I just spent a half an hour chasing my tail trying to get TWiki to deny view privileges to anonymous users (who are assigned the TWikiGuest userid. I have a client that is going to be using TWiki as a document repository/portal, and wanted to make sure that we weren’t depending on ‘security through obscurity’.
We’re using Apache Authentication and it worked just fine for editing–you had to login before you could edit anything. We only want to limit access to certain Webs (it would be nice if people who knew about it could self register, which requires access to the TWiki web). I tried to edit the WebPreferences for the web to be protected and
set DENYWEBVIEW = MainWeb.TWikiGuest This denied view of the Dev web whether or not I was logged in.
%WIKIUSERNAME% variable and this post on a similar problem led me to conclude that the
REMOTE_USER environment variable wasn’t being carried across invocations. On every view, TWiki thought I was the TWikiGuest, until I explicitly logged in. Then, as long as I was editing, it was fine, but viewing was still denied.
That led me to this FAQ: Why is the environment variable REMOTE_USER var not set? which states that the
REMOTE_USER variable isn’t sent on every request, but only for protected resources.
Protecting my view.cgi script did the trick. I did so by adding this line to my apache config (in the twiki/bin directory entry) and restarting it:
<FilesMatch "(view|attach|edit|manage|rename|save|upload|mail|logon|.*auth).*"> require valid-user </FilesMatch>
Now, the only problem is that self registration doesn’t work. But that’s minor, as I can create a guest user and have folks login to register with that user (and deny it access to the protected webs too, to force everyone to register).