Feature Proposal: It would be great if users could add personal data to topics, viewable only by themselves
Motivation
I have used this wiki to work, and to store information, and I have missed the feature of adding "personalized" data, to be read only by me. One can always make information visible based on UserLogin, but that is not very "safe", especially with the raw view feature.
Description and Documentation
Create a MACRO much like STARTSECTION/ENDSECTION
%STARTENCRYPT%
information to be stored in the Topic, encrypted
%ENDENCRYPT%
Examples
If you type:
My boss is hard work person
%STARTENCRYPT{user="MyUser"}%
and a cheap bastard prick
%ENDENCRYPT%
The topic created would have the following:
My boss is hard work person
%STARTENCRYPT{user="MyUser"}%
U2FsdGVkX18UKqG9+RMYRCH+oY//WiDpLTh1ne9T3Ckhu0B9RQLlH+LtRSH1iMsi
%ENDENCRYPT%
which is the encryption of the sentence above using openssl (openssl enc -a -bf -d) with password "123". The password could be retrieved from user password.
When the topic is rendered the user would see:
My boss is hard work person and a cheap bastard prick
Whereas someone else would see (the encrypted information is hidden):
My boss is hard work person
Impact
Implementation
--
Contributors: RuiProcopio - 28 Feb 2009
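What the stored blob in the example above reveals to anyone who can read the raw topic, shown as an added example (not part of the original proposal and not Foswiki code): it parses the proposed %STARTENCRYPT% section and the salted container that `openssl enc` writes, without using any password. The function name `inspect_sections` and the result field names are assumptions made for illustration, and `-bf` is assumed to mean Blowfish in CBC mode with standard padding.

```python
import base64
import re

# Sample input: the stored topic text from the proposal's own example.
TOPIC = '''My boss is hard work person
%STARTENCRYPT{user="MyUser"}%
U2FsdGVkX18UKqG9+RMYRCH+oY//WiDpLTh1ne9T3Ckhu0B9RQLlH+LtRSH1iMsi
%ENDENCRYPT%
'''

BLOCK_RE = re.compile(
    r'%STARTENCRYPT\{user="([^"]+)"\}%\s*(.*?)\s*%ENDENCRYPT%', re.S)
MAGIC = b"Salted__"   # header written by `openssl enc` when a salt is used
BF_BLOCK = 8          # Blowfish block size in bytes


def inspect_sections(topic_text):
    """Return, per encrypted section, what a raw-view reader learns (hypothetical helper)."""
    findings = []
    for owner, blob in BLOCK_RE.findall(topic_text):
        raw = base64.b64decode("".join(blob.split()), validate=True)
        if not raw.startswith(MAGIC) or len(raw) < 16 + BF_BLOCK:
            raise ValueError("not an openssl enc salted blob")
        body = raw[16:]                      # bytes after magic (8) + salt (8)
        if len(body) % BF_BLOCK:
            raise ValueError("ciphertext is not a whole number of blocks")
        findings.append({
            "owner": owner,                  # the owner name is stored in clear
            "salt": raw[8:16].hex(),         # the salt is stored in clear
            "ciphertext_bytes": len(body),
            # Padding adds 1..8 bytes, so the plaintext length is bounded:
            "plaintext_min": len(body) - BF_BLOCK,
            "plaintext_max": len(body) - 1,
            # Layout is magic + salt + ciphertext only: no MAC or tag field,
            # so a modified blob cannot be detected from the format itself.
            "authenticated": False,
        })
    return findings


if __name__ == "__main__":
    for finding in inspect_sections(TOPIC):
        print(finding)
```
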
Discussion
mmmm, it'd also be interesting to do the same for a group..
--
SvenDowideit - 28 Feb 2009
Not that I totally disagree, in fact in the past I'd hoped for just such a feature. TWiki had a similar plugin which didn't work on 4.2.
However can you expand on your thought of the insecurity with raw view? I'd not myself seen a weakness (other than that having physical or root access to the server gives you the plain text of the topics, but that's obvious and expected). Did you mean in relation to comment tags perhaps?
For your scenario above, I put the sensitive content in another topic with restricted view/change permissions. Then Include that topic into the public one, with warn=off set. Only those with permission to see the protected topic see that included text inline, and the protected topic is safe from searches.
The encryption as I view your spec, wouldn't prevent an admin level person from decrypting the message so it provides no physical access protection. It would however seem to prevent a Wiki admin from viewing the text. That could potentially create problems for spamming, XSS, or other attacks that might render and affect some wiki users, but which were not readily noticed, or searchable by an admin.
With my end user hat on, I like encryption. With my IT Manager hat on, its use/abuse gives me pause. For that reason I'd be in favor of the text only decrypting for the person who encrypted it. Not for an entire group or list of users that could be set by the person setting the encryption. Unless the plugin also stripped or encoded any HTML/TML. My 2 cents.
--
CraigBowers - 13 Jun 2009
The main motivation I had for this was "side notes". As I said, I used Foswiki (TWiki actually) to work... used it to build some "followup tools" to follow some open issues during SW development (that's what I used to do). Many times I wanted to keep my personal notes together with the "official" ones, but without the possibility of the customer seeing them (for personal use only).
I guess your solution is very good and it would do the trick. But some kind of plugin/application should allow it to be as easy as just typing in the notes... and not create another topic, edit it, save it, change its permissions.... it should be "automatic".
Any suggestions on that?
As you may have guessed, I'm not very skilled in Foswiki.
Thanks for your comments.
--
RuiProcopio - 13 Jun 2009
That's a useful application. I can't provide you much additional help, as I'm not a developer. But you might have a browse through the extensions here and see if you can get there with an existing combination. Another approach to your example would be to try something with http://www.foswiki.org/Extensions/TopicCreatePlugin
The idea being that you'd create a new support topic that would automatically have a child private notes page created at the same time. Seeing as it would be created with a template, you could have the permissions created automatically, and the inline include in the parent topic. So once you add content to the private notes topic below, it would show up inline.
--
CraigBowers - 209 Jun 2009