This question about Installation of Foswiki, Upgrading from TWiki to Foswiki: Answered

How To Allow Topic View And Change Admin Only

Hi,

I recently migrated my TWiki site to Foswiki. So far so good.

I have some public and some secured webs.

Within the secured webs, I'd like to have some pages which can only be viewed and changed by the AdminUser.

However, the topic can still be viewed and changed by other registered users if I set the following in the topic:

Set DENYTOPICVIEW =
Set ALLOWTOPICVIEW = TWikiAdminUser, AdminUser
Set DENYTOPICCHANGE =
Set ALLOWTOPICCHANGE = TWikiAdminUser, AdminUser
Set DENYTOPICRENAME =
Set ALLOWTOPICRENAME = TWikiAdminUser, AdminUser

How comes...

Does the topic also have Meta settings? (Set from the "More Topic Actions" menu, with the "Edit topic preference settings" action?) Meta settings would override inline settings.

Also, you seem to have empty DENY rules present. In TWiki and in older versions of Foswiki, an empty DENY rule is equivalent to Allow All. This behaviour is deprecated on Foswiki. However they might be active if the setting {AccessControlACL}{EnableDeprecatedEmptyDeny} is enabled. (Default is disabled).

I'm not sure why else ACLs would not be active.

-- GeorgeClark - 21 Jun 2017

Hi George,

thanks for your answer.

I saw the following meta settings:
  • #Local PERMSET_VIEW_DETAILS = AdminUser
  • #Local PERMSET_CHANGE_DETAILS = AdminUser
  • #Set ALLOWTOPICVIEW = AdminUser
  • #Set ALLOWTOPICCHANGE = AdminUser
  • #Local PERMSET_VIEW = details
  • #Local PERMSET_CHANGE = details

But even after I deleted them, I was still able to view/edit the topic.

Since I never tried this on TWiki, I tried it there as well with the same effect.

However, I then took a look at the AdminGroup. If I remove "myself" from the AdminGroup, the topic disappears. If i try to access it, I have to be the admin user to view/change it.

I'd suppose that if I limit the allowtopic... settings to AdminUser, that I would not be able to view/change/rename the topic with another account that is member of the AdminGroup, but apparently I'm wrong.

Or is there something else I'm not seeing clear?

-- StijnBousard - 21 Jun 2017

Ah... ACLs are not enforced for the AdminUser (which can actually be completely disabled in Foswiki 2.x,) and the AdminGroup. So if a user is a member of the AdminGroup then they are allowed blanket access. I thought that TWiki worked the same way. AdminGroup has site-wide Admin rights. At least it did back when we forked Foswiki.

So with AdminGroup being site-wide. One option is to allow specific users to join/leave the AdminGroup on demand. That's the way we handle Foswiki.org.

  • Edit the AdminGroup topic, and make sure that any user in the AdminGroup is also listed in the ALLOWTOPICCHANGE permissions for the AdminGroup.
  • Add %INCLUDE{"System.AdminToggle"}% to the userLeftBar

With it set up this way, you can join/leave the AdminGroup on demand. That way you'll operate with 'normal user' permissions and only join the AdminGroup when you need to do admin things.

-- GeorgeClark - 22 Jun 2017

Works great. Nice feature, the AdminToggle. Thanks!

-- StijnBousard - 27 Jul 2017
 

QuestionForm edit

Subject Installation of Foswiki, Upgrading from TWiki to Foswiki
Extension
Version
Status Answered
Related Topics
Topic revision: r7 - 27 Jul 2017, StijnBousard - This page was cached on 15 Jan 2018 - 14:10.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License