
Follow-up from TWiki:Codev/FlexibleReturnFromEdit:

In TWiki 4.1, the save script supports a redirectto parameter to redirect to a URL, if enabled with {AllowRedirectUrl} config flag.

New small enhancements for TWiki 4.1:

  • In save, support OtherTopic and Web.OtherTopic redirects, not depending on {AllowRedirectUrl} config flag - DONE
  • Pass redirectto parameter from edit to preview & save - NOT DONE - follow-up in Item3316

-- PTh

IMHO this is extremely confusing for users. As an author of public TWiki applications, I don't want to have to consider whether the {AllowRedirectToUrl} flag is enabled or not in my application, so I almost certainly won't use it. I want to be able to write TWiki applications now that can make use of redirection, and that requires the redirectto=topic support. Redirection to arbitrary URLs is known to be a security hole. Let's make a decision here, please, folks. Either allow redirect to arbitrary URLs, and accept the security consequences, or restrict redirection now to target only topics in the TWiki. It's trivial to implement either way. All that's required is a decision.

Regrading to Requirement, as this has to be sorted out before 4.1 is released.

CC


If security is involved the syntax must be unambiguous. The different syntax is justified and serves a goal: developers must consciously choose either method. So I agree with Crawford.

AC

I made a conscious decision not to rename {AllowRedirectToUrl}. The flag is called {AllowRedirectToUrl} (e.g. URL), not {AllowRedirect} or {AllowRedirectTo} which would imply any redirect. At the current state of implementation, redirect only works for URLs, not web.topics, so it is an all or nothing flag.

Once we implement the trivial web.topic support, the rule applies only to URLs, not web.topics. That is, application developers can count on a redirectto=SomeTopic to work (once we implement the feature), regardless of the state of {AllowRedirectToUrl}.

Because of feature freeze we cannot add the web.topic feature to 4.1. However, this is a trivial change, personally, I would not see an issue if we add the web.topic support to 4.1.

So, we should add the web.topic redirect if Crawford feels strongly that the redirect should work now, regardless of configure flag.

For now, I added a more explicit note in TWiki.spec on danger of redirects to URLs. Once we add the web.topic support, the note should be enhanced to state that Web.OtherTopic redirects work regardless of the {AllowRedirectToUrl} flag.

-- PTh

I just checked in this:

  • In save, support OtherTopic and Web.OtherTopic redirects, not depending on {AllowRedirectUrl} config flag

-- PTh

This needs to wait for TWiki 4.2:

  • Pass redirectto parameter from edit to preview & save

follow-up in Item3316

-- PTh

I changed the release target to minor.

CC

4.1.0 released

KJL
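
The rule settled in this thread (topic targets always honoured, URL targets only with the configure flag) can be written as one decision function. This is an added example, not TWiki's save script and not code from the thread; the function name resolve_redirectto, the simplified web and topic name patterns and the sample values are assumptions.

```perl
#!/usr/bin/perl
# Added illustration of the redirectto rule; not TWiki's own code.
use strict;
use warnings;

# Returns ('topic', $web, $topic), ('url', $url) or ('reject').
# $allow_url stands in for the {AllowRedirectUrl} configure flag.
sub resolve_redirectto {
    my ( $redirectto, $current_web, $allow_url ) = @_;
    return ('reject') unless defined $redirectto && length $redirectto;

    # Control characters could split the Location header: refuse outright.
    return ('reject') if $redirectto =~ /[\x00-\x1f\x7f]/;

    # OtherTopic or Web.OtherTopic: allowed regardless of the flag, because
    # the target stays inside this wiki. Simplified name patterns (assumption).
    # \z rather than $ so a trailing newline cannot slip through.
    if ( $redirectto =~ /\A(?:([A-Z][A-Za-z0-9_]*)\.)?([A-Z][A-Za-z0-9]*)\z/ ) {
        return ( 'topic', defined $1 ? $1 : $current_web, $2 );
    }

    # Absolute http(s) URL: only when the administrator enabled the flag.
    if ( $allow_url && $redirectto =~ m{\Ahttps?://[^\s/]+(?:/\S*)?\z}i ) {
        return ( 'url', $redirectto );
    }

    # Everything else (scheme-relative //host, other schemes, junk) is refused.
    return ('reject');
}

# Constructed sample values, run with the flag off and then on.
for my $allow ( 0, 1 ) {
    for my $value (
        'OtherTopic',
        'Sandbox.OtherTopic',
        'http://other.example/page',
        '//other.example/page',
        "OtherTopic\r\nSet-Cookie: x=1",
      )
    {
        my @result = resolve_redirectto( $value, 'Main', $allow );
        ( my $shown = $value ) =~ s/[\r\n]/?/g;    # keep output on one line
        printf "AllowRedirectUrl=%d  %-32s => %s\n",
          $allow, $shown, join( ' ', @result );
    }
}
```

With the flag off only the two topic forms resolve; with it on, the absolute URL is also accepted, while the scheme-relative and header-splitting values are rejected in both cases.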

ItemTemplate
Summary Support web.topics in redirectto parameter
ReportedBy TWiki:Main.PeterThoeny
Codebase ~twiki4
SVN Range TWiki-4.1, Thu, 14 Dec 2006, build 12269
AppliesTo Engine
Component

Priority Normal
CurrentState Closed
WaitingFor

Checkins 12290 12297
TargetRelease minor
Topic revision: r14 - 2007-01-16 - KennethLavrsen