Follow-up from TWiki:Codev/FlexibleReturnFromEdit:
In TWiki 4.1, the save script supports a redirectto parameter to redirect to a URL, if enabled with {AllowRedirectUrl} config flag.
New small enhancements for TWiki 4.1:
- In save, support OtherTopic and Web.OtherTopic redirects, not depending on {AllowRedirectUrl} config flag - DONE
- Pass redirectto parameter from edit to preview & save - NOT DONE - follow-up in Item3316
-- PTh
IMHO this is extremely confusing for users. As an author of public TWiki applications, I don't want to have to consider whether the {AllowRedirectToUrl} flag is enabled or not in my application, so I almost certainly won't use it. I want to be able to write TWiki applications now that can make use of redirection, and that requires the redirectto=topic support. Redirection to arbitrary URLs is known to be a security hole. Let's make a decision here, please, folks. Either allow redirect to arbitrary URLs, and accept the security consequences, or restrict redirection now to target only topics in the TWiki. It's trivial to implement either way. All that's required is a decision.
Regrading to Requirement, as this has to be sorted out before 4.1 is released.
CC
If security is involved the syntax must be unambiguous. The different syntax is justified and serves a goal: developers must consciously choose either method. So I agree with Crawford.
AC
I made a conscious decision not to rename {AllowRedirectToUrl}. The flag is called {AllowRedirectToUrl} (e.g. URL), not {AllowRedirect} or {AllowRedirectTo} which would imply any redirect. At the current state of implementation, redirect only works for URLs, not web.topics, so it is an all or nothing flag.
Once we implement the trivial web.topic support, the rule applies only to URLs, not web.topics. That is, application developers can count on a redirectto=SomeTopic to work (once we implement the feature), regardless of the state of {AllowRedirectToUrl}.
Because of feature freeze we cannot add the web.topic feature to 4.1. However, this is a trivial change, personally, I would not see an issue if we add the web.topic support to 4.1.
So, we should add the web.topic redirect if Crawford feels strongly that the redirect should work now, regardless of configure flag.
For now, I added a more explicit note in TWiki.spec on danger of redirects to URLs. Once we add the web.topic support, the note should be enhanced to state that Web.OtherTopic redirects work regardless of the {AllowRedirectToUrl} flag.
-- PTh
I just checked in this:
- In save, support OtherTopic and OtherTopic redirects, not depending on {AllowRedirectUrl} config flag
-- PTh
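The rule discussed in this item (OtherTopic and Web.OtherTopic targets always accepted, URL targets only when {AllowRedirectToUrl} is on), written in Perl as an added example. It is not the code checked in to TWiki; resolve_redirect, %cfg, $VIEW_BASE and the simplified name pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for the configure flag discussed in this item.
my %cfg = ( AllowRedirectToUrl => 0 );

# Hypothetical base URL of the view script (placeholder host).
my $VIEW_BASE = 'https://wiki.example.test/bin/view';

# Assumption: web and topic names start with an uppercase letter and
# contain only alphanumerics (a simplified pattern for this example).
my $NAME = qr/[A-Z][A-Za-z0-9]*/;

# Resolve a redirectto value to a URL, or return undef to refuse it.
sub resolve_redirect {
    my ( $redirectto, $current_web ) = @_;
    return undef unless defined $redirectto && length $redirectto;

    # Web.OtherTopic: always allowed, the target stays inside the wiki.
    if ( $redirectto =~ /\A($NAME)\.($NAME)\z/ ) {
        return "$VIEW_BASE/$1/$2";
    }
    # OtherTopic: resolved against the web of the topic being saved.
    if ( $redirectto =~ /\A($NAME)\z/ ) {
        return "$VIEW_BASE/$current_web/$1";
    }
    # Anything else is treated as a URL and honoured only with the flag on.
    # No whitespace is accepted anywhere, so CR/LF cannot reach the header.
    if ( $cfg{AllowRedirectToUrl}
        && $redirectto =~ m{\Ahttps?://[^\s/]+\S*\z}i ) {
        return $redirectto;
    }
    return undef;    # caller falls back to viewing the saved topic
}

# Constructed sample inputs, checked with the flag off and then on.
for my $flag ( 0, 1 ) {
    $cfg{AllowRedirectToUrl} = $flag;
    print "AllowRedirectToUrl = $flag\n";
    for my $value ( 'OtherTopic', 'Sandbox.OtherTopic',
        'https://other.example.test/x', '//other.example.test/x',
        "Main.Topic\nX" ) {
        my $url = resolve_redirect( $value, 'Main' );
        ( my $shown = $value ) =~ s/\n/\\n/g;
        printf "  %-30s => %s\n", $shown, defined $url ? $url : '(refused)';
    }
}
```

The scheme-relative value and the value with an embedded newline are refused in both runs; only the absolute URL changes outcome with the flag.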
This needs to wait for TWiki 4.2:
- Pass redirectto parameter from edit to preview & save
follow-up in Item3316
-- PTh
I changed the release target to minor.
CC
4.1.0 released
KJL