This question about Using an extension: Answered

How does PublishPlugin handle ALLOWTOPICVIEW? (Bug?)

I'm publishing a web in which specific pages use the setting ALLOWTOPICVIEW to limit access (could be in a topic containing admin passwords).

Problem: Topics that limit access using ALLOWTOPICVIEW are published just the same as any other topic = secret content is published. Is this a bug, or a deliberate feature?

Question: How can I publish the web in such a way that access restrictions are enforced?

Suggestion: Are the access restrictions based on the specific wiki user who is doing the publish action? If so, would it be enough to create a PublishingUser for this purpose, and make sure that this user has access to exactly the intended pages? I'm hesitant to just experiment because I don't want to change too many settings in our wiki, that's why I ask here instead.


I've experimented now (despite mentioned hesitations) and come to this conclusion:

The access rights of the current user are inherited by the PublishPlugin, meaning that the permissions of the current user determine what pages get published. If certain pages should not be published, then the process should be performed by a user that doesn't have access to these pages.

In my experiment, I created a new user JohannesGutenberg that had view access to the web but not to the secret pages. I also needed to Set ALLOWTOPICCHANGE on that web's PublishPluginHistory. (Note: Add that setting right at the top of the page, followed by a line with %BR%, to make sure that the setting is not lost when the plugin re-writes that page.)

The secret pages are simply missing in the published pages (you get HTTP Error 404 when you click a link to such a page).

If you have more complex access permissions that are mutually exclusive or overlapping, then you might need to use specific DENY/ALLOWTOPICVIEW settings in each relevant page.

-- TorbenGB - 29 Apr 2010
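A post-publish check for the setup described above, as an added example that is not part of the original post or of PublishPlugin: it lists topics that carry an ALLOWTOPICVIEW or DENYTOPICVIEW setting and still have a page in the published output. It assumes topics are stored as `<Topic>.txt` in the web's data directory and published as `<Topic>.html`; the `Sandbox` web, the topic names and both directories are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Inline preference: "   * Set ALLOWTOPICVIEW = Main.AdminGroup"
INLINE = re.compile(
    r"^(?:\t| {3})+\*[ \t]+Set[ \t]+(ALLOW|DENY)TOPICVIEW[ \t]*=[ \t]*(.*)$", re.M)
# Preference stored as topic meta-data instead of in the topic text
META = re.compile(
    r'^%META:PREFERENCE\{[^}]*name="(ALLOW|DENY)TOPICVIEW"[^}]*value="([^"]*)"', re.M)


def restricted_topics(web_dir):
    """Map topic name -> [(setting, value)] for topics carrying a VIEW setting."""
    found = {}
    for txt in sorted(Path(web_dir).glob("*.txt")):
        text = txt.read_text(encoding="utf-8", errors="replace")
        hits = [(kind + "TOPICVIEW", value.strip())
                for kind, value in INLINE.findall(text) + META.findall(text)]
        if hits:
            found[txt.stem] = hits
    return found


def leaked(web_dir, publish_dir):
    """Restricted topics that still have a <Topic>.html in the published output."""
    out = Path(publish_dir)
    return {topic: hits for topic, hits in restricted_topics(web_dir).items()
            if (out / (topic + ".html")).is_file()}


def demo():
    """Run the audit over a constructed web and a constructed publish directory."""
    with tempfile.TemporaryDirectory() as tmp:
        web, out = Path(tmp, "data", "Sandbox"), Path(tmp, "publish")
        web.mkdir(parents=True)
        out.mkdir()
        (web / "WebHome.txt").write_text("Welcome\n")
        (web / "AdminPasswords.txt").write_text(
            "   * Set ALLOWTOPICVIEW = Main.AdminGroup\n%BR%\nsecret\n")
        (web / "BuildSecrets.txt").write_text(
            '%META:PREFERENCE{name="DENYTOPICVIEW" title="DENYTOPICVIEW" '
            'type="Set" value="Main.WikiGuest"}%\n')
        # Constructed publish result: AdminPasswords slipped through.
        for name in ("WebHome", "AdminPasswords"):
            (out / (name + ".html")).write_text("<html></html>")
        return restricted_topics(web), leaked(web, out)


if __name__ == "__main__":
    restricted, exposed = demo()
    print("restricted:", sorted(restricted), "published anyway:", sorted(exposed))
```

The check only looks at topic-level VIEW settings; restrictions set for a whole web are outside what it reports.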

QuestionForm

Subject Using an extension
Extension PublishPlugin
Version Foswiki 1.0.9
Status Answered
Topic revision: r2 - 29 Apr 2010, TorbenGB
