Item2073: Protect deleted topic/attachments that had access
Priority: Normal
Current State: No Action Required
Released In:
Target Release: n/a
Applies To: Engine
Component:
Branches:
(We're using TWiki 4.2.4. Unless you've already tackled this issue, Foswiki will have it too.)
Currently all deleted topic/attachments go into the same web regardless of
their previous access control.
This causes protected topics and attachments to lose their "protected" status.
Suggestion: create a
TrashSecure web, which is viewable only by the
TWikiAdmin group regardless of permissions on regular Trash. When an attachment or topic is deleted it will go into
TrashSecure if there were any view access control on the relevant topic.
By default the Trash web is set to admingroup-only, which seems to be a sufficient solution for most sites. I believe this change happened prior to TWiki 4.2.4, so you must have relaxed the permissions on the Trash web to be able to view these attachments.
It's not a perfect solution (unless you are using
viewfile
, attachments can't be protected anyway) but it's sufficient for most.
No action.
--
CrawfordCurrie - 24 Jun 2010