = + CroniesGroup

Even if ALLOWWEBVIEW is changed, the ForCronies topic is always viewable by the users allowed by ALLOWWEBVIEW plus CroniesGroup.

Maybe the above example is not so compelling. Think about a large organization with a lot of LDAP groups and a TWiki installation configured to use LDAP groups. Let's assume LDAPGROUP:group-name is the way to specify an LDAP group for access control. Then you may have the line below on WebPreferences.

 * Set ALLOWWEBVIEW = LDAPGROUP:team-tango, LDAPGROUP:team-foxtrot, LDAPGROUP:team-waltz
In that case, duplicating those three in ALLOWTOPICVIEW and adding something more is cumbersome and may cause inconsistency in the future. Writing as follows is much cleaner.
 * Set ALLOWTOPICVIEW = + LDAPGROUP:team-samba
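
The + expansion and the inconsistency risk from the LDAP example above, as an added Python sketch (not TWiki's own code, which is Perl). The function names, the comma-separated parsing, and the later removal of team-waltz from ALLOWWEBVIEW are assumptions constructed for illustration.

```python
def parse_acl(value):
    """Split a comma-separated access list into names, dropping blanks."""
    return [name.strip() for name in value.split(",") if name.strip()]

def expand_topic_acl(topic_value, web_value):
    """Return the effective topic-level list; a leading '+' pulls in the web-level list."""
    stripped = topic_value.strip()
    if not stripped.startswith("+"):
        return parse_acl(stripped)  # hard-coded list: web level is not consulted
    # An empty web-level value simply contributes no names here (assumption;
    # the proposal text does not describe that case).
    merged = parse_acl(web_value) + parse_acl(stripped[1:])
    return list(dict.fromkeys(merged))  # de-duplicate, keep order

def stale_entries(topic_value, web_then, web_now):
    """Names a hard-coded topic list still allows after the web level dropped them."""
    if topic_value.strip().startswith("+"):
        return []  # '+' always follows the current web-level setting
    removed = set(parse_acl(web_then)) - set(parse_acl(web_now))
    return [n for n in expand_topic_acl(topic_value, web_now) if n in removed]

# Constructed sample settings based on the LDAP example in the text.
WEB_THEN = "LDAPGROUP:team-tango, LDAPGROUP:team-foxtrot, LDAPGROUP:team-waltz"
WEB_NOW = "LDAPGROUP:team-tango, LDAPGROUP:team-foxtrot"  # team-waltz removed later
DUPLICATED = WEB_THEN + ", LDAPGROUP:team-samba"  # copy-and-extend approach
PLUS = "+ LDAPGROUP:team-samba"                   # proposed syntax

if __name__ == "__main__":
    print("duplicated:", expand_topic_acl(DUPLICATED, WEB_NOW))
    print("plus      :", expand_topic_acl(PLUS, WEB_NOW))
    print("stale     :", stale_entries(DUPLICATED, WEB_THEN, WEB_NOW))
```

With the duplicated list, the topic keeps allowing a group that the web level has since dropped; with +, the topic follows the web-level change.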

Impact

Implementation

-- Contributors: Hideyo Imazu - 2016-12-09

Discussion

Looks good to me!

-- Peter Thoeny - 2017-01-05

Topic revision: r8 - 2017-01-23 - HideyoImazu