This question about This website: Answered

Custom Permission Settings and IF access conditions

RenderSimpleTopicCreator does start with the line:
%IF{"'%BASEWEB%.%BASETOPIC%' allows 'CREATE'" ...
Examples in System.IfStatements#Access_permissions do not show create as an option. I cannot find an exhaustive list of valid options in the documentation. The code has comments stating:

   * =$mode=  - 'VIEW', 'CHANGE', 'CREATE', etc. (defaults to VIEW)

but I cannot locate a place where these are allocated. Nor can I find an expansion on the etc...

I have created an example in BvOTestIF. It does the right thing for CHANGE. But it does not do the right thing for CREATE. What am I missing?

-- BramVanOosterhout - 30 Apr 2020

TopicTypes in WikiWorkbenchContrib when deployed with a TopicStub allow you to define a separate ACL CREATE to control who is allowed to create topics of that kind. This is mostly used in the TopicCreator UI and RenderSimpleTopicCreator.

-- MichaelDaum - 30 Apr 2020

Basically you can create any sort of ACL list by yourself:

   * Set ALLOWTOPICBOTCH = BramVanOosterhout

Results: you are NOT allowed to botch this topic. go away.

-- MichaelDaum - 30 Apr 2020

Apologies for my half question. I got interrupted. And thanks for your prompt note.

Where can I find some detail on how to define this separate ACL?

I tried the Permissions tab, but that inserted the following preferences. Not CREATE.

-- BramVanOosterhout - 30 Apr 2020

The next version of NatSkin will have a third section for those topics.

-- MichaelDaum - 30 Apr 2020

I was curious about what Michael suggested above so did some testing myself. I confirmed it does work exactly as Michael described, however this operates outside the standard Foswiki permissions, so you can't use that permissions tab UI to do this. If you define some arbitrary permission setting such as Michael did above (e.g. ALLOWTOPICBOTCH), IF will test against that permission (e.g. allows 'BOTCH'). Keep in mind that you can't test this behavior if you are in AdminGroup since permissions are not evaluated at all for this group. So in Michael's example above, it should display that you can not botch this topic (assuming you are neither BramVanOosterhout nor a member of AdminGroup).

Back to RenderSimpleTopicCreator, you can simply set a permission ALLOWTOPICCREATE to some individual or group (using the standard syntax of defining a preference and as illustrated in Michael's example above), and the form for creating new topics will be visible to that individual or group.

It is an interesting new wrinkle (to me at least) that one can define a custom permission definition and use IF macro to test against it. I'm sure I'll find some novel uses for this feature!

-- LynnwoodBrown - 30 Apr 2020

Thanks Michael and Lynnwood,

Reading AccessControl again, I can see that the custom ACLs are hinted at. And to summarise:
  • VIEW, CHANGE and RENAME will directly affect Foswiki topic access when set
  • HISTORY and RAW will affect Foswiki topic access if enabled in configure
  • XXX will not affect Foswiki access, unless implemented by an extension developer. For instance COMMENT as documented in CommentPlugin#Custom_access_controls

And IF allows supports the testing for arbitrary user defined modes. Magic!

In all cases, if the ACL is not defined or empty, it has no effect and IF allows tests true.

Thanks for the clarification.

-- BramVanOosterhout - 01 May 2020
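
The rules summarised in this thread, written out as a simplified Python model. This is an example added here, not Foswiki's own code (Foswiki is Perl and also evaluates DENY and web-level settings, which are left out). The function names, the group table, the CREATE and ARCHIVE settings and the user names other than the BOTCH line are constructed for illustration.

```python
import re

# Constructed sample data: group membership and topic text are illustrative only.
GROUPS = {"AdminGroup": {"AdminUser"}, "EditorsGroup": {"ExampleEditor"}}
TOPIC_TEXT = """
   * Set ALLOWTOPICBOTCH = BramVanOosterhout
   * Set ALLOWTOPICCREATE = Main.EditorsGroup, ExampleUser
   * Set ALLOWTOPICARCHIVE =
"""

# A preference bullet: three spaces (or a tab), "* Set NAME = value".
SETTING = re.compile(r"^(?: {3}|\t)+\* Set ALLOWTOPIC([A-Z]+) *= *(.*)$", re.M)


def parse_acls(text):
    """Map each mode (e.g. 'CREATE') to the set of names listed for it."""
    acls = {}
    for mode, value in SETTING.findall(text):
        names = [n.strip() for n in value.split(",")]
        # Drop the optional web prefix (Main.Name -> Name) and empty entries.
        acls[mode] = {n.split(".")[-1] for n in names if n}
    return acls


def allows(acls, mode, user, groups=GROUPS):
    """Simplified model of the IF 'allows' test as described in the thread."""
    if user in groups.get("AdminGroup", set()):
        return True  # admins: permissions are not evaluated at all
    allowed = acls.get(mode, set())
    if not allowed:
        return True  # undefined or empty ACL has no effect, so the test is true
    if user in allowed:
        return True
    # A listed name may be a group; check membership.
    return any(user in groups.get(name, set()) for name in allowed)


if __name__ == "__main__":
    acls = parse_acls(TOPIC_TEXT)
    for mode, user in [("BOTCH", "ExampleUser"), ("BOTCH", "AdminUser"),
                       ("CREATE", "ExampleEditor"), ("ARCHIVE", "ExampleUser"),
                       ("UNDEFINED", "ExampleUser")]:
        print(f"{user} allows {mode}: {allows(acls, mode, user)}")
```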
 

QuestionForm

Subject This website
Extension WikiWorkbenchContrib
Version Foswiki 2.1.6
Status Answered
Topic revision: r10 - 01 May 2020, BramVanOosterhout