Item5464: ALLOWTOPICRENAME should not apply to attachments

Situation: User is not a member of TWikiAdminGroup

Page has

  Set ALLOWTOPICRENAME = TWikiAdminGroup

User attempts to delete an attachment on the topic.

Error:
Access rename not allowed on topic

This violates the Principle of Least Surprise. Deleting an attachment should fall under ALLOWTOPICCHANGE. The topic is not being renamed in this case.

Note that adding or "managing" an attachment falls under TOPICCHANGE as expected.

-- TWiki:Main/VickiBrown - 22 Mar 2008

Possible enhancement: ALLOWATTACHMENT* options might be interesting

-- TWiki:Main/VickiBrown - 23 Mar 2008

I think your original proposal is best and I agree that it is a bug that ALLOWTOPICRENAME affects renaming an attachment.

I do not think we need more complex access rights. The most reasonable fix would be to let ALLOWTOPICCHANGE be what limits renaming of attachments and only let ALLOWTOPICRENAME control renaming the topic name.

-- TWiki:Main.KennethLavrsen - 23 Mar 2008

Kenneth - agreed. Just an idea on the additional "Attachment" rights. My primary concern is that adding (or deleting or updating) an attachment should all fall under TOPICCHANGE.

-- TWiki:Main.VickiBrown - 25 Mar 2008

Agreed. Confirmed.

-- CrawfordCurrie - 04 Jan 2009

Fix committed to trunk. Tested on release11 branch as well, but not checked in there yet. Existing unit tests didn't need changes. Added two tests to verify the impact of topic permissions, and one unrelated test to verify that CHANGE is required on the target web of a topic rename.

Kenneth - any thoughts on getting this one into 1.1.3?

-- GeorgeClark - 19 Mar 2011