You are here: Foswiki>Tasks Web>Item10241 (07 Mar 2012, GeorgeClark)Edit Attach

Item10241: No permission to view WebLeftBar, WebTopBarExample when blocking System web to group

pencil
Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component:
Branches:
Reported By: WryFi
Waiting For: Main.WryFi
Last Change By: GeorgeClark
On occasion, I and my users will go to our wiki url, and find that the page contents are displayed correctly, but that we lack permission to view Main.WebLeftBar and Foswiki.WebTopBarExample ('Foswiki' is my renamed %SYSTEMWEB%).

See screenshot: http://img38.imageshack.us/f/nopermission.png/

This seems, anecdotally, to happen most often after a user has closed his browser (without logging out), and then returns to the site many hours (a day?) later. The problem is resolved by manually entering a logout URL, or clearing the browser cache and cookies. This has happened in Firefox 3.6 and Chrome, but likely affects other browsers, too.

All of my webs, including Main and Foswiki ( %SYSTEMWEB%), are protected as follows:

  • Set ALLOWWEBCHANGE = Admin
  • Set ALLOWWEBRENAME = Admin
  • Set ALLOWWEBVIEW = Staff

These are flat groups, which come from my ldap server via the LdapContrib extension.

-- WryFi - 11 Jan 2011

I have all webs incl System web blocked for access at our production site at the office and I have never seen this.

So either there is a specific place where the renaming of System web suddenly causes trouble OR it is the special LDAP setup that does not correctly see the people in Staff.

If I were you I would not set an ALLOWWEBVIEW on the System (Foswiki in your case) web. I would either keep it open OR set a DENYWEBVIEW = WikiGuest.

There is no security reason at all to hide the System web unless you start putting confidencial stuff in it. The design of Foswiki assumes anyone can see the System web.

Anyone can go on the Internet and find ANY Foswiki incl foswiki.org and read the content of System web. There is no sain reason to hide it from view.

If a user in any situation is not member of the staff group you have this problem. But it is a bit self inflicted. I am downgrading this to normal and asking for more feedback on when this is happening.

There has been some bugs related to groups that will be fixed in 1.1.3. I cannot say if this improved this one. But urgent it is not. It is not at all a good idea to limit view access to System web to a group.

-- KennethLavrsen - 26 Jan 2011

I'll try setting DENYWEBVIEW=WikiGuest and see if that fixes it. While I agree that there is nothing particularly sensitive or important in the system web, it is a customer facing portal for us and it is hard to explain to customers why this part of it is public.

Moreover, I don't really want to waste my bandwidth on providing documentation to random people. wink

Thanks!

-- WryFi - 08 Feb 2011

It sounds as though there is some disconnect between the Foswiki sessions, their expiration and the browser cache, etc. You mention LDAP, how are you actually handling Login? Through apache, or through Template login, or ?? What are some of your Cookie and session parameters set to:?

  • {Sessions}{ExpireAfter}
  • {Sessions}{ExpireCookiesAfter}
  • {Sessions}{IDsInURLs}
  • {Sessions}{UseIPMatching}
  • {Sessions}{MapIP2SID}

-- GeorgeClark - 21 Mar 2011

No feedback in nearly a year. Please re-open if this is still an issue. Setting to No Action

-- GeorgeClark - 07 Mar 2012
 

ItemTemplate edit

Summary No permission to view WebLeftBar, WebTopBarExample when blocking System web to group
ReportedBy WryFi
Codebase 1.1.2
SVN Range
AppliesTo Engine
Component
Priority Normal
CurrentState No Action Required
WaitingFor WryFi
Checkins
TargetRelease n/a
ReleasedIn n/a
CheckinsOnBranches
trunkCheckins
Release01x01Checkins
Topic revision: r5 - 07 Mar 2012, GeorgeClark - This page was cached on 15 May 2020 - 12:50.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy