• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item5193: WebTopicList doesn't honor access right when it lists topics

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine   Normal No Action Required   n/a  

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

WebTopicList doesn't honor access right on topics when it lists them while others like WebChanges do. For example, if you deny view access on one topic for one user, this user will still see the topic title in the index list. IMHO this is not very consistent with the other behaviour. Is this a bug or is it by design ?

Regards,

Eric

-- TWiki:Main/EricCharikane - 03 Jan 2008

Note that there is a significant performance hit if TWiki has to open and parse every topic for access rights just to produce a list of topics.

I would be careful to make such a change. Should lack of acces rights mean that you cannot even see the topic in a list? I would like to challenge this need. Maybe in future when TWiki gets a storage scheme where access rights are in a database type such a requirement can be met. But I would hate to see the %TOPICLIST% become slow as hell in a web with 10000s of topics. Naturally you should not be able to see the content of a protected topic but I would like to challenge if it also has to be hidden in lists that can only show the topic name and no content.

-- TWiki:Main.KennethLavrsen - 03 Jan 2008

It's by design. Think of it like a directory structure; if you can access the web (directory), you can access a listing of the topics (files/subdirs) by name, even though you may not be able to access their contents. WebChangesrequires access to the contents of the topic, and not just the name.

No action.

CC

I agree that it is undesirable, and it is very inconsistent with SEARCH which filters out topics you don't have permission to see. Topics are supposed to have intention-revealing names, yet regardless of permissions, concepts are given away if their topic names are listed.

I close this on my systems by undefining "sub _IF" in TWiki.pm. Not ideal, but effective where it matters. Users can get listing behaviour respectful of permissions using SEARCH.

-- TWiki:Main.MartinCleaver - 05 Mar 2008

ItemTemplate
Summary WebTopicList doesn't honor access right when it lists topics
ReportedBy TWiki:Main.EricCharikane
Codebase 4.2.0
SVN Range TWiki-4.3.0, Sun, 30 Dec 2007, build 16120
AppliesTo Engine
Component

Priority Normal
CurrentState No Action Required
WaitingFor

Checkins

TargetRelease n/a
ReleasedIn

Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r4 - 2008-03-05 - MartinCleaver
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback