Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
TWiki Access ControlRestricting read and write access to topics and webs, by Users and groups | ||||||||
Line: 150 to 150 | ||||||||
By default, TWiki does not secure file attachments. Without making the following changes to the twiki.conf file, it is possible for anyone who has access to the server to gain access to an attachment if they know the attachment's fully qualified path, even though access to the topic associated with the attachment is secured. This is because attachments are referred to directly by Apache, and are not by default delivered via TWiki scripts. This means that the above instructions for controlling to topics do not apply to attachments unless you make the changes as described below. | ||||||||
Changed: | ||||||||
< < | An effective way to secure attachments is to apply the same access control settings to attachments as those applied to topics. This security enhancement can be accomplished by instructing the webserver via Apache's mod_rewrite module to redirect accesses to attachments via the TWiki viewfile script, which honors the TWiki access controls settings to topics. | |||||||
> > | An effective way to secure attachments is to apply the same access control settings to attachments as those applied to topics. This security enhancement can be accomplished by instructing the webserver to redirect accesses to attachments via the TWiki viewfile script, which honors the TWiki access controls settings to topics. See the notes below for implications. | |||||||
The preferred method to secure attachments is by editing the twiki.conf file to include: | ||||||||
Changed: | ||||||||
< < | ScriptAlias /twiki/bin/ /filesystem/path/to/twiki/bin/ Alias /twiki/pub/ /filesystem/path/to/twiki/pub/ RewriteEngine on RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+(TWiki|Sandbox)/+.+ RewriteRule ^/+twiki/+pub/+(.*)$ /twiki/bin/viewfile/$1 [L,PT] | |||||||
> > | ScriptAlias /do /filesystem/path/to/twiki/bin Alias /pub/TWiki /filesystem/path/to/twiki/pub/TWiki Alias /pub/Sandbox /filesystem/path/to/twiki/pub/Sandbox ScriptAlias /pub /filesystem/path/to/twiki/bin/viewfile | |||||||
Notes: | ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
| ||||||||
Deleted: | ||||||||
< < |
| |||||||
| ||||||||
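Review bot: The replacement configuration block changes the URL prefixes from /twiki/bin/ and /twiki/pub/ to /do and /pub without saying so, while the rest of the page still talks about twiki/bin and twiki/pub. Either keep the old prefixes in the example or add a sentence stating that the script and pub URL paths configured in TWiki must match these aliases. The new form also depends on directive order: `Alias /pub/TWiki` and `Alias /pub/Sandbox` have to appear before `ScriptAlias /pub`, because mod_alias uses the first match, and that deserves a line in the notes. It is also worth stating explicitly that attachments under the TWiki and Sandbox webs are still served directly by Apache and so stay outside TWiki access control, as they did under the old RewriteCond exclusion. Finally, the intro now ends with "See the notes below for implications", so the rewritten Notes list should actually spell those implications out.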
Line: 213 to 210 | ||||||||
Access Control quick recipes | ||||||||
Added: | ||||||||
> > | ||||||||
Restrict Access to Whole TWiki Site | ||||||||
Changed: | ||||||||
< < | For a firewalled TWiki, e.g. an intranet wiki or extranet wiki, you want to allow only invited people to access your TWiki. In this case, enable user authentication with ApacheLogin and lock down access to the whole twiki/bin and twiki/pub directories to all but valid users. In the Apache .htaccess file or the appropriate .conf file, replace the <FilesMatch "(attach|edit|... section with this: | |||||||
> > | In a firewalled TWiki, e.g. an intranet wiki or extranet wiki, you want to allow only invited people to access your TWiki. There are three options:
1. Install TWiki Behind Firewall:
The firewall takes care of giving access to TWiki to authorized people only. This is a typical setup for a company wiki. As for TWiki configuration, no special setup is needed.
2. Extranet TWiki Using Template Login:
All TWiki content (pages and attachments) need to be access controlled. The Template Login allows users to login and logout. Only logged in users can access TWiki content.
Configuration: Follow the default setup, then change these configure settings:
twiki/bin and twiki/pub directories to all but valid users. In the Apache config file for TWiki (twiki.conf or .htaccess ), replace the <FilesMatch "(attach|edit|... section with this: | |||||||
<FilesMatch ".*"> | ||||||||
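Review bot: The added text announces "There are three options", but the third option has no heading as shown here: after "then change these configure settings:" in option 2 the text runs straight into "twiki/bin and twiki/pub directories to all but valid users", which is the tail of the old ApacheLogin sentence. Add the "3." heading and the start of that sentence (enable ApacheLogin and lock down access to the whole ...), and list the configure settings that option 2 promises. "All TWiki content (pages and attachments) need to be access controlled" should read "needs". Option 2 should also point to the attachment section above, since that section states attachments are served directly by Apache unless the twiki.conf change is made, so a login requirement on topics alone does not cover them.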
Line: 223 to 243 | ||||||||
Changed: | ||||||||
< < | If needed, you can further restrict access to selected webs with ALLOWWEBVIEW and other access control settings.
Note: With this configuration, someone with access to the site needs to register new users.
Authenticate all Webs and Restrict Selected Webs | |||||||
> > | Notes: | |||||||
Changed: | ||||||||
< < | Use the following setup to authenticate users for topic viewing in all webs and to restrict access to selected webs. Requires TWikiUserAuthentication to be enabled.
| |||||||
> > |
| |||||||
Authenticate and Restrict Selected Webs Only |
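Review bot: The removed lines drop the caveat "With this configuration, someone with access to the site needs to register new users" and the pointer to ALLOWWEBVIEW for further restricting selected webs, and the replacement shown is a bare "Notes:" heading. Keep both points in the new notes, since an admin who locks down all of twiki/bin and twiki/pub needs to know up front that registration has to be done by an existing user. The "Authenticate all Webs and Restrict Selected Webs" recipe and its TWikiUserAuthentication requirement are removed as well; if that recipe is gone on purpose, say where its use case is now covered.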