Restricting TWiki Access Using Capabilities

Background is now accessible by iFriends, and so the trick of restricting access to only DICE users by setting DENYWEBVIEW (or TOPICVIEW) to TWikiGuest won't work.

One option was to automatically populate something like DICEUsersGroup and then restrict viewing to that group, but that was going to be unwieldy. Instead we've tweaked TWiki/ to consult our roles and capabilities that we already populate with various classes of users.

For example all DICE users have the person role and this gives people the web/wiki/dice capability. Users classed as staff in the database have the staff role and this gives those people the web/wiki/staff capability.

Unfortunately there are not user-friendly tools to let you interrogate the roles and capabilities. You can interrogate them via ldapsearch though, eg to list all capabilities ldapsearch -LLL -b ou=Capabilities,dc=inf,dc=ed,dc=ac,dc=uk cn

How to use capabilities

Assuming you are familiar with the concepts of TWikiAccessControl, then it is simply a matter of using a WikiWord like WebWikiStaffCapability where you'd normally use a User or Group, to represent users with the capability Web/Wiki/Staff. The case changes in the WikiWord represent where the / (forward slashes) go.

Note that due to the WikiWord name-space being smaller than the capability name-space, ie - (hyphen) and _ (underscore) are not allowed in WikiWord's, not all capabilities can be accessed via this mechanism. eg nagios/mp-unit can't be expressed as a WikiWord.

So some examples:

Restricting web-level editing to those users with the web/wiki/staff capability (ie staff).

  • Define the ALLOWWEBCHANGE variable in the WebPreferences topic eg:
    • Set ALLOWWEBCHANGE = WebWikiStaffCapability

Restrict editing of a particular topic, to all DICE users and the named iFriend user.

  • Define the ALLOWTOPICCHANGE variable in the topic you want to restrict:
    • Set ALLOWTOPICCHANGE = WebWikiDiceCapability, Main.NeilBrownFriend

Restrict viewing of a topic, to sysmans users.

    • Set ALLOWTOPICVIEW = SysmansCapability

Note that in this case, searches will still reveal some content.

-- NeilBrown - 09 Mar 2009

Topic revision: r4 - 27 Apr 2009 - 09:47:15 - RogerBurroughes
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
This Wiki uses Cookies