Difference: TWikiAccessControl (39 vs. 40)

Revision 40 - 2012-09-11 - TWikiContributor

Line: 1 to 1
 

TWiki Access Control

Restricting read and write access to topics and webs, by Users and groups

Line: 150 to 150
  By default, TWiki does not secure file attachments. Without making the following changes to the twiki.conf file, it is possible for anyone who has access to the server to gain access to an attachment if they know the attachment's fully qualified path, even though access to the topic associated with the attachment is secured. This is because attachments are referred to directly by Apache, and are not by default delivered via TWiki scripts. This means that the above instructions for controlling to topics do not apply to attachments unless you make the changes as described below.
Changed:
<
<
An effective way to secure attachments is to apply the same access control settings to attachments as those applied to topics. This security enhancement can be accomplished by instructing the webserver via Apache's mod_rewrite module to redirect accesses to attachments via the TWiki viewfile script, which honors the TWiki access controls settings to topics.
>
>
An effective way to secure attachments is to apply the same access control settings to attachments as those applied to topics. This security enhancement can be accomplished by instructing the webserver to redirect accesses to attachments via the TWiki viewfile script, which honors the TWiki access controls settings to topics. See the notes below for implications.
  The preferred method to secure attachments is by editing the twiki.conf file to include:
Changed:
<
<
ScriptAlias /twiki/bin/ /filesystem/path/to/twiki/bin/ Alias /twiki/pub/ /filesystem/path/to/twiki/pub/

RewriteEngine on RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+(TWiki|Sandbox)/+.+ RewriteRule ^/+twiki/+pub/+(.*)$ /twiki/bin/viewfile/$1 [L,PT]

>
>
ScriptAlias /do /filesystem/path/to/twiki/bin Alias /pub/TWiki /filesystem/path/to/twiki/pub/TWiki Alias /pub/Sandbox /filesystem/path/to/twiki/pub/Sandbox ScriptAlias /pub /filesystem/path/to/twiki/bin/viewfile
 

Notes:

Changed:
<
<
>
>
 
  • You will need to restart your Apache server after this change.
  • Images embedded in topics will load slower since attached images will also be delivered by the viewfile script. The TWiki web and Sandbox web are excluded for performance reasons.
Deleted:
<
<
  • As an alternative to editing the twiki.conf file used by Apache, you can make the same change directly to the .htaccess file in the /twiki/bin directory.
 
  • The viewfile script sets the mime type based upon file name suffix. Unknown types are served as text/plain which can result in corrupt files.
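Review bot: the replacement config depends on directive order and on a changed URL layout, and the text states neither. In the new snippet the two web-specific lines `Alias /pub/TWiki ...` and `Alias /pub/Sandbox ...` must stay above the catch-all `ScriptAlias /pub /filesystem/path/to/twiki/bin/viewfile`, because mod_alias evaluates Alias/ScriptAlias entries in the same context in the order written and the first match wins; placing the catch-all first would send TWiki and Sandbox attachments through viewfile as well and silently defeat the exclusion the Notes describe. The snippet also assumes script URLs under `/do` and attachment URLs under `/pub`, rather than the `/twiki/bin/` and `/twiki/pub/` of the removed mod_rewrite version, so `{ScriptUrlPath}` and `{PubUrlPath}` in configure must be set to match or every generated link will break; say so next to the snippet. Dropping the bullet about doing the same in `.htaccess` is correct, since Alias and ScriptAlias are only permitted in server and virtual-host configuration, but the remaining note "The TWiki web and Sandbox web are excluded for performance reasons" should spell out the consequence: attachments in those two webs are served straight from disk by Apache, topic access controls never apply to them, and nothing sensitive may be attached there.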

Line: 213 to 210
 

Access Control quick recipes

Added:
>
>
 

Restrict Access to Whole TWiki Site

Changed:
<
<
For a firewalled TWiki, e.g. an intranet wiki or extranet wiki, you want to allow only invited people to access your TWiki. In this case, enable user authentication with ApacheLogin and lock down access to the whole twiki/bin and twiki/pub directories to all but valid users. In the Apache .htaccess file or the appropriate .conf file, replace the <FilesMatch "(attach|edit|... section with this:
>
>
In a firewalled TWiki, e.g. an intranet wiki or extranet wiki, you want to allow only invited people to access your TWiki. There are three options:

1. Install TWiki Behind Firewall:

The firewall takes care of giving access to TWiki to authorized people only. This is a typical setup for a company wiki. As for TWiki configuration, no special setup is needed.

2. Extranet TWiki Using Template Login:

All TWiki content (pages and attachments) need to be access controlled. The Template Login allows users to login and logout. Only logged in users can access TWiki content.

Configuration: Follow the default setup, then change these configure settings:

  • Secure attachments as documented. The TWiki:TWiki.ApacheConfigGenerator is useful to get the setting right.
  • Require authentication for all TWiki scripts except backuprestore, configure, login, logon and resetpasswd with the following configure setting:
    $TWiki::cfg{AuthScripts} = 'attach, changes, edit, manage, oops, preview, rdiff, rdiffauth, register, rename, rest, save, search, twiki_cgi, upload, statistics, view, viewauth, viewfile';
  • When you install additional plugins make sure to add scripts they might introduce also to twiki/bin also to the {AuthScripts} configure setting.
    Attention: Some scripts of additional plugins might not be aware of TWiki's template login. Test all new scripts with a non-authenticated user!

3. Extranet TWiki Using Apache Login:

All TWiki content (pages and attachments) need to be access controlled. The Apache Login does not offer a logout; typically the browser needs to be restarted to logout. Only logged in users can access TWiki content.

Configuration: Enable user authentication with ApacheLogin and lock down access to the whole twiki/bin and twiki/pub directories to all but valid users. In the Apache config file for TWiki (twiki.conf or .htaccess), replace the <FilesMatch "(attach|edit|... section with this:

 
<FilesMatch ".*">
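Review bot: in option 2 the prose and the setting disagree about what is protected, and the setting is the control. `{AuthScripts}` lists the scripts that require a login, so any script in twiki/bin that is not named there runs unauthenticated; the sentence "Require authentication for all TWiki scripts except backuprestore, configure, login, logon and resetpasswd" reads as if everything else were covered, which holds only while the bin directory contains exactly the scripts enumerated. Reword it as "only the scripts named in {AuthScripts} require a login" and keep the plugin bullet, which is the part an operator must act on. Style: that bullet has a doubled "also" ("add scripts they might introduce also to twiki/bin also to the {AuthScripts} configure setting"). Option 3 should also warn that `<FilesMatch ".*">` with `require valid-user` now covers `configure` too, which is desirable but means the rescue path for a broken auth setup is the Apache config itself, not the wiki.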
Line: 223 to 243
 
Changed:
<
<
If needed, you can further restrict access to selected webs with ALLOWWEBVIEW and other access control settings.

Note: With this configuration, someone with access to the site needs to register new users.

Authenticate all Webs and Restrict Selected Webs

>
>
Notes:
 
Changed:
<
<
Use the following setup to authenticate users for topic viewing in all webs and to restrict access to selected webs. Requires TWikiUserAuthentication to be enabled.

  1. Set require valid-user on your view script in .htaccess or the appropriate Apache .conf file. As of 4.x, this looks like: FilesMatch "(attach|edit|manage|rename|save|view|upload|mail|logon|.*auth).*" (normally view is not in that list).
  2. Restrict view access to selected Users and Groups. Set one or both of these variables in its WebPreferences topic:
    • Set DENYWEBVIEW = < list of Users and Groups >
    • Set ALLOWWEBVIEW = < list of Users and Groups >
    • Note: DENYWEBVIEW is evaluated before ALLOWWEBVIEW. Access is denied if the authenticated person is in the DENYWEBVIEW list, or not in the ALLOWWEBVIEW list. Access is granted if DENYWEBVIEW and ALLOWWEBVIEW are not defined.
  3. If you still want public users to be able to register automatically follow TWiki:TWiki.RegisterOnViewRestrictedSite.
>
>
  • In all three options, content can be restricted selectively with ALLOWWEBVIEW and other access control settings documented above. See also the next quick recipe.
  • In the extranet setup, someone with access to the site needs to register new users. If you still want public users to be able to register automatically follow TWiki:TWiki.RegisterOnViewRestrictedSite.
 

Authenticate and Restrict Selected Webs Only
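Review bot: the new first bullet claims content "can be restricted selectively with ALLOWWEBVIEW and other access control settings" in all three options, but the removed text carried the precondition "Requires TWikiUserAuthentication to be enabled", and option 1 (firewall only, "no special setup is needed") performs no login at all, so every visitor is the same anonymous user and a per-user or per-group ALLOWWEBVIEW or DENYWEBVIEW cannot tell them apart. Restore the precondition or limit the bullet to options 2 and 3. The removed step 2 also stated the evaluation rule ("DENYWEBVIEW is evaluated before ALLOWWEBVIEW ... Access is granted if DENYWEBVIEW and ALLOWWEBVIEW are not defined"), and the replacement only points to settings "documented above"; confirm the section above still states both the precedence and the open-by-default behaviour before merging, since that rule decides who can read a restricted web.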

 
Note: Please contribute updates to this topic on TWiki.org at TWiki:TWiki.TWikiAccessControl.