Restricting TWiki Access Using Capabilities
Background
wiki.inf.ed.ac.uk is now accessible by iFriends, and so the trick of restricting access to only DICE users by setting DENYWEBVIEW (or DENYTOPICVIEW) to TWikiGuest won't work.
One option was to automatically populate something like DICEUsersGroup and then restrict viewing to that group, but that was going to be unwieldy. Instead we've tweaked TWiki/Access.pm to consult our roles and capabilities that we already populate with various classes of users.
For example, all DICE users have the person role, and this gives people the web/wiki/dice capability. Users classed as staff in the database have the staff role, and this gives those people the web/wiki/staff capability.
Unfortunately there are no user-friendly tools to let you interrogate the roles and capabilities. You can interrogate them via ldapsearch though, e.g. to list all capabilities:
ldapsearch -LLL -b ou=Capabilities,dc=inf,dc=ed,dc=ac,dc=uk cn
How to use capabilities
Assuming you are familiar with the concepts of TWikiAccessControl, it is simply a matter of using a WikiWord like WebWikiStaffCapability where you'd normally use a User or Group, to represent users with the capability web/wiki/staff. The case changes in the WikiWord represent where the forward slashes (/) go.
Note that because the WikiWord name-space is smaller than the capability name-space (hyphens (-) and underscores (_) are not allowed in WikiWords), not all capabilities can be accessed via this mechanism; e.g. nagios/mp-unit can't be expressed as a WikiWord.
So some examples:
Restricting web-level editing to those users with the web/wiki/staff capability (i.e. staff):
- Define the ALLOWWEBCHANGE variable in the WebPreferences topic, e.g.:
- Set ALLOWWEBCHANGE = WebWikiStaffCapability
Restricting editing of a particular topic to all DICE users and one named iFriend user:
- Define the ALLOWTOPICCHANGE variable in the topic you want to restrict:
- Set ALLOWTOPICCHANGE = WebWikiDiceCapability, Main.NeilBrownFriend
Restricting viewing of a topic to sysmans users:
- Define the ALLOWTOPICVIEW variable in the topic you want to restrict:
- Set ALLOWTOPICVIEW = SysmansCapability
Note that in this case, searches will still reveal some content.
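As an added illustration (not code from this page or from the Access.pm tweak), here is a small Python model of the WikiWord/capability mapping described above and of evaluating an ALLOW* setting against a user; the capability sets and the NeilBrownFriend wiki name used below are constructed sample data, and the "Main." prefix handling is an assumption.

```python
import re

# Convention from the page: "WebWikiStaffCapability" stands for the
# capability "web/wiki/staff"; each case change marks a "/".
SUFFIX = "Capability"
_SEGMENT = re.compile(r"[A-Z][a-z0-9]*")      # one WikiWord segment
_CAP_PART = re.compile(r"[a-z][a-z0-9]*")     # one expressible capability part


def capability_to_wikiword(capability):
    """Return the WikiWord for a capability, or None when it cannot be
    expressed (parts containing '-' or '_', e.g. nagios/mp-unit)."""
    parts = capability.split("/")
    if not all(_CAP_PART.fullmatch(p) for p in parts):
        return None
    return "".join(p.capitalize() for p in parts) + SUFFIX


def wikiword_to_capability(word):
    """Inverse mapping; None when the word is not a *Capability WikiWord."""
    if not word.endswith(SUFFIX) or len(word) == len(SUFFIX):
        return None
    body = word[: -len(SUFFIX)]
    segments = _SEGMENT.findall(body)
    if "".join(segments) != body:   # must be purely case-delimited segments
        return None
    return "/".join(s.lower() for s in segments)


def is_allowed(setting, wiki_name, capabilities):
    """Simplified model of an ALLOW* line such as
    'WebWikiDiceCapability, Main.NeilBrownFriend': a user passes if any entry
    is a capability they hold or is their own wiki name (web prefix optional).
    Group membership, which real TWiki also checks, is not modelled here."""
    for entry in (e.strip() for e in setting.split(",")):
        if not entry:
            continue
        name = entry.split(".")[-1]        # assumed: strip an optional "Main."
        cap = wikiword_to_capability(name)
        if cap is not None:
            if cap in capabilities:
                return True
        elif name == wiki_name:
            return True
    return False
```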
-- NeilBrown - 09 Mar 2009