From: <Cra...@nt...> - 2005-11-04 12:05:27
Author: CrawfordCurrie Date: 2005-11-04 04:03:29 -0800 (Fri, 04 Nov 2005) New Revision: 7293 Modified: twiki/branches/DEVELOP/data/TWiki/TWikiAccessControl.txt twiki/branches/DEVELOP/data/TWiki/TWikiUserAuthentication.txt twiki/branches/DEVELOP/data/TWiki/TWikiVariablesNtoZ.txt twiki/branches/DEVELOP/tools/MANIFEST twiki/branches/DEVELOP/tools/build.pl Log: Item515: added auth versions of scripts to release. Plugins using these scripts in undocumented ways really needed to be recoded to be a bit smarter. Modified: twiki/branches/DEVELOP/data/TWiki/TWikiAccessControl.txt =================================================================== --- twiki/branches/DEVELOP/data/TWiki/TWikiAccessControl.txt 2005-11-04 10:58:34 UTC (rev 7292) +++ twiki/branches/DEVELOP/data/TWiki/TWikiAccessControl.txt 2005-11-04 12:03:29 UTC (rev 7293) @@ -161,7 +161,7 @@ ---+++ Authenticate all Webs and Restrict Selected Webs -Use the following setup to authenticate users for topic viewing in all webs and to restrict access to selected webs: +Use the following setup to authenticate users for topic viewing in all webs and to restrict access to selected webs. Requires TWikiUserAuthentication to be enabled. 1. *Restrict* view access to selected Users and Groups. Set one or both of these variables in its %WEBPREFSTOPIC% topic: * ==Set <nop>DENYWEBVIEW = < list of Users and Groups >== 
@@ -169,13 +169,10 @@ * __Note:__ =DENYWEBVIEW= is evaluated before =ALLOWWEBVIEW=. Access is denied if the authenticated person is in the =DENYWEBVIEW= list, or not in the =ALLOWWEBVIEW= list. Access is granted in case =DENYWEBVIEW= and =ALLOWWEBVIEW= is not defined. 1. *Hide* the web from an "all webs" search. Enable this restriction with the ==NOSEARCHALL== variable in its %WEBPREFSTOPIC% topic: * ==Set <nop>NOSEARCHALL = on== - 1. *Add* ==view== to the list of authenticated scripts in the =.htaccess= file. -%H% This method only works if the ==view== script is authenticated, which means that all Users have to login, even for read-only access. (An open guest account, like %MAINWEB%.TWikiGuest, can get around this, allowing anyone to login to a common account with, for example, view-only access for public webs.) TWikiInstallationGuide has more on Basic Authentication, using the ==.htaccess== file. - ---+++ Authenticate and Restrict Selected Webs Only -Use the following setup to provide unrestricted viewing access to open webs, with authentication only on selected webs: +Use the following setup to provide unrestricted viewing access to open webs, with authentication only on selected webs. Requires TWikiUserAuthentication to be enabled. 1. *Restrict* view access to selected Users and Groups. Set one or both of these variables in its %WEBPREFSTOPIC% topic: * ==Set <nop>DENYWEBVIEW = < list of Users and Groups >== 
@@ -183,15 +180,7 @@ * __Note:__ =DENYWEBVIEW= is evaluated before =ALLOWWEBVIEW=. Access is denied if the authenticated person is in the =DENYWEBVIEW= list, or not in the =ALLOWWEBVIEW= list. Access is granted in case =DENYWEBVIEW= and =ALLOWWEBVIEW= is not defined. 1. *Hide* the web from an "all webs" search. Enable this restriction with the ==NOSEARCHALL== variable in its %WEBPREFSTOPIC% topic: * ==Set <nop>NOSEARCHALL = on== - 1. *Enable* =={RememberUserIPAddress}== in [[%SCRIPTURL%/configure%SCRIPTSUFFIX%]] as described in TWikiUserAuthentication. <nop>%WIKITOOLNAME% will now remember the IP address of an authenticated user. - 1. *Copy* the ==view== script to ==viewauth== (or better, create a symbolic link) - 1. *Add* ==viewauth== to the list of authenticated scripts in the =.htaccess= file. The ==view== script should not be listed in the =.htaccess= file. -When a user accesses a web where you enabled view restriction, <nop>%WIKITOOLNAME% will redirect from the =view= script to the =viewauth= script once (this happens only if the user has never edited a topic). Doing so will ask for authentication. The =viewauth= script shows the requested topic if the user could log on and if the user is authorized to see that web. - -%X% *Authenticating webs is not very secure*, as there is a way to circumvent the read access restriction. It can be useful in certain situations - for example, to simplify site organization and clutter, by hiding low traffic webs - but is not recommended for securing sensitive content. - - ---+++ Hide Control Settings %T% To hide access control settings from normal browser viewing, place them in comment markers. 
@@ -205,4 +194,3 @@ %STOPINCLUDE% __Related Topics:__ AdminDocumentationCategory - Modified: twiki/branches/DEVELOP/data/TWiki/TWikiUserAuthentication.txt =================================================================== --- twiki/branches/DEVELOP/data/TWiki/TWikiUserAuthentication.txt 2005-11-04 10:58:34 UTC (rev 7292) +++ twiki/branches/DEVELOP/data/TWiki/TWikiUserAuthentication.txt 2005-11-04 12:03:29 UTC (rev 7293) @@ -145,6 +145,12 @@ * The ChangePassword form ( ==TWiki/ChangePassword== ): * The ResetPassword form ( ==TWiki/ResetPassword== ): +#IndividualScripts +---++ Controlling access to individual scripts +You may want to add or remove scripts from the list of scripts that require authentication. The method for doing this is different for each of Template Login and Apache Login. + * For Template Login, update the {AuthScripts} list using =configure= + * For Apache Login, add/remove the script from = +.htaccess= #HowTo ---++ How to choose an authentication method Modified: twiki/branches/DEVELOP/data/TWiki/TWikiVariablesNtoZ.txt =================================================================== --- twiki/branches/DEVELOP/data/TWiki/TWikiVariablesNtoZ.txt 2005-11-04 10:58:34 UTC (rev 7292) +++ twiki/branches/DEVELOP/data/TWiki/TWikiVariablesNtoZ.txt 2005-11-04 12:03:29 UTC (rev 7293) 
@@ -297,9 +297,9 @@ | =encode="url"= | Encode special characters for URL parameter use, like a double quote into =%22= | no encoding | | =multiple="on"= %BR% =multiple="[<nop>[$item]]"= | If set, gets all selected elements of a =<select multiple="multiple">= tag. A format can be specified, with =$item= indicating the element, e.g. =multiple="Option: $item"= | first element | | =separator=", "= | Separator between multiple selections. Only relevant if multiple is specified | ="\n"= (new line) | - * Example: =%<nop>URLPARAM{"skin"}%= returns =print= for a =.../view/%WEB%/%TOPIC%?skin=print= URL. [[%SCRIPTURL%/viewauth%SCRIPTSUFFIX%/%WEB%/%TOPIC%?skin=print#VarURLPARAM][Test this]]: %URLPARAM{"skin"}% + * Example: =%<nop>URLPARAM{"skin"}%= returns =print= for a =.../view/%WEB%/%TOPIC%?skin=print= URL. * %X% Note: When used in a template topic, this variable will be expanded when the template is used to create a new topic. See TWikiTemplates#TemplateTopicsVars for details. - * %X% Note: There is a risk that this variable could be misused for cross-scripting. + * %X% Note: There is a risk that this variable could be misused for cross-site scripting. * Related: [[#VarSEARCH][SEARCH]], FormattedSearch, [[#VarQUERYSTRING][QUERYSTRING]] #VarUSERNAME Modified: twiki/branches/DEVELOP/tools/MANIFEST =================================================================== --- twiki/branches/DEVELOP/tools/MANIFEST 2005-11-04 10:58:34 UTC (rev 7292) +++ twiki/branches/DEVELOP/tools/MANIFEST 2005-11-04 12:03:29 UTC (rev 7293) @@ -12,6 +12,7 @@ bin/passwd 0550 bin/preview 0550 bin/rdiff 0550 +bin/rdiffauth 0550 bin/register 0550 bin/rename 0550 bin/resetpasswd 0550 
@@ -23,6 +24,7 @@ bin/twiki 0550 bin/upload 0550 bin/view 0550 +bin/viewauth 0550 bin/viewfile 0550 bin/logos/favicon.ico 0660 bin/logos/info.gif 0660 Modified: twiki/branches/DEVELOP/tools/build.pl =================================================================== --- twiki/branches/DEVELOP/tools/build.pl 2005-11-04 10:58:34 UTC (rev 7292) +++ twiki/branches/DEVELOP/tools/build.pl 2005-11-04 12:03:29 UTC (rev 7293) @@ -50,6 +50,11 @@ $this->cp( $this->{basedir}.'/AUTHORS', $this->{basedir}.'/pub/Main/TWikiContributor/AUTHORS' ); + for my $script qw( view rdiff ) { + $this->cp( $this->{basedir}."/bin/$script", + $this->{basedir}."/bin/${script}auth" ); + } + print `cd ../bin ; ./view TWiki.TWikiDocumentation skin plain | ../tools/fix_local_links.pl > ../TWikiDocumentation.html 2> /dev/null`; print `cd ../bin ; ./view TWiki.TWikiHistory skin plain > ../TWikiHistory.html 2> /dev/null`; print `cd ../bin ; ./view TWiki.DakarReleaseNotes skin plain > ../DakarReleaseNotes.html 2> /dev/null`; |
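Review bot: in the second TWikiAccessControl hunk (@@ -169), removing the ".htaccess" step together with the %H% paragraph leaves the "Authenticate all Webs and Restrict Selected Webs" procedure without any instruction on how ==view== becomes an authenticated script; "Requires TWikiUserAuthentication to be enabled" is a precondition, not a replacement for that step. Add a pointer to the section this same change introduces, e.g. "Add =view= to the authenticated scripts as described in TWikiUserAuthentication#IndividualScripts", and consider keeping the dropped caveat that authenticating =view= forces every reader to log in (the %MAINWEB%.TWikiGuest remark), since that consequence still holds.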
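Review bot: in the third TWikiAccessControl hunk (@@ -183), the deleted %X% paragraph ("Authenticating webs is not very secure, as there is a way to circumvent the read access restriction ... not recommended for securing sensitive content") was the only warning in this topic that web-level authentication is not a substitute for proper access control, and neither the hunk nor the log message says the circumvention has been fixed. If the weakness still exists, keep the warning, reworded for the new setup, in "Authenticate and Restrict Selected Webs Only"; if it has been fixed, state that in the log so the removal is traceable. The removed =={RememberUserIPAddress}== and =viewauth= steps also mean the "redirect from =view= to =viewauth=" behaviour described in the deleted paragraph is now undocumented; either the behaviour changed and the text should say how it works now, or it did not and a one-line description should stay.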
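Review bot: in the TWikiUserAuthentication hunk (@@ -145), the monospace markup for the Apache Login bullet is split across two lines (" * For Apache Login, add/remove the script from =" followed by ".htaccess="), so the = delimiters will not pair up when the topic renders and ".htaccess=" starts its own line outside the bullet. Join it into one bullet: " * For Apache Login, add/remove the script from =.htaccess=". For consistency with the =={RememberUserIPAddress}== style used elsewhere in these topics, {AuthScripts} should also be marked up as =={AuthScripts}==.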
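Review bot: in the TWikiVariablesNtoZ hunk (@@ -297), the wording fix to "cross-site scripting" is correct, but the note still gives the reader no mitigation even though the table directly above documents the =encode= parameter; add a clause such as "use the =encode= parameter when a URL parameter is echoed into a page". Separately, dropping the "Test this" link removes the only live example on the page; if it was dropped only because it hard-coded =viewauth=, a =view=-based link ([[%SCRIPTURL%/view%SCRIPTSUFFIX%/%WEB%/%TOPIC%?skin=print#VarURLPARAM][Test this]]) would keep the example without forcing a login.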
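Review bot: in the first MANIFEST hunk (@@ -12), bin/rdiffauth is listed as a shipped file with mode 0550, matching its siblings, but it does not exist in the source tree; it is created only by the new copy loop in build.pl. If the MANIFEST is checked against the checkout before that loop runs, the entry (and bin/viewauth in the next hunk) will be reported missing, so verify the ordering, or mark both *auth entries in MANIFEST as build-generated so the next maintainer does not go looking for them in Subversion.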
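Review bot: in the build.pl hunk (@@ -50), "for my $script qw( view rdiff ) {" relies on qw() standing in for the loop's parentheses, a parsing quirk rather than an explicit list; write "for my $script (qw( view rdiff )) {" so the intent is clear and the code does not depend on that behaviour. Also, the loop produces plain copies, whereas the documentation this change removes recommended a symbolic link so that the auth variant cannot drift from the original script; if cp() cannot create a link, at least note in the log or release notes that viewauth and rdiffauth are generated copies that must be regenerated whenever view or rdiff changes.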