From: <de...@de...> - 2017-01-25 03:29:43
Author: HideyoImazu Date: 2017-01-25 03:28:55 +0000 (Wed, 25 Jan 2017) New Revision: 30298 Trac url: http://develop.twiki.org/trac/changeset/30298 Modified: twiki/trunk/core/data/TWiki/AllowWebCreateByUserMappingManager.txt twiki/trunk/core/data/TWiki/LargeSite.txt twiki/trunk/core/data/TWiki/TWikiAccessControl.txt twiki/trunk/core/data/TWiki/UserSubwebs.txt twiki/trunk/core/lib/TWiki/UI/Manage.pm twiki/trunk/core/lib/TWiki/Users.pm Log: Item7768: TWiki::Users::canRenameWeb() for symmetry with TWiki::Users::canCreateWeb() Modified: twiki/trunk/core/data/TWiki/AllowWebCreateByUserMappingManager.txt =================================================================== --- twiki/trunk/core/data/TWiki/AllowWebCreateByUserMappingManager.txt 2017-01-13 00:51:51 UTC (rev 30297) +++ twiki/trunk/core/data/TWiki/AllowWebCreateByUserMappingManager.txt 2017-01-25 03:28:55 UTC (rev 30298) 
@@ -1,44 +1,29 @@ -%META:TOPICINFO{author="TWikiContributor" date="1350633267" format="1.1" version="$Rev$"}% ----+!! Allowing Web Creation by the User Mapping Manager +%META:TOPICINFO{author="TWikiContributor" date="1485159724" format="1.1" version="$Rev$"}% +---+!! Allowing Web Creation, Deletion, & Rename by the User Mapping Manager ---++ Motivation -There are cases where DENYROOTCHANGE, ALLOWROOTCHANGE, DENYWEBCHANGE, and ALLOWWEBCHANGE are not capable enough to implement web creation permission you want. -For example, you may want to allow a user to create a certain subweb of the web Foo while you don't want to allow to create topics on the web Foo. -To cope with such cases, a method in the user mapping manager is called to check the web creation is allowed before checking the access control variables. +There are cases where DENYROOTCHANGE, ALLOWROOTCHANGE, DENYWEBCHANGE, and ALLOWWEBCHANGE are not capable enough to implement web creation/deletion/rename permission you want. +Here are some of those situations. ----+++ A large TWiki site in a large organization employing UserSubwebs +---+++ Making top level web creation and deletion self-service -Let's assume: - * It's about a large organization having 50,000 users in its LDAP. User IDs, real names, email addresses, etc. are in the LDAP - * It has an intranet single sign-on mechanism leveraging the LDAP data - * Everybody in the organization may edit topics on a TWiki site having 5,000 webs - * The TWiki site authenticate users with the intranet single sign-on mechanism - * UserSubwebs is in use -Implication: - * Requiring user registration on the TWiki site for editing doesn't make a lot of sense. Because all user account data is already in LDAP, which is supposed to be referred to if needed. - * Users need to be forbidden to create topics on the Main web. Otherwise, it accumulates a lot of clutters in the long run. 
- * Users need to be able to create/delete their personal web on their own - * *Here needs the capability* +Usually, to create and delete a top level web, you need to be allowed by ALLOWROOTCHANGE and DENYROOTCHANGE. +On a large TWiki site, it's desirable to make top level web creation and deletion self-service. ----+++ UsingMultipleDisks and /pub/... rewritten to /cgi-bin/viewfiles/... +---+++ Allowing users to create and delete their own UserSubwebs -Let's assume: - * There is a TWiki site employing UsingMultipleDisks - * The HTTP server housing TWiki needs to rewrite /pub/... to /cgi-bin/viewfile/... so that all attachments are obtainable by /pub/... path without symbolic links -Implication: - * The rewriting rule doesn't rewrite /pub/TWiki/... and /pub/Public/... so that files there can be retrieved directly (=quickly) from the HTTP server without going through TWiki. - * For every top level web W, there can be Public/W subweb. The owner of the web W can create Public/W if they like. - Web owners must not be able to create topics in the Public web or a subweb different from the unrelated to web names the user owns - * *Here needs the capability* +In a large orgnization having thousands or more users, the Main web needs to restrict topic creation to prevent random topics to accumulate. +Instead, UserSubwebs are desirable for content accountability. +This means that, on the Main web, users are not allowed to create topics but are allowed to create and delete the subweb of their wiki name. ---++ How it works When a new web is created, the =canCreateWeb($cUID, $web)= method of the user mapping manager is called if the method exists. -If the method returns true, TWiki goes ahead and create the web without checking DENYROOTCHANGE and ALLOWROOTCHANGE (for a top level web) or DENYWEBCHANGE and ALLOWWEBCHANGE (of the parent of a subweb). -If the method does not exist or the method returns false, web creation is permitted as usual based on ROOTCHANGE or ALLOWWEBCHANGE. 
+If the method returns true, the web is created without checking DENYROOTCHANGE and ALLOWROOTCHANGE (for a top level web) or DENYWEBCHANGE and ALLOWWEBCHANGE (of the parent of a subweb). +If the method does not exist or the method returns false, web creation is permitted as usual based on *ROOTCHANGE or *WEBCHANGE. -Maybe needless to say, the method would be written as follows. +The method would be written as follows. <verbatim> sub canCreateWeb { my( $this, $cUID, $web ) = @_; @@ -46,4 +31,9 @@ } </verbatim> -__Related Topics:__ AdminDocumentationCategory, TWikiAccessControl, UserSubwebs +Similarly, when a web is renamed, the =canRenameWeb($cUID, $oldWeb, $newWeb)= method of the user mapping manager is called if the method exist. +If it returns true, permission check on the parent web is omitted. +If the method does not exist or the method returns false, permission check on the parent web is conducted as usual. +Then, permission check on the rename destination takes place. + +__Related Topics:__ AdminDocumentationCategory, TWikiAccessControl, LargeSite, UserSubwebs Modified: twiki/trunk/core/data/TWiki/LargeSite.txt =================================================================== --- twiki/trunk/core/data/TWiki/LargeSite.txt 2017-01-13 00:51:51 UTC (rev 30297) +++ twiki/trunk/core/data/TWiki/LargeSite.txt 2017-01-25 03:28:55 UTC (rev 30298) @@ -1,4 +1,4 @@ -%META:TOPICINFO{author="TWikiContributor" date="1424854881" format="1.1" version="$Rev$"}% +%META:TOPICINFO{author="TWikiContributor" date="1485159244" format="1.1" version="$Rev$"}% ---+!! Managing a Large Site There is no limitation with the number of webs and users a TWiki site can have. 
@@ -39,10 +39,10 @@ To minimize TWiki admins intervention, you can make webs autonomous following the instruction on AutonomousWebs. This does not decrease the number of questions from web owners, but TWiki admins can hand off web administrative responsibility to the web owner that way. ----+++ Self-service web creation +---+++ Self-service web creation/deletion/rename -Usually, only Main.TWikiAdminGroup members can create new webs, which may generate a good amount of TWiki admin work. -By properly implementing =canCreateWeb()= of the user mapping handler your TWiki installation use, you can make web creation self-service. +Usually, only Main.TWikiAdminGroup members can create/delete/rename top level webs, which may generate a good amount of TWiki admin work. +By properly implementing =canCreateWeb($cUID, $web)= and =canRenameWeb($cUID, $oldWeb, $newWeb)= of the user mapping handler your TWiki installation use, you can make top level web creation/deletion/rename self-service. Assuming your TWiki configuration requires web metadata when a new web is created, if you make web creation self-service, you need to make it possible to create metadata of a new web in MetadataRepository. Modified: twiki/trunk/core/data/TWiki/TWikiAccessControl.txt =================================================================== --- twiki/trunk/core/data/TWiki/TWikiAccessControl.txt 2017-01-13 00:51:51 UTC (rev 30297) +++ twiki/trunk/core/data/TWiki/TWikiAccessControl.txt 2017-01-25 03:28:55 UTC (rev 30298) 
@@ -223,11 +223,12 @@ * everyone else will be *DENIED* 1 If you got this far, access is *PERMITTED* ----+++ Allowing web creation by user mapping manager +---+++ Allowing web creation/deletion/rename by user mapping manager -There are cases where DENYROOTCHANGE, ALLOWROOTCHANGE, DENYWEBCHANGE, and ALLOWWEBCHANGE, and DENYWEBCHANGE are not capable enough to implement web creation permission you want. -To cope with such cases, when a new web is created, the =canCreateWeb($cUID, $web)= method of the user mapping manager is called if the method exists. +There are cases where DENYROOTCHANGE, ALLOWROOTCHANGE, DENYWEBCHANGE, and ALLOWWEBCHANGE, and DENYWEBCHANGE are not capable enough to implement web creation and rename permissions you want. +To cope with such cases, when a new web is created, the =canCreateWeb($cUID, $web)= method of the user mapping manager is called if it exists. If it returns true, TWiki goes ahead and create the web without checking access control variables. +Similarly, when a web is renamed (deletion is a form of rename), the =canRenameWeb($cUID, $oldWeb, $newWeb)= method of the user mapping manager is called if it exists. Please read AllowWebCreateByUserMappingManager for more details. ---++ Forbid certain users to do certain actions by configuration Modified: twiki/trunk/core/data/TWiki/UserSubwebs.txt =================================================================== --- twiki/trunk/core/data/TWiki/UserSubwebs.txt 2017-01-13 00:51:51 UTC (rev 30297) +++ twiki/trunk/core/data/TWiki/UserSubwebs.txt 2017-01-25 03:28:55 UTC (rev 30298) 
@@ -1,4 +1,4 @@ -%META:TOPICINFO{author="TWikiContributor" date="1424756282" format="1.1" version="$Rev$"}% +%META:TOPICINFO{author="TWikiContributor" date="1485158914" format="1.1" version="$Rev$"}% ---+!! User Subwebs TWiki provides each user with their own topic having their information and configuration. You may want to provide each user with a subweb Main/FirstLast having a topic having the user's information and configuration. @@ -46,10 +46,12 @@ You can specify the topic name containing user preferences by =$TWiki::cfg{UserSubwebs}{UserPrefsTopicName}=, which is !WebHome by default. ----+++ Customize web creation permission -If all of the following are true, you need to have an appropriate canCreateWeb object method in the user mapping manager class. +---+++ Customize web creation/deletion/rename permission +If all of the following are true, you need to have an appropriate =canCreateWeb($cUID, $web)= object method in the user mapping manager class. * Your TWiki doesn't have user registration * You lock down the %USERSWEB% web for tidyness * You want to have users create their subwebs on their own +At the same time, you should have an appropriate =canRenameWeb($cUID, $oldWeb, $newWeb)= object method in the user mapping manager class to have users delete/rename their subwebs on their own. + __Related Topics:__ AdminDocumentationCategory, SubwebAndTopicNames, AllowWebCreateByUserMappingManager, LargeSite Modified: twiki/trunk/core/lib/TWiki/UI/Manage.pm =================================================================== --- twiki/trunk/core/lib/TWiki/UI/Manage.pm 2017-01-13 00:51:51 UTC (rev 30297) +++ twiki/trunk/core/lib/TWiki/UI/Manage.pm 2017-01-25 03:28:55 UTC (rev 30298) 
@@ -625,13 +625,16 @@ # If the user is not allowed to rename anything in the parent web - stop here # This also ensures we check root webs for ALLOWROOTRENAME and DENYROOTRENAME - TWiki::UI::checkAccess( $session, $oldParentWeb || undef, undef, - 'RENAME', $session->{user} ); + unless ( $session->{users}->canRenameWeb($oldWeb, $newWeb) ) { + TWiki::UI::checkAccess( $session, $oldParentWeb || undef, undef, + 'RENAME', $session->{user} ); - # If old web is a root web then also stop if ALLOW/DENYROOTCHANGE prevents access - if ( !$oldParentWeb ) { - TWiki::UI::checkAccess( $session, $oldParentWeb || undef, undef, - 'CHANGE', $session->{user} ); + # If old web is a root web then also stop if ALLOW/DENYROOTCHANGE + # prevents access + if ( !$oldParentWeb ) { + TWiki::UI::checkAccess( $session, $oldParentWeb || undef, undef, + 'CHANGE', $session->{user} ); + } } my $newTopic; Modified: twiki/trunk/core/lib/TWiki/Users.pm =================================================================== --- twiki/trunk/core/lib/TWiki/Users.pm 2017-01-13 00:51:51 UTC (rev 30297) +++ twiki/trunk/core/lib/TWiki/Users.pm 2017-01-25 03:28:55 UTC (rev 30298) @@ -1281,6 +1281,22 @@ =pod +---++ ObjectMethod canRenameWeb($oldWeb, $newWeb) -> $boolean + +=cut + +sub canRenameWeb { + my( $this, $oldWeb, $newWeb ) = @_; + my $cUID = $this->{session}{user}; + my $mapping = $this->_getMapping( $cUID ); + if ( $mapping && $mapping->can( 'canRenameWeb' ) ) { + return $mapping->canRenameWeb($cUID, $oldWeb, $newWeb); + } + return 0; +} + +=pod + ---++ ObjectMethod getAffiliation($cUID) -> $affiliation =cut |
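Review bot: In AllowWebCreateByUserMappingManager.txt the added lines carry typos: "orgnization", "if the method exist", and "to prevent random topics to accumulate" (should read "from accumulating"). The new canRenameWeb paragraph also has no sample method the way the canCreateWeb section does, and does not say what `$newWeb` is when a web is deleted. Since a true return omits the permission check on the parent web, the topic should spell out which `$oldWeb`/`$newWeb` combinations an implementation is expected to accept.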
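Review bot: In the LargeSite.txt hunk at -39, the rewritten sentence says "user mapping handler your TWiki installation use", while every other topic touched by this change calls it the "user mapping manager". Use the same term here and fix the verb ("uses"), so an admin searching for where to implement `canCreateWeb` and `canRenameWeb` lands on one name.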
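Review bot: In the TWikiAccessControl.txt hunk at -223, the rewritten first sentence still lists "DENYWEBCHANGE, and ALLOWWEBCHANGE, and DENYWEBCHANGE", so DENYWEBCHANGE appears twice, and it says "creation and rename permissions" under a heading that now reads creation/deletion/rename. The added canRenameWeb sentence also stops at "is called if it exists" without saying what a true return does; the canCreateWeb sentence before it does say so. Add the consequence (the parent web check is skipped) so a reader of the access control reference sees that this hook overrides ALLOW/DENY settings.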
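Review bot: In the Manage.pm hunk at -625, a true result from `$session->{users}->canRenameWeb($oldWeb, $newWeb)` skips both the RENAME check on the old parent web and, for a root web, the CHANGE check, but the retained comments above the `unless` still say "If the user is not allowed to rename anything in the parent web - stop here" and "This also ensures we check root webs", which no longer hold on that path. Update the comment to say the user mapping manager can waive these checks, and consider logging when the override grants access, so a rename or deletion permitted by the mapping rather than by the ALLOW/DENY settings can be told apart afterwards.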
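Review bot: The POD added for `canRenameWeb($oldWeb, $newWeb)` in the Users.pm hunk at -1281 is a signature line with no description. Because a true return makes Manage.pm skip the parent web access checks, the POD should say so, say that the method returns 0 when the mapping has no `canRenameWeb`, and note that the cUID comes from `$this->{session}{user}` rather than from an argument, which differs from the three-argument `canRenameWeb($cUID, $oldWeb, $newWeb)` that the mapping implements.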