Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Line: 112 to 112 | ||||||||
| ||||||||
Changed: | ||||||||
< < | Restricting Web Access | |||||||
> > | Restricting Read Access | |||||||
Changed: | ||||||||
< < | You can prevent selected Users and Groups from accessing certain webs, by hiding them using restricting read access, or by requiring login. There are two basic methods, one simple, using standard preferences variables to hide a web, but offering low security, and a secure log-in approach that is currently a workaround, involving some minor script and filesystem modification. | |||||||
> > | You can define who is allowed to see a web. | |||||||
Changed: | ||||||||
< < | Create Hidden Webs | |||||||
> > | Deny Viewing by Topic | |||||||
Changed: | ||||||||
< < | You can prevent selected Users and Groups from viewing certain TWiki webs by setting one or both of these variables in each web's WebPreferences topic: | |||||||
> > | Technically it is possible to restrict read access to an individual topic based on DENYTOPICVIEW / ALLOWTOPICVIEW preferences variables, provided that the view script is authenticated. However this setup is not recommended since all content is searchable within a web - a search will turn up view restricted topics.
Deny Viewing by WebYou can define restrictions of who is allowed to view a TWiki web. You can restrict access to certain webs to selected Users and Groups, by:
Obfuscate WebsThe idea is to keep a web hidden by not publishing its URL and by preventing theall webs search option from accessing obfuscated webs. Do so by enabling the NOSEARCHALL variable in WebPreferences:
Authenticate all Webs and Restrict Selected WebsUse the following setup to authenticate users for topic viewing in all webs and to restrict access to selected webs:
| |||||||
| ||||||||
Changed: | ||||||||
< < |
If keeping a hidden web out of general use is a consideration, you can prevent the all webs search option from accessing hidden webs, by enabling the NOSEARCHALL variable in WebPreferences: | |||||||
> > |
| |||||||
| ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
Changed: | ||||||||
< < | Hiding webs is not very secure, as there is a way to circumvent the read access restriction. It can be useful in certain situations - for example, to simplify site organization and clutter, by hiding low traffic webs - but is not recommended for securing sensitive content. (See the next section for a more secure approach.) | |||||||
> > | This method only works if the view script is authenticated, which means that all Users have to login, even for read-only access. (An open guest account, like TWikiGuest, can get around this, allowing anyone to login to a common account with, for example, view-only access for public webs.) TWikiInstallationGuide has more on Basic Authentication, using the .htaccess file. | |||||||
Changed: | ||||||||
< < | Create Authenticated Access By Web | |||||||
> > | Authenticate and Restricting Selected Webs Only | |||||||
Use the following setup to provide unrestricted viewing access to open webs, with authentication only on selected webs: | ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
| ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
view script to the viewauth script once (this happens only if the user has never edited a topic). Doing so will ask for authentication. The viewauth script shows the requested topic if the user could log on and if the user is authorized to see that web.
Authenticating webs is not very secure, as there is a way to circumvent the read access restriction. It can be useful in certain situations - for example, to simplify site organization and clutter, by hiding low traffic webs - but is not recommended for securing sensitive content. | |||||||
Deleted: | ||||||||
< < |
| |||||||
Hiding Control Settings |