<td> </td>
</tr>
<tr>
+ <td> 11118 </td>
+ <td><a href="http://develop.twiki.org/~develop/cgi-bin/view/Bugs/Item2322" rel="nofollow">Item2322</a> removed span tag around oneliner bullet output </td>
+ </tr>
+ <tr>
<td> 8788 </td>
<td><a href="http://develop.twiki.org/~develop/cgi-bin/view/Bugs/Item1465" rel="nofollow">Item1465</a> Item1577: reverted 8433 to fix inclusion of correct user templates </td>
</tr>
**_Related Topics:_** [[TWikiPreferences]], [[TWikiPlugins]]
--- TWiki:Main/CrawfordCurrie - 02:19:11 26 June 2006
+-- TWiki:Main/CrawfordCurrie - 02:16:06 25 October 2006
Short comment, signed and dated
- %TMPL:DEF{outputoneliner}%<span class="commentPlugin commentPluginOutputOneliner"> * %URLPARAM{"comment"}% -- %WIKIUSERNAME% - %SERVERTIME%</span></span><!--/commentPlugin-->%TMPL:END%
+ %TMPL:DEF{outputoneliner}% * %URLPARAM{"comment"}% -- %WIKIUSERNAME% - %SERVERTIME%%TMPL:END%
----
- #Set EDITBUTTON = Edit table
- Set EDITBUTTON = Edit this table, ![edittable.gif](http://www.dementia.org/twiki//view/edittable.gif)
-**_Note:_** The Plugin uses base settings like language and style from the [[JSCalendarContrib]]. The standard date format is '%e %B %Y' and is defined within this plugin.
+**_Note:_** The Plugin uses base settings like date format, language and style from the [[JSCalendarContrib]].
## <a name="Limitations and Known Issues"></a> Limitations and Known Issues
</table>
- The Plugin depends on the `viewauth` script to authenticate the user. As described in [[TWikiAccessControl]], copy the `view` script to `viewauth` (or better, create a symbolic link) and add `viewauth` to the list of authenticated scripts in the `.htaccess` file.
- The Mishoo DHTML calendar 0.9.5 is preinstalled and should work without any configuration. If you wish to use another language, specify the in the Plugin settings, or create a new language files, attach it to the Plugin topic, and change the Plugin settings
+- (Dakar) Visit `configure` in your TWiki installation, and enable the plugin in the \{Plugins\} section.
- Test if the Plugin is correctly installed:
- Check above example if there is an **[ Edit table ]** button below the table in above example
- Click on **[ Edit table ]**, make changes and save the table
<table border="1" cellpadding="0" cellspacing="0">
<tr>
<td align="right"> Plugin Author: </td>
- <td> TWiki:Main/PeterThoeny </td>
+ <td><a href="http://www.structuredwikis.com/" target="_top">Peter Thoeny</a></td>
+ </tr>
+ <tr>
+ <td align="right"> Copyright: </td>
+ <td> © 2002-2006, TWiki:Main.PeterThoeny </td>
+ </tr>
+ <tr>
+ <td align="right"> License: </td>
+ <td> GPL (<a href="http://www.gnu.org/copyleft/gpl.html" target="_top">GNU General Public License</a>) </td>
</tr>
<tr>
<td align="right"> Plugin Version: </td>
- <td> 9598 </td>
+ <td> 11706 </td>
</tr>
<tr>
<td align="right"> Change History: </td>
<td> </td>
</tr>
<tr>
+ <td align="right"> 12 Oct 2006: </td>
+ <td><a href="http://develop.twiki.org/~develop/cgi-bin/view/Bugs/Item2982" rel="nofollow">Item2982</a> Use default date format from [[Main/JSCalendarContrib]]</td>
+ </tr>
+ <tr>
+ <td align="right"> 02 Oct 2006: </td>
+ <td><a href="http://develop.twiki.org/~develop/cgi-bin/view/Bugs/Item2884" rel="nofollow">Item2884</a> Check also for access permission in meta data; proper fix to not warn if oneself has a lock on topic </td>
+ </tr>
+ <tr>
+ <td align="right"> 30 Aug 2006: </td>
+ <td><a href="http://develop.twiki.org/~develop/cgi-bin/view/Bugs/Item2829" rel="nofollow">Item2829</a> Remove whitespace from select, radio and checkbox items; restored topic lock if $TWiki::Plugins::VERSION < 1.1 </td>
+ </tr>
+ <tr>
+ <td align="right"> 29 Jul 2006: </td>
+ <td><a href="http://develop.twiki.org/~develop/cgi-bin/view/Bugs/Item2684" rel="nofollow">Item2684</a> - Quietly ignore topic edit locks on table edit </td>
+ </tr>
+ <tr>
<td align="right"> 21 Jan 2006: </td>
<td> TWiki:Main.CrawfordCurrie ported to TWiki-4.0.0, changed to use [[Main/JSCalendarContrib]]</td>
</tr>
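Review bot: In the 30 Aug 2006 change-history row, `$TWiki::Plugins::VERSION < 1.1` puts a bare `<` inside a table cell; write it as `&lt;` so the row stays valid HTML. That row and the 02 Oct 2006 row each join two unrelated changes with a semicolon, which makes them hard to match to Item2829 and Item2884; one change per row would read better.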
<td align="right"> Feedback: </td>
<td><a href="http://TWiki.org/cgi-bin/view/Plugins/%TOPIC%Dev" target="_top">http://TWiki.org/cgi-bin/view/Plugins/%TOPIC%Dev</a></td>
</tr>
+ <tr>
+ <td align="right"> Appraisal: </td>
+ <td><a href="http://TWiki.org/cgi-bin/view/Plugins/%TOPIC%Appraisal" target="_top">http://TWiki.org/cgi-bin/view/Plugins/%TOPIC%Appraisal</a></td>
+ </tr>
</table>
**_Related Topics:_** [[TWikiPreferences]], [[TWikiPlugins]]
--- TWiki:Main/PeterThoeny - 16 Sep 2004
+-- TWiki:Main/PeterThoeny - 02 Oct 2006
A singleton object of this class manages the access control database.
-This package has smell factor of **1**
+This package doesn't smell
## <a name="TWiki::Attach"></a> [[TWiki::Attach|Main/TWikiAttachDotPm]]
Global variables are avoided wherever possible to avoid problems with CGI accelerators such as mod\_perl.
-This package has smell factor of **30**
+This package has smell factor of **29**
## <a name="TWiki::Form"></a> [[TWiki::Form|Main/TWikiFormDotPm]]
The module also maintains a separate of the preferences found in every topic and web it reads. This supports the lookup of preferences for webs and topics that are not on the stack, and must not be chained in (you can't allow a user to override protections from their home topic!)
-This package has smell factor of **1**
+This package doesn't smell
## <a name="TWiki::Prefs::Parser"></a> [[TWiki::Prefs::Parser|Main/TWikiPrefsParserDotPm]]
UI delegate for attachment management functions
-This package has smell factor of **6**
+This package has smell factor of **3**
## <a name="TWiki::UI::View"></a> [[TWiki::UI::View|Main/TWikiUIViewDotPm]]
**All** methods in this class should be implemented by subclasses.
-This package has smell factor of **4**
+This package has smell factor of **3**
-There were a total of **227** smells
+There were a total of **220** smells
<li><a href="#Controlling access to a Web"> Controlling access to a Web</a></li>
<li><a href="#Controlling access to a Topic"> Controlling access to a Topic</a></li>
<li><a href="#Controlling access to Attachment"> Controlling access to Attachments</a></li>
- <li><a href="#How TWiki evaluates ALLOW/DENY s"> How TWiki evaluates ALLOW/DENY settings</a></li>
- </ul>
- </li>
- <li><a href="#Access Control quick recipes"> Access Control quick recipes</a><ul>
- <li><a href="#Obfuscating Webs"> Obfuscating Webs</a></li>
- <li><a href="#Authenticate all Webs and Restri"> Authenticate all Webs and Restrict Selected Webs</a></li>
- <li><a href="#Authenticate and Restrict Select"> Authenticate and Restrict Selected Webs Only</a></li>
- <li><a href="#Hide Control Settings"> Hide Control Settings</a></li>
</ul>
</li>
</ul>
The easiest way to apply the same access control rules for attachments as apply to topics is to use the Apache `mod_rewrite` module, and configure your webserver to redirect accesses to attachments to the TWiki `viewfile` script. For example,
- ScriptAlias /twiki/bin/ /filesystem/path/to/twiki/bin/
- Alias /twiki/pub/ /filesystem/path/to/twiki/pub/
-
- RewriteEngine on
- RewriteRule ^/twiki/pub/TWiki/(.*)$ /twiki/pub/TWiki/$1 [L,PT]
- RewriteRule ^/twiki/pub/([^\/]+)/([^\/]+)/([^\/]+)$ /twiki/bin/viewfile/$1/$2?filename=$3 [L,PT]
+ ScriptAlias /twiki/bin/ /filesystem/path/to/twiki/bin/
+ Alias /twiki/pub/ /filesystem/path/to/twiki/pub/
-That way all the controls that apply to the topic also apply to attachments to the topic. Other types of webserver have similar support.
+ RewriteEngine on
+ RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+TWiki/+.+
+ RewriteRule ^/+twiki/+pub/+([^/]+)/+((([^/]+)/+)+)(.+) /twiki/bin/viewfile/$1/$4?filename=$5 [L,PT]
+ </verbatim
-**_Note:_** Images embedded in topics will load much slower since each image will be delivered by the `viewfile` script.
+ That way all the controls that apply to the topic also apply to attachments to the topic. Other types of webserver have similar support.
-### <a name="How TWiki evaluates ALLOW/DENY s"></a> How TWiki evaluates ALLOW/DENY settings
+ __Note:__ Images embedded in topics will load much slower since each image will be delivered by the =viewfile= script.
-When deciding whether to grant access, TWiki evaluates the following rules in order (read from the top of the list; if the logic arrives at **PERMITTED** or **DENIED** that applies immediately and no more rules are applied). You need to read the rules bearing in mind that VIEW, CHANGE and RENAME access may be granted/denied separately.
+ ---+++ How TWiki evaluates ALLOW/DENY settings
-1. If the user is a [[super-user|Main/WebHome#SuperAdminGroup]]
- - access is **PERMITTED**.
-2. If DENYTOPIC is set to a list of wikinames
- - people in the list will be **DENIED**.
-3. If DENYTOPIC is set to _empty_ ( i.e. `Set DENYTOPIC =` )
- - access is **PERMITTED** _i.e_ no-one is denied access to this topic
-4. If ALLOWTOPIC is set
- 1. people in the list are **PERMITTED**
- 2. everyone else is **DENIED**
- - Note that this means that setting ALLOWTOPIC to empty _denies access to everyone except admins_ (unless DENYTOPIC is also set to empty, as described above)
-5. If DENYWEB is set to a list of wikiname
- - people in the list are **DENIED** access
-6. If ALLOWWEB is set to a list of wikinames
- - people in the list will be **PERMITTED**
- - everyone else will be **DENIED**
- - Note that setting ALLOWWEB to empty _denies access to everyone except admins_
-7. If you got this far, access is **PERMITTED**
+ When deciding whether to grant access, TWiki evaluates the following rules in order (read from the top of the list; if the logic arrives at *PERMITTED* or *DENIED* that applies immediately and no more rules are applied). You need to read the rules bearing in mind that VIEW, CHANGE and RENAME access may be granted/denied separately.
+ 1 If the user is a [[#SuperAdminGroup][super-user]]
+ * access is *PERMITTED*.
+ 1 If DENYTOPIC is set to a list of wikinames
+ * people in the list will be *DENIED*.
+ 1 If DENYTOPIC is set to _empty_ ( i.e. <tt>Set DENYTOPIC =</tt> )
+ * access is *PERMITTED* _i.e_ no-one is denied access to this topic
+ 1 If ALLOWTOPIC is set
+ 1 people in the list are *PERMITTED*
+ 1 everyone else is *DENIED*
+ * Note that this means that setting ALLOWTOPIC to empty _denies access to everyone except admins_ (unless DENYTOPIC is also set to empty, as described above)
+ 1 If DENYWEB is set to a list of wikiname
+ * people in the list are *DENIED* access
+ 1 If ALLOWWEB is set to a list of wikinames
+ * people in the list will be *PERMITTED*
+ * everyone else will be *DENIED*
+ * Note that setting ALLOWWEB to empty _denies access to everyone except admins_
+ 1 If you got this far, access is *PERMITTED*
-## <a name="Access Control quick recipes"></a> Access Control quick recipes
+ ---++ Access Control quick recipes
-### <a name="Obfuscating Webs"></a> Obfuscating Webs
+ ---+++ Obfuscating Webs
-Another way of hiding webs is to keep them hidden by not publishing the URL and by preventing the <code>**all webs**</code> search option from accessing obfuscated webs. Do so by enabling the <code>**NOSEARCHALL**</code> variable in [[WebPreferences]]:
+ Another way of hiding webs is to keep them hidden by not publishing the URL and by preventing the ==all webs== search option from accessing obfuscated webs. Do so by enabling the ==NOSEARCHALL== variable in %WEBPREFSTOPIC%:
+ * ==Set <nop>NOSEARCHALL = on==
-- <code>**Set NOSEARCHALL = on**</code>
+ This setup can be useful to hide a new web until content its ready for deployment, or to hide view access restricted webs.
-This setup can be useful to hide a new web until content its ready for deployment, or to hide view access restricted webs.
+ __%X% Note:__ Obfuscating a web without view access control is *very* insecure, as anyone who knows the URL can access the web.
-**_%X% Note:_** Obfuscating a web without view access control is **very** insecure, as anyone who knows the URL can access the web.
+ ---+++ Authenticate all Webs and Restrict Selected Webs
-### <a name="Authenticate all Webs and Restri"></a> Authenticate all Webs and Restrict Selected Webs
+ Use the following setup to authenticate users for topic viewing in all webs and to restrict access to selected webs. Requires TWikiUserAuthentication to be enabled.
-Use the following setup to authenticate users for topic viewing in all webs and to restrict access to selected webs. Requires [[TWikiUserAuthentication]] to be enabled.
+ 1. *Restrict* view access to selected Users and Groups. Set one or both of these variables in its %WEBPREFSTOPIC% topic:
+ * ==Set <nop>DENYWEBVIEW = < list of Users and Groups >==
+ * ==Set <nop>ALLOWWEBVIEW = < list of Users and Groups >==
+ * __Note:__ =DENYWEBVIEW= is evaluated before =ALLOWWEBVIEW=. Access is denied if the authenticated person is in the =DENYWEBVIEW= list, or not in the =ALLOWWEBVIEW= list. Access is granted in case =DENYWEBVIEW= and =ALLOWWEBVIEW= is not defined.
-1. **Restrict** view access to selected Users and Groups. Set one or both of these variables in its [[WebPreferences]] topic:
- - <code>**Set DENYWEBVIEW = < list of Users and Groups >**</code>
- - <code>**Set ALLOWWEBVIEW = < list of Users and Groups >**</code>
- - **_Note:_** `DENYWEBVIEW` is evaluated before `ALLOWWEBVIEW`. Access is denied if the authenticated person is in the `DENYWEBVIEW` list, or not in the `ALLOWWEBVIEW` list. Access is granted in case `DENYWEBVIEW` and `ALLOWWEBVIEW` is not defined.
+ ---+++ Authenticate and Restrict Selected Webs Only
-### <a name="Authenticate and Restrict Select"></a> Authenticate and Restrict Selected Webs Only
+ Use the following setup to provide unrestricted viewing access to open webs, with authentication only on selected webs. Requires TWikiUserAuthentication to be enabled.
-Use the following setup to provide unrestricted viewing access to open webs, with authentication only on selected webs. Requires [[TWikiUserAuthentication]] to be enabled.
+ 1. *Restrict* view access to selected Users and Groups. Set one or both of these variables in its %WEBPREFSTOPIC% topic:
+ * ==Set <nop>DENYWEBVIEW = < list of Users and Groups >==
+ * ==Set <nop>ALLOWWEBVIEW = < list of Users and Groups >==
+ * __Note:__ =DENYWEBVIEW= is evaluated before =ALLOWWEBVIEW=. Access is denied if the authenticated person is in the =DENYWEBVIEW= list, or not in the =ALLOWWEBVIEW= list. Access is granted in case =DENYWEBVIEW= and =ALLOWWEBVIEW= is not defined.
-1. **Restrict** view access to selected Users and Groups. Set one or both of these variables in its [[WebPreferences]] topic:
- - <code>**Set DENYWEBVIEW = < list of Users and Groups >**</code>
- - <code>**Set ALLOWWEBVIEW = < list of Users and Groups >**</code>
- - **_Note:_** `DENYWEBVIEW` is evaluated before `ALLOWWEBVIEW`. Access is denied if the authenticated person is in the `DENYWEBVIEW` list, or not in the `ALLOWWEBVIEW` list. Access is granted in case `DENYWEBVIEW` and `ALLOWWEBVIEW` is not defined.
+ ---+++ Hide Control Settings
-### <a name="Hide Control Settings"></a> Hide Control Settings
+ __%T% Tip:__ To hide access control settings from normal browser viewing, place them in HTML comment markers.
-**_%T% Tip:_** To hide access control settings from normal browser viewing, place them in HTML comment markers.
+ <blockquote>
+ ==<!--== <br />
+ == * Set <nop>DENYTOPICCHANGE = %MAINWEB%.<nop>SomeGroup== <br />
+ ==-->==
+ </blockquote>
-> <code>**<!--**</code>
->
-> <br />
->
-> <code>** \* Set DENYTOPICCHANGE = Main.SomeGroup**</code>
->
-> <br />
->
-> <code>**-->**</code>
+ %STOPINCLUDE%
-**_Related Topics:_** [[AdminDocumentationCategory]], [[TWikiUserAuthentication]], TWiki:TWiki.TWikiAccessControlSupplement
+ __Related Topics:__ AdminDocumentationCategory, TWikiUserAuthentication, TWiki:TWiki.TWikiAccessControlSupplement
--- **_Contributors:_** TWiki:Main.PeterThoeny, TWiki:Main.MikeMannix, TWiki:Main.CrawfordCurrie
+ -- __Contributors:__ TWiki:Main.PeterThoeny, TWiki:Main.MikeMannix, TWiki:Main.CrawfordCurrie
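Review bot: The added `</verbatim` line after the new RewriteRule is missing its closing `>`, so the verbatim block never ends. Every added line after it in this hunk comes out as indented raw markup (`---+++`, `==Set <nop>NOSEARCHALL = on==`, `%STOPINCLUDE%`), and the table-of-contents entries from "How TWiki evaluates ALLOW/DENY settings" onward are removed. Close the tag as `</verbatim>` and regenerate the topic. Separately, in the new RewriteRule the repeated group leaves `$4` holding only the last directory before the file name, so a path with more than two levels under `/twiki/pub/` is rewritten to `viewfile/$1/$4` with the middle components dropped. Confirm that is intended, since the access check then runs against a different topic path than the one the attachment is stored under.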
<li><a href="#ClassMethod <strong>new</strong> ()"> ClassMethod new <tt>()</tt></a></li>
<li><a href="#ObjectMethod <strong>permissionsSet</strong> ($"> ObjectMethod permissionsSet <tt>($web) -> $boolean</tt></a></li>
<li><a href="#ObjectMethod <strong>getReason</strong> () -> $"> ObjectMethod getReason <tt>() -> $string</tt></a></li>
- <li><a href="#ObjectMethod *check_AccessPermis"> ObjectMethod checkAccessPermission <tt>($action,$user,$text,$topic,$web) -> $boolean</tt></a></li>
+ <li><a href="#ObjectMethod *check_AccessPermis"> ObjectMethod checkAccessPermission <tt>($action,$user,$text,$meta,$topic,$web) -> $boolean</tt></a></li>
</ul>
</li>
</ul>
Return a string describing the reason why the last access control failure occurred.
-## <a name="ObjectMethod <strong>check_AccessPermis"></a> [[ObjectMethod]] \*checkAccessPermission `($action,$user,$text,$topic,$web) -> $boolean`
+## <a name="ObjectMethod <strong>check_AccessPermis"></a> [[ObjectMethod]] \*checkAccessPermission `($action,$user,$text,$meta,$topic,$web) -> $boolean`
Check if user is allowed to access topic
- `$action` - 'VIEW', 'CHANGE', 'CREATE', etc.
- `$user` - User object
- `$text` - If undef or '': Read '$theWebName.$theTopicName' to check permissions
+- `$meta` - If undef, but `$text` is defined, then metadata will be parsed from `$text`. If defined, then metadata embedded in `$text` will be ignored. Always ignored if `$text` is undefined. Settings in `$meta` override \* Set settings in plain text.
- `$topic` - Topic name to check, e.g. 'SomeTopic' \*undef to check web perms only)
- `$web` - Web, e.g. 'Know'
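Review bot: `$meta` is inserted in the middle of the positional list, `($action,$user,$text,$meta,$topic,$web)`, so an existing five-argument call would silently pass its topic name as `$meta` and its web as `$topic`. Since this is the permission check, either append the new parameter or list the callers that were updated along with it. The new `$meta` bullet also says it is "Always ignored if `$text` is undefined", while the `$text` bullet treats undef and '' alike; state which rule applies when `$text` is ''.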
Check access permission for a topic based on the [[TWiki.TWikiAccessControl|TWiki/TWikiAccessControl]] rules
- `$type` - Access type, e.g. `'VIEW'`, `'CHANGE'`, `'CREATE'`
-- `$wikiName` - [[WikiName]] of remote user, i.e. `"Main.PeterThoeny"`
-- `$text` - Topic text, optional. If empty, topic `$web.$topic` is consulted
+- `$wikiName` - [[WikiName]] of remote user, e.g. `"PeterThoeny"`. If `$wikiName` is '', 0 or undef then access is always **permitted**.
+- `$text` - Topic text, optional. If 'perl false' (undef, 0 or ''), topic `$web.$topic` is consulted
- `$topic` - Topic name, required, e.g. `'PrivateStuff'`
- `$web` - Web name, required, e.g. `'Sandbox'`
+A perl true result indicates that access is permitted.
+
**Since:** TWiki::Plugins::VERSION 1.000 (27 Feb 2001)
## <a name="Webs, Topics and Attachments"></a> Webs, Topics and Attachments
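Review bot: The new `$wikiName` line documents a fail-open default: an empty, 0 or undef name means access is always permitted, so a plugin that fails to resolve the current user gets a true result for any topic. If that behaviour has to stay for compatibility, the doc should tell callers to resolve the user first and to treat an unresolved user as a denial themselves. The example also changes from `"Main.PeterThoeny"` to `"PeterThoeny"`; say whether the web-qualified form is still accepted.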
<li><a href="#ObjectMethod *get_PreferencesVal"> ObjectMethod getPreferencesValue <tt>($key) -> $value</tt></a></li>
<li><a href="#ObjectMethod <strong>isFinalised</strong> ($key"> ObjectMethod isFinalised <tt>($key)</tt></a></li>
<li><a href="#ObjectMethod *get_TopicPreferenc"> ObjectMethod getTopicPreferencesValue <tt>($key,$web,$topic) -> $value</tt></a></li>
- <li><a href="#get_TextPreferencesValue( $key,"> getTextPreferencesValue( $key, $text, $web, $topic ) -> $value</a></li>
+ <li><a href="#get_TextPreferencesValue( $key,"> getTextPreferencesValue( $key, $text, $meta, $web, $topic ) -> $value</a></li>
<li><a href="#ObjectMethod *get_WebPreferences"> ObjectMethod getWebPreferencesValue <tt>($key,$web) -> $value</tt></a></li>
<li><a href="#ObjectMethod stringify() -> $tex">ObjectMethod stringify() -> $text</a></li>
</ul>
Intended for use in protections mechanisms, where the order doesn't match the prefs stack.
-## <a name="get_TextPreferencesValue( $key,"></a><a name="get_TextPreferencesValue( $key, "></a> getTextPreferencesValue( $key, $text, $web, $topic ) -> $value
+## <a name="get_TextPreferencesValue( $key,"></a><a name="get_TextPreferencesValue( $key, "></a> getTextPreferencesValue( $key, $text, $meta, $web, $topic ) -> $value
-Get a preference value from the settings in the text. The values are **not** cached.
+Get a preference value from the settings in the text (and/or optional $meta). The values read are **not** cached.
## <a name="ObjectMethod <strong>get_WebPreferences"></a> [[ObjectMethod]] \*getWebPreferencesValue `($key,$web) -> $value`
<li><a href="#ClassMethod <strong>new</strong> ($prefs,$paren"> ClassMethod new <tt>($prefs,$parent,$type,$web,$topic,$prefix)</tt></a></li>
<li><a href="#ObjectMethod <strong>finalise</strong> ($parent"> ObjectMethod finalise <tt>($parent)</tt></a></li>
<li><a href="#ObjectMethod *load_PrefsFromTopi"> ObjectMethod loadPrefsFromTopic <tt>($web,$topic,$keyPrefix)</tt></a></li>
- <li><a href="#ObjectMethod *load_PrefsFromText"> ObjectMethod loadPrefsFromText <tt>($text,$web,$topic)</tt></a></li>
+ <li><a href="#ObjectMethod *load_PrefsFromText"> ObjectMethod loadPrefsFromText <tt>($text,$meta,$web,$topic)</tt></a></li>
<li><a href="#ObjectMethod <strong>insert</strong> ($type,$ke"> ObjectMethod insert <tt>($type,$key,$val)</tt></a></li>
<li><a href="#ObjectMethod <strong>stringify</strong> ($html,"> ObjectMethod stringify <tt>($html,\%shown) -> $text</tt></a></li>
</ul>
Loads preferences from a topic. All settings loaded are prefixed with the key prefix (default '').
-## <a name="ObjectMethod <strong>load_PrefsFromText"></a> [[ObjectMethod]] \*loadPrefsFromText `($text,$web,$topic)`
+## <a name="ObjectMethod <strong>load_PrefsFromText"></a> [[ObjectMethod]] \*loadPrefsFromText `($text,$meta,$web,$topic)`
-Loads preferences from a topic. All settings loaded are prefixed with the key prefix (default '').
+Loads preferences from text and optional metadata. All settings loaded are prefixed with the key prefix (default ''). If `$meta` is defined, then metadata will be taken from that object. Otherwise, `$text` will be parsed to extract meta-data.
## <a name="ObjectMethod <strong>insert</strong> ($type,$ke"></a> [[ObjectMethod]] **insert** `($type,$key,$val)`
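Review bot: The new loadPrefsFromText description still says settings "are prefixed with the key prefix (default '')", but the signature `($text,$meta,$web,$topic)` has no key-prefix argument. That sentence looks carried over from loadPrefsFromTopic and should be dropped, or the source of the prefix named. It would also help to state here, as the checkAccessPermission doc does, whether settings in `$meta` take precedence over `* Set` lines in `$text`.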
</ul>
</li>
<li><a href="#Frustrating Robots and Spammers"> Frustrating Robots and Spammers</a></li>
- <li><a href="#New User Registration"> New User Registration </a></li>
+ <li><a href="#New User Registration"> New User Registration</a></li>
<li><a href="#E-mail addresses"> E-mail addresses</a></li>
<li><a href="#Change notification support"> Change notification support</a></li>
<li><a href="#Site Changes Summary"> Site Changes Summary</a></li>
<li><a href="#TWiki 4.0.3 Enhancements"> TWiki 4.0.3 Enhancements</a></li>
</ul>
</li>
+ <li><a href="#TWiki 4.0.4 Patch Release Detail"> TWiki 4.0.4 Patch Release Details</a><ul>
+ <li><a href="#TWiki 4.0.4 Fixes"> TWiki 4.0.4 Fixes</a></li>
+ <li><a href="#TWiki 4.0.4 Enhancements"> TWiki 4.0.4 Enhancements</a></li>
+ </ul>
+ </li>
+ <li><a href="#TWiki 4.0.5 Patch Release Detail"> TWiki 4.0.5 Patch Release Details</a><ul>
+ <li><a href="#TWiki 4.0.5 Fixes"> TWiki 4.0.5 Fixes</a></li>
+ <li><a href="#TWiki 4.0.5 Enhancements"> TWiki 4.0.5 Enhancements</a></li>
+ </ul>
+ </li>
</ul>
</div>
The evaluation of protections has been re-worked to make it more naturally understandable, and also fill a number of holes in the protection scheme, These holes meant that it was relatively easy to _deny_ access to a topic, but rather difficult to subsequently _restore_ access without either compromising other topics, or compromising old revisions.
-When deciding whether to grant access, TWiki now evaluates the following rules in order (read from the top of the list; if the logic arrives at **PERMITTED** or **DENIED** that applies immediately and no more rules are applied). You need to read the rules bearing in mind that VIEW, CHANGE and RENAME access may be granted/denied separately.
+When deciding whether to grant access, TWiki now evaluates the following rules in order (read from the top of the list; if the logic arrives at **PERMITTED** or **DENIED** that applies immediately and no more rules are applied). You need to read the rules bearing in mind that VIEW and CHANGE access may be granted/denied separately.
1. If the user is a [[super-user|Main/WebHome#SuperAdminGroup]]
- access is **PERMITTED**.
- Set DENYWEBCHANGE =
- Set ALLOWWEBCHANGE =
- This will now _deny_ change access to everyone _not_ in the list (i.e. everyone except admins)
-- Set DENYWEBRENAME =
-- Set ALLOWWEBRENAME =
- - This will now _deny_ rename access to everyone _not_ in the list (i.e. everyone except admins)
- Set ALLOWTOPICCHANGE =
- This will now _deny_ change access to everyone _not_ in the list (i.e. everyone except admins)
-- Set ALLOWTOPICRENAME = Main.TWikiAdminGroup
The standard webs shipped with this release have these settings disabled. However you are likely to have inherited the old default settings in your user webs. The easiest way to deal with this is to simply insert a # sign in these settings; for example:
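Review bot: Dropping RENAME from the rule introduction and removing the `DENYWEBRENAME`, `ALLOWWEBRENAME` and `ALLOWTOPICRENAME` examples here disagrees with the TWikiAccessControl text in the same change, which still says "VIEW, CHANGE and RENAME access may be granted/denied separately". Make the two agree. If RENAME settings are still honoured, keep the upgrade warning for them, because an empty ALLOW setting denies everyone except admins.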
</tr>
</table>
-The 4.0.1 release was built from SVN <http://svn.twiki.org:8181/svn/twiki/branches/TWikiRelease04x00> revision **8740**.
+The 4.0.1 release was built from SVN <http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x00> revision **8740**.
## <a name="TWiki 4.0.2 Patch Release Detail"></a> TWiki 4.0.2 Patch Release Details
</tr>
</table>
-The 4.0.2 release was built from SVN <http://svn.twiki.org:8181/svn/twiki/branches/TWikiRelease04x00> revision **9626**.
+The 4.0.2 release was built from SVN <http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x00> revision **9626**.
## <a name="TWiki 4.0.3 Patch Release Detail"></a> TWiki 4.0.3 Patch Release Details
</tr>
</table>
-The 4.0.3 release was built from SVN <http://svn.twiki.org:8181/svn/twiki/branches/TWikiRelease04x00> revision **10706**..
+The 4.0.3 release was built from SVN <http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x00> revision **10706**..
+
+## <a name="TWiki 4.0.4 Patch Release Detail"></a> TWiki 4.0.4 Patch Release Details
+
+The following fixes and minor enhancements have been addressed in this release:
+
+### <a name="TWiki 4.0.4 Fixes"></a> TWiki 4.0.4 Fixes
+
+<table border="1" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>[[BUGS/Item2578]]</td>
+ <td> SECURITY HOTFIX: Improved protection against attaching php scripts that can be executed afterwords by simple view </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2568]]</td>
+ <td> Fix potential script error when attachment twisty is removed </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2558]]</td>
+ <td> TWiki 4.0.3 distributed LocalSite.cfg.txt uses incorrect syntax </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2546]]</td>
+ <td> Handmade twisty buttons has underline under them </td>
+ </tr>
+</table>
+
+### <a name="TWiki 4.0.4 Enhancements"></a> TWiki 4.0.4 Enhancements
+
+No enhancements.
+
+The 4.0.4 release was built from SVN <http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x00> revision **10799**
+
+## <a name="TWiki 4.0.5 Patch Release Detail"></a> TWiki 4.0.5 Patch Release Details
+
+Note that TWiki 4.0.5 contains all fixes previously released at hotfixes 1 to 4 for TWiki 4.0.4.
+
+The following fixes have been addressed in this release:
+
+### <a name="TWiki 4.0.5 Fixes"></a> TWiki 4.0.5 Fixes
+
+<table border="1" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>[[BUGS/Item2609]]</td>
+ <td> Func.pm API function wikiToEmail has a coding error. </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2602]]</td>
+ <td> AfterEditHandler only called by preview, not save </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2595]]</td>
+ <td> Emails are not stored in user topic when TWiki setup in a corporate environment </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2573]]</td>
+ <td> %META{"formfield" name="formfieldname"}% broken (returns nothing) </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2518]]</td>
+ <td> INCLUDE from external url with filename breaks relative links of included content </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2607]]</td>
+ <td> Crash TWiki with IF variable. </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2619]]</td>
+ <td> TOC Link URI References are not Relative </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2322]]</td>
+ <td> Incomplete fix for Comment box should have ability to be disabled by skin template </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2594]]</td>
+ <td> Hierarchical webs and WEBLIST can make things excruciatingly slow </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2666]]</td>
+ <td> Javascript errors caused by twiki.js </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2669]]</td>
+ <td> Configure robustness update </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2565]]</td>
+ <td> SEARCH parameter newline not documented. </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2631]]</td>
+ <td> Reset Password does not work when $TWiki::cfg{MapUserToWikiName} = 0. </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2684]]</td>
+ <td> EditTablePlugin Don't complain on lock taken if taken by one self </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2714]]</td>
+ <td> SECURITY ISSUE! - Topics with ALLOWTOPICVIEW defined in "Edit Settings" (META) can be read by anyone with a specially crafted SEARCH. </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2758]]</td>
+ <td> Updated TWiki.TWikiVariables so that the variable precedence includes both TWiki.TWikiPreferences and Main.TWikiPreferences </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2780]]</td>
+ <td> Rename to non wikiword name gives empty message </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2806]]</td>
+ <td> Security Alert CVE-2006-4294 - viewfile doesn't follow rules for mapping attachment names </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2821]]</td>
+ <td> Potential bugs from parsing settings in topics when the following line contains white space. </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2825]]</td>
+ <td> Potential source of error related to code that checks access permissions. </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2823]]</td>
+ <td> SMTP recipient name format issue </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2829]]</td>
+ <td> EditTablePlugin select drops selected item if cell has whitespace </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2625]]</td>
+ <td> %SEARCH% does not work when non-wikiword used in topic="" parameter </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2859]]</td>
+ <td> Attachments are being named the full path name instead of the filename only </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2746]]</td>
+ <td> Disable tag parameter issue in preview </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2856]]</td>
+ <td> make TWikiForms defined in another web clickable in "changeform" </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2721]]</td>
+ <td> Newly created topics have wrong version number when using RcsLite </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2928]]</td>
+ <td> Mailto links in brackets [[Main/WebHome]] contain visible when text is upper case </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2884]]</td>
+ <td> EditTablePlugin does not honour ALLOWTOPICCHANGE (bug introduced in 4.0.4 hotfix 3) </td>
+ </tr>
+ <tr>
+ <td>[[BUGS/Item2980]]</td>
+ <td> TWiki::Func::checkAccessPermission issue with '' vs. undef </td>
+ </tr>
+</table>
+
+### <a name="TWiki 4.0.5 Enhancements"></a> TWiki 4.0.5 Enhancements
+
+No enhancements
+
+The 4.0.5 release was built from SVN <http://svn.twiki.org/svn/twiki/tags/TWikiRelease04x00x05> revision **11821**...
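Review bot: The three security entries (Item2578, Item2714, and Item2806 with CVE-2006-4294) are labelled three different ways and scattered among routine fixes in the 4.0.4 and 4.0.5 tables; give them one consistent label and group them at the top so administrators can see what an upgrade closes. Text fixes in the same tables: "afterwords" should be "afterwards" (Item2578), "released at hotfixes" should be "released as hotfixes", the Item2928 description has lost words around `[[Main/WebHome]]` ("contain visible when text is upper case"), and the "built from SVN" lines end in "..", nothing and "..." respectively.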
<li><a href="#ClassMethod <strong>new</strong> ($os,$realOS)"> ClassMethod new <tt>($os,$realOS)</tt></a></li>
<li><a href="#StaticMethod *untaintUnchecked*"> StaticMethod untaintUnchecked <tt>($string) -> $untainted</tt></a></li>
<li><a href="#StaticMethod *normalize_FileName"> StaticMethod normalizeFileName <tt>($string) -> $filename</tt></a></li>
+ <li><a href="#StaticMethod *sanitize_Attachmen"> StaticMethod sanitizeAttachmentName <tt>($fname) -> ($fileName,$origName)</tt></a></li>
<li><a href="#ObjectMethod <strong>sysCommand</strong> ($temp"> ObjectMethod sysCommand <tt>($template,@params) -> ($data,$exit)</tt></a></li>
</ul>
</li>
## <a name="StaticMethod <strong>normalize_FileName"></a> [[StaticMethod]] \*normalizeFileName `($string) -> $filename`
-STATIC Errors out if $string contains filtered characters.
+Errors out if $string contains filtered characters.
The returned string is not tainted, but it may contain shell metacharacters and even control characters.
+## <a name="StaticMethod <strong>sanitize_Attachmen"></a> [[StaticMethod]] \*sanitizeAttachmentName `($fname) -> ($fileName,$origName)`
+
+Given a file name received in a query parameter, sanitise it. Returns the sanitised name together with the basename before sanitisation.
+
+Sanitisation includes filtering illegal characters and mapping client file names to legal server names.
+
## <a name="ObjectMethod <strong>sysCommand</strong> ($temp"></a> [[ObjectMethod]] **sysCommand** `($template,@params) -> ($data,$exit)`
Invokes the program described by $template and @params, and returns the output of the program and an exit code. STDOUT is returned. STDERR is THROWN AWAY.
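Review bot: The sanitizeAttachmentName doc does not say what a caller may do with the second return value. `$origName` is the basename before sanitisation, so it still carries whatever the client sent and should not be used to build a path or passed to sysCommand; say that explicitly. Also state whether `$fileName` is returned untainted, as the normalizeFileName doc just above does for its result, and list the filtered characters or point to where they are defined so "illegal characters" can be checked.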
`upload` command handler. This method is designed to be invoked via the `TWiki::UI::run` method.
-Attach a file to a topic. CGI parameters are:
-
-<table border="1" cellpadding="0" cellspacing="0">
- <tr>
- <td><code>filename</code></td>
- <td> Name of attachment </td>
- </tr>
- <tr>
- <td><code>skin</code></td>
- <td> Skin(s) to use in presenting pages </td>
- </tr>
-</table>
+Adds the meta-data for an attachment to a toic. Does **not** upload the attachment itself, just modifies the meta-data.
## <a name="StaticMethod <strong>upload</strong> ($session)"></a> [[StaticMethod]] **upload** `($session)`
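Review bot: "toic" in the new description should be "topic", and with the CGI parameter table removed the `filename` and `skin` parameters are no longer documented in this section; keep the table or list the parameters the method reads. The preceding sentence still calls this the `upload` command handler while the new text says it does not upload the attachment, so the two need reconciling.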
<td> </td>
</tr>
</table>
+
+Does the work of uploading a file to a topic. Designed to be useable as a REST method (it will redirect to the 'view' script unless the 'noredirect' parameter is specified, in which case it will print a message to STDOUT, starting with 'OK' on success and 'ERROR' on failure.
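Review bot: The parenthesis opened at "(it will redirect to the 'view' script" is never closed; end it after "'ERROR' on failure". Since the `noredirect` response is meant for REST callers, also say what follows 'OK' or 'ERROR' in the message so a client knows how to parse it.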
You can set variables in all the following places:
-1. local site level in [[TWikiPreferences]]
-2. user level in individual user topics in Main web
-3. web level in [[WebPreferences]] of each web
-4. topic level in topics in webs
-5. plugin topics (see [[TWikiPlugins]])
-6. session variables (if sessions are enabled)
+1. local site level in [[TWiki.TWikiPreferences|TWiki/TWikiPreferences]]
+2. local site level in [[Main.TWikiPreferences|Main/TWikiPreferences]]
+3. user level in individual user topics in Main web
+4. web level in [[WebPreferences]] of each web
+5. topic level in topics in webs
+6. plugin topics (see [[TWikiPlugins]])
+7. session variables (if sessions are enabled)
Settings at higher-numbered levels override settings of the same variable at lower numbered levels, unless the variable was included in the setting of FINALPREFERENCES at a lower-numbered level, in which case it is locked at the value it has at that level.
**_Related Topics:_** [[TWikiPreferences]]
--- TWiki:Main.LynnwoodBrown - 02:19:16 26 June 2006
+-- TWiki:Main.LynnwoodBrown - 02:16:11 25 October 2006
</tr>
<tr>
<td><code>separator=", "</code></td>
- <td> Line separator between hits </td>
- <td> Newline <code>"$n"</code></td>
+ <td> Line separator <em>between</em> search hits </td>
+ <td><code>"$n"</code> (Newline) </td>
+ </tr>
+ <tr>
+ <td><code>newline="%BR%"</code></td>
+ <td> Line separator <em>within</em> a search hit. Useful if the format="" parameter contains a $pattern() that captures more than one line, i.e. contents of a textfield in a form. </td>
+ <td><code>"$n"</code> (Newline) </td>
</tr>
</table>
- Example: `%SEARCH{"wiki" web="Main" scope="topic"}%`
**_Related Topics:_** [[TWikiPreferences]], [[TWikiPlugins]]
--- TWiki:Main/CrawfordCurrie - 02:19:17 26 June 2006
+-- TWiki:Main/CrawfordCurrie - 02:16:12 25 October 2006