This question about Installation of Foswiki, Upgrading from TWiki to Foswiki: Answered
How To Allow Topic View And Change Admin Only
Hi,
I recently migrated my TWiki site to Foswiki. So far so good.
I have some public and some secured webs.
Within the secured webs, I'd like to have some pages which can only be viewed and changed by the
AdminUser.
However, the topic can still be viewed and changed by other registered users if I set the following in the topic:
Set DENYTOPICVIEW =
Set ALLOWTOPICVIEW = TWikiAdminUser, AdminUser
Set DENYTOPICCHANGE =
Set ALLOWTOPICCHANGE = TWikiAdminUser, AdminUser
Set DENYTOPICRENAME =
Set ALLOWTOPICRENAME = TWikiAdminUser, AdminUser
How comes...
Does the topic also have Meta settings? (Set from the "More Topic Actions" menu, with the "Edit topic preference settings" action?) Meta settings would override inline settings.
Also, you seem to have empty DENY rules present. In TWiki and in older versions of Foswiki, an empty DENY rule is equivalent to Allow All. This behaviour is deprecated on Foswiki. However they might be active if the setting
{AccessControlACL}{EnableDeprecatedEmptyDeny}
is enabled. (Default is disabled).
I'm not sure why else ACLs would not be active.
--
GeorgeClark - 21 Jun 2017
Hi George,
thanks for your answer.
I saw the following meta settings:
- #Local PERMSET_VIEW_DETAILS = AdminUser
- #Local PERMSET_CHANGE_DETAILS = AdminUser
- #Set ALLOWTOPICVIEW = AdminUser
- #Set ALLOWTOPICCHANGE = AdminUser
- #Local PERMSET_VIEW = details
- #Local PERMSET_CHANGE = details
But even after I deleted them, I was still able to view/edit the topic.
Since I never tried this on TWiki, I tried it there as well with the same effect.
However, I then took a look at the
AdminGroup. If I remove "myself" from the
AdminGroup, the topic disappears. If i try to access it, I have to be the admin user to view/change it.
I'd suppose that if I limit the allowtopic... settings to
AdminUser, that I would not be able to view/change/rename the topic with another account that is member of the
AdminGroup, but apparently I'm wrong.
Or is there something else I'm not seeing clear?
--
StijnBousard - 21 Jun 2017
Ah... ACLs are not enforced for the
AdminUser (which can actually be completely disabled in Foswiki 2.x,) and the
AdminGroup. So if a user is a member of the
AdminGroup then they are allowed blanket access. I thought that TWiki worked the same way.
AdminGroup has site-wide Admin rights. At least it did back when we forked Foswiki.
So with
AdminGroup being site-wide. One option is to allow specific users to join/leave the
AdminGroup on demand. That's the way we handle Foswiki.org.
- Edit the AdminGroup topic, and make sure that any user in the AdminGroup is also listed in the ALLOWTOPICCHANGE permissions for the AdminGroup.
- Add
%INCLUDE{"System.AdminToggle"}%
to the userLeftBar
With it set up this way, you can join/leave the
AdminGroup on demand. That way you'll operate with 'normal user' permissions and only join the
AdminGroup when you need to do admin things.
--
GeorgeClark - 22 Jun 2017
Works great. Nice feature, the
AdminToggle. Thanks!
--
StijnBousard - 27 Jul 2017