Forum OpenACS Q&A: xowiki permission problem

Collapse
1: xowiki permission problem
Posted by Claudio Pasolini on 09/01/06 04:14 PM
I have a site (using dotlrn 2.2.0 xowiki 0.36 and xotcl-core 0.43) where I granted read permission to the public both on the main subsite and on the xowiki instance.

The home page (an xowiki page) is set via the parameter IndexRedirectUrl, but if an anonymous user tries to view the page he is redirected to the registration page.

Other applications where I granted read permisssion to the public (i.e. news) work as expected, and so I suspect that the registration is requested by xowiki. I think it shouldn't be so, for a site to be visited by the public.

In previous versions of xowiki there was the view.tcl to look at, but now the rendering of the page is managed by an object's method and my actual knowledge of xotcl leaves me down.

Any hints?

Collapse
2: Re: xowiki permission problem (response to 1)
Posted by Claudio Pasolini on 09/03/06 09:07 AM
I tracked down the problem fixing the proc ConnectionContext into the file tcl/context-procs.tcl of xotcl-core.

If the user_id of the connection was 0 (i.e. not logged in), the proc invoked the registration page via auth::require_login. I forced instead party_id to -1 (The public) so giving to all subsequent permission checks a valid party_id and requiring login only when necessary.

Collapse
3: Re: xowiki permission problem (response to 2)
Posted by Gustaf Neumann on 09/04/06 01:23 AM
Claudio,

yes, you are correct, anonymous viewing was not possible with the initial release of xowiki 0.36. i have committed a small patch to fix this problem. It contains two parts: changing the permissions for "view" in policy1 to "none" (see xowiki/tcl/package-procs.tcl) and pass the actual user-id from the view-page to the conditional links (such that the permission checking for the conditional links does not force the login).

After a cvs update, two settings are required for anonymous viewing:

  • give "the public" read permissions for the package ("permissions" link on admin page), if applicable, for the subsite as well. and
  • use policy1 as security policy ("parameters" on the admin page, policy1 is the default).

For your setup, just the update should be enough.