Difference: TWikiAccessControl (10 vs. 11)

TWiki Access Control

TWiki allows you to define restrictions of who is allowed to view a TWiki web, make changes to topics or attach files.

• ALLOWTOPICCHANGE defines who is allowed to change the group topic; it is a comma delimited list of users and groups. You typically want to restrict that to the members of the group itself, so it should contain the name of the topic, i.e.
      * Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup
  for the TWikiAdminGroup topic. (This is to prevent users not in the group from editing the topic and gaining unauthorized membership to the group.)

• DENYTOPICCHANGE (in topic) overrides DENYWEBCHANGE (in WebPreferences)
• ALLOWTOPICCHANGE (in topic) overrides ALLOWWEBCHANGE (in WebPreferences)

• DENYTOPICRENAME (in topic) overrides DENYWEBRENAME (in WebPreferences)
• ALLOWTOPICRENAME (in topic) overrides ALLOWWEBRENAME (in WebPreferences)

• Set DENYWEBVIEW = < list of users and groups >
• Set ALLOWWEBVIEW = < list of users and groups >

• The view restriction is not suitable for very sensitive content since there is a way to circumvent the read access restriction.
• Read access restriction only works if the view script is authenticated, that means that users need to log on also just to read topics. TWiki Installation has more on basic authentication based on the .htaccess file.
• There is a workaround if you prefer to to have unrestricted access to view topics located in normal webs, and to authenticate users only for webs where view restriction is enabled:

• It is not recommended to restrict view access to individual topics since all content is searchable within a web.
• The view restriction is not suitable for very sensitive content since there is a way to circumvent the read access restriction.

UnchangeableTopicBug

• set the $superAdminGroup variable in TWiki.cfg to the name of a group of users that are always allowed to edit/view topics. E.g.:

• the default setting is not to have superusers