EditAttachPrintable
r47 - 27 Mar 2005 - 08:14:15 - TWikiContributorYou are here: OnumaTWiki >  TWiki Web  > TWikiDocumentation

TWiki Reference Manual (Tue, 04 Jul 2006 build 10807)

This page contains all documentation topics as one long, complete reference sheet.
Doubleclick anywhere to return to the top of the page.

Related Topics: TWikiSite, TWikiHistory, TWikiPlannedFeatures, TWikiEnhancementRequests, UserDocumentationCategory, AdminDocumentationCategory

TWiki System Requirements

Server and client requirements

Low client and server base requirements are core features that keep TWiki widely deployable, particularly across a range of browser platforms and versions. Many Plugins and contrib modules exist which enhance and expand TWiki's capabilities; they may have additional requirements.

Server Requirements

TWiki is written in Perl 5, uses a number of shell commands, and requires RCS (Revision Control System), a GNU Free Software package. TWiki is developed in a basic Linux/Apache environment. It also works with Microsoft Windows, and should have no problem on any other platform that meets the requirements.

Resource Required Server Environment *
Perl 5.005_03 or higher (5.8.4 or higher is recommended)
RCS 5.7 or higher (including GNU diff)
Optional, TWiki includes a pure perl implementation of RCS that can be used instead (although it's slower)
GNU diff GNU diff 2.7 or higher is required when not using the all-Perl RcsLite.
Install on PATH if not included with RCS (check version with diff -v)
Must be the version used by RCS, to avoid problems with binary attachments - RCS may have hard-coded path to diff
GNU patch For upgrades only: GNU patch is required when using the TWiki:Codev.UpgradeTWiki script
Other external programs fgrep, egrep
Cron/scheduler • Unix: cron
• Windows: cron equivalents
Web server Apache is well supported; see TWiki:TWiki.InstallingTWiki#OtherWebServers for other servers

Required CPAN Modules

The following Perl modules are used by TWiki:
Module Preferred version
Algorithm::Diff (included)  
CGI::Carp >=1.26
Config >=0
Cwd >=3.05
Data::Dumper >=2.121
Error (included)  
File::Copy >=2.06
File::Find >=1.05
File::Spec >=3.05
File::Temp (included with perl 5.6 and later)
FileHandle >=2.01
IO::File >=1.10
Text::Diff (included)  
Time::Local >=1.11

Optional CPAN Modules

The following Perl modules may be used by TWiki:
Module Preferred version Description
CGI::Cookie >=1.24 Used for session support
CGI::Session >=3.95 Used for session support
Digest::base    
Digest::SHA1    
Jcode   Used for I18N support with perl 5.6
Locale::Maketext::Lexicon >=0 Used for I18N support
Net::SMTP >=2.29 Used for sending mail
Unicode::Map   Used for I18N support with perl 5.6
Unicode::Map8   Used for I18N support with perl 5.6
Unicode::MapUTF8   Used for I18N support with perl 5.6
Unicode::String   Used for I18N support with perl 5.6
URI   Used for configure

Most of them will probably already be available in your installation. You can check version numbers with the configure script, or if you're still trying to get to that point, check from the command line like this: 

perl -e 'use FileHandle; print $FileHandle::VERSION."\n"'

Client Requirements

The TWiki standard installation has relatively low browser requirements:

  • HTML 3.2 compliant
  • Cookies, if persistent sessions are required

CSS and Javascript are used in most skins, although there is a low-fat skin (Classic skin) available that minimises these requirements. Some skins will require more recent releases of browsers. The default skin (Pattern) is tested on IE 6, Safari, and Mozilla 5.0 based browsers (such as Firefox).

You can easily select a balance of browser capability versus look and feel. Try the installed skins at TWikiSkinBrowser and more at TWiki:Plugins.SkinPackage.

Important note about TWiki Plugins

  • Plugins can require just about anything - browser-specific functions, stylesheets (CSS), Java applets, cookies, specific Perl modules,... - check the individual Plugin specs.
    • TIP Note: Plugins included in the TWiki distribution do not add requirements, except for the CommentPlugin which requires Perl 5.6.1.

Related Topics: AdminDocumentationCategory

TWiki Installation Guide

Installation instructions for the TWiki 4.0 production release.

If you are upgrading from a previous version of TWiki, you probably want to read TWikiUpgradeGuide instead.

TWiki should be fine with any web server and OS that meet the system requirements. The following installation instructions are written for experienced system administrators; please review the AdminSkillsAssumptions before you install TWiki. If you need help, ask a question in the TWiki:Support web or on TWiki:Codev.TWikiIRC (irc.freenode.net, channel #twiki)

HELP Hint: TWiki:TWiki.InstallingTWiki on TWiki.org has supplemental documentation that help you install TWiki on different platforms, environments and web hosting sites.

Basic Installation

  1. Download the TWiki distribution from http://TWiki.org/download.html.
  2. Make a directory for the installation and unpack the distribution in it.
  3. Make sure the user that runs CGI scripts on your system can read and write all files in the distribution.
    Detailed instructions on file permissions are beyond the scope of this guide, but in general:
    • During installation and configuration, the CGI user needs to be able to read and write everything in the distribution,
    • Once installation and configuration is complete, the CGI user needs write access to everything under the data and pub directories and to lib/LocalSite.cfg. Everything else should be read-only.
    • Everybody else should be denied access to everything, always.
  4. Make sure Perl 5 and the Perl CGI library are installed on your system.
    The default location of Perl is /usr/bin/perl. If it's somewhere else, change the path to Perl in the first line of each script in the twiki/bin directory.
    HELP Some systems require a special extension on perl scripts (e.g. .cgi or .pl). If necessary, rename all files in twiki/bin (i.e. rename view to view.pl etc). If you do this, make sure you set the ScriptSuffix option in configure (Step 6).
  5. Create the file /twiki/bin/LocalLib.cfg.
    There is a template for this file in /twiki/bin/LocalLib.cfg.txt.
    The file must contain a setting for $twikiLibPath, which must point to the absolute file path of your twiki/lib e.g. /home/httpd/twiki/lib.
    HELP If you need to install additional CPAN modules, but can't update the main Perl installation files on the server, you can set $CPANBASE to point to your personal CPAN install. Don't forget that the webserver user has to be able to read those files as well.
  6. Configure the webserver so you can execute the bin/configure script from your browser.
    • Explicit instructions for doing this are beyond the scope of this document, though there is a lot of advice on TWiki.org covering different configurations of webserver. To help you out, there's an example Apache httpd.conf file in twiki_httpd_conf.txt at the root of the package. This file also contains advice on securing your installation. There's also a script called tools/rewriteshebang.pl to help you in fixing up the shebang lines in your CGI scripts.
  7. Run the configure script from your browser, and resolve any errors or warnings it tells you about.
You now have a basic, unauthenticated installation running. At this point you can just point your Web browser at http://yourdomain.com/twiki/bin/view and start TWiki-ing away!

Next Steps

Once you have your TWiki running, you can move on to customise it for your users.

Troubleshooting

  • The first step is to re-run the configure script and make sure you have resolved all errors, and are happy that you understand any warnings.
  • TWiki:TWiki.InstallingTWiki on TWiki.org has supplemental documentation that help you install TWiki on different platforms, environments and web hosting sites.
  • If you need help, ask a question in the TWiki:Support web or on TWiki:Codev.TWikiIRC (irc.freenode.net, channel #twiki)

TWiki Upgrade Guide

Upgrade from the previous TWiki 01-Sep-2004 Prodcution Release to TWiki-4.0.0

Overview

TWiki-4.0.0 is a major new release. You can chose between an automated upgrade using a script or a manual update.

Upgrade Requirements

  • Please review the AdminSkillsAssumptions before you upgrade TWiki
  • Review TWiki:TWiki.TWikiUpgradeTo04x00x00 for latest information and experience notes.
  • To upgrade from a release prior to TWiki Release 01-Sep-2004, start with TWiki:TWiki.UpgradingTWiki on TWiki.org
  • To upgrade from a standard TWiki Release 01-Sep-2004 to the latest TWiki-4.0.0 Production Release, follow the instructions below
  • Once the upgrade has been applied, an existing earlier installation will still be able to read all the topics, but should not be used to write. Make sure you take a backup!
  • Not all Plugins written for TWiki Release 01-Sep-2004 are fully supported with Dakar. Make sure the Plugins you use can be upgraded as well!

Major Changes Compared to TWiki Release 01-Sep-2004

See TWikiReleaseNotes04x00.

Automated Upgrade Procedure

If you would prefer to do things manually, or if you made custom modifications to distributed files (except topics), then skip to the manual upgrade procedure below.

The upgrade script is called "UpgradeTwiki", and is found in the root of the distribution. It can be run by any user, though you will need to make sure you correct the permissions so that the webserver user can write all files in the new installation when you have finished. The upgrade script does not write to your existing installation.

The upgrade script will upgrade the TWiki core only. Plugins will need to be upgraded separately.

Note: To upgrade from a Beta, do not use UpgradeTWiki. Instead follow the steps outlined in Upgrading a Beta, below.

It will:

  • Create a new TWiki installation, placing the files from the distribution there as appropriate
  • Where possible, merge the changes you've made in your existing topics and attachments into the new twiki
  • Where not possible, it will tell you, and you can inspect those differences manually
  • Create new configuration files for the new TWiki based on your existing configuation information
  • Set the permissions in the new TWiki so that it should work straight away
  • Attempt to setup authentication for your new TWiki, if you are using .htaccess in the old one
  • Tell you what else you need to do

To perform the upgrade, you need to:

  • Check first if there is a newer UpgradeTwiki script available, see TWiki:Codev.UpgradeTWiki
  • Create a new directory for your new installation: Let's call this distro/
  • Put the distribution zip file in distro/
  • Unzip it
  • Choose a directory for the new installation. I will call this new_twiki. This directory must not already exist.
  • Change directory to distro/ and run:
    ./UpgradeTwiki <full path to existing_twiki's setlib.cfg> <full path to new_twiki>
  • confirm your system settings by pointing your browser to the configure script

Assuming all goes well, UpgradeTwiki will give you the final instructions.

Visit TWiki:Codev.KnownIssuesOfTWiki04x00x00 and fix known issues that apply to you.

There are a few points worth noting:

  • UpgradeTwiki may not be able to merge all the changes you made in your existing TWiki into the new installation, but it will tell you which ones it couldn't deal with
  • UpgradeTwiki creates the new installation in a new directory tree. It makes a complete copy of all your existing data, so:
    • Clearly you need to point it to a location where there is enough space
    • If you have symlinks under your data/ directory in your existing installation, these are reproduced as actual directories in the new structure. It is up to you to pull these sub-directories out again and re-symlink as needed
  • UpgradeTwiki doesn't deal with custom templates or Plugins, you will have to reinstall these in the new installation.
  • If you are using the Htpasswd login manager, then note that email addresses for users have moved out of user topics and into the password database. There is a script that performs this extra upgrade step for you - see tools/upgrade_emails.pl.

Manual Upgrade Procedure

The following steps are a rough guide to upgrading only. It is impossible to give detailed instructions, as what you have to do may depend on whether you can configure the webserver or not, and how much you have changed distributed files in your current TWiki release.

  1. Follow the installation instructions, and install the new release in a new directory.
  2. Copy your local webs over to the data and pub directories of the new install
    • You could also use softlinks to link the web directories in data and pub to the old installation area
  3. Unlock the rcs files in data and pub directories from the old installation using the following shell commands:
    • find data -name '*,v' -exec rcs -r -u -M '{}' \;
    • find pub -name '*,v' -exec rcs -r -u -M '{}' \;
  4. Examine your old TWiki.cfg, and for each local setting, set the corresponding value in the configure interface for the new install.
    • If you can't use configure, then copy the new TWiki.cfg to LocalSite.cfg, and edit LocalSite.cfg. Remove all the settings that you didn't change in your previous install, and change the remaining settings to the values from your old TWiki.cfg.
  5. Transfer any customized and local settings from TWiki.TWikiPreferences to the topic pointed at by {LocalSitePreferences} (Main.TWikiPreferences). This avoids having to write over files in the distribution.
  6. If you changed any of the topics in the original TWiki distribution, you will have to transfer your changes to the new install manually. There is no simple way to do this, though the following procedure may help:
    1. Install a copy of the original TWiki release you were using in a temporary directory
    2. Use 'diff' to find changed files, and transfer the changes into the new Dakar install.
    3. Install updated plugins into your new area.
  7. Point your webserver at the new install.
  8. Visit TWiki:Codev.KnownIssuesOfTWiki04x00x00 and fix known issues that apply to you.
  9. If you are using the Htpasswd login manager, then note that email addresses for users have moved out of user topics and into the password database. There is a script that performs this extra upgrade step for you - see tools/upgrade_emails.pl.

You are highly recommended not to change any distributed files if you can avoid it, to simplify future upgrades!

Upgrading a Beta

If you followed the recommendations and avoided modifying any distributed files, then this is quite straightforward:
  1. Follow the installation instructions, and install the new release in a new directory.
  2. Copy your local webs over to the data and pub directories of the new install
    • Be careful to copy over the user topics and TWikiUsers?.txt in the Main web
  3. Copy over your bin/LocalLib.cfg and lib/LocalSite.cfg files
  4. Copy over any local files you created (such as .htpasswd and .htaccess files)
  5. Point your webserver at the new install.
If you changed any of the distributed files, you will have to continue from Step 5 above.

Upgrading from Cairo to TWiki4 (additional advice)

Favicon

TWiki4's PatternSkin introduces the use of the favicon feature which most browsers use to show a small icon in front of the URL and for bookmarks.

In TWiki4 it is assumed that each web has a favicon.ico file attached to the WebPreferences topic. When you upgrade from Cairo to TWiki4 you do not have this file and you will get flooded with errors the error log of your web server. There are two solutions to this.

  • Attach a favicon.ico file to WebPreferences in each web.
  • Change the setting of the location of favicon.ico in TWikiPreferences so all webs use the favicon.ico from the TWiki web. This is the fastest and easiest solution.

To change the location of favicon.ico in TWikiPreferences to the TWiki web add this line to TWikiPreferences 

   * Set FAVICON = %PUBURLPATH%/%TWIKIWEB%/%WEBPREFSTOPIC%/favicon.ico

TWiki User Authentication

TWiki site access control and user activity tracking options

Overview

Authentication, or "login", is the process by which a user lets TWiki know who they are.

Authentication isn't just to do with access control. TWiki uses authentication to identify users, so it can keep track of who made changes, and manage a wide range of personal settings. With authentication enabled, users can personalise TWiki and contribute as recognised individuals, instead of shadows.

TWiki authentication is very flexible, and can either stand alone or integrate with existing authentication schemes. You can set up TWiki to require authentication for every access, or only for changes. Authentication is also essential for access control.

Quick Authentication Test - Use the %WIKIUSERNAME% variable to return your current identity:

TWiki user authentication is split into three sections; password management, user registration, and login management. Password management deals with how users are recognised (authenticated). Registration deals with how new users are added to the wiki. Login management deals with how users log in.

Once a user is logged on, they are remembered using a "session id" stored in a cookie in the browser (or by other less elegant means if the user has disabled cookies). This avoids them having to log on again and again.

Please note FileAttachments are not protected by TWiki User Authentication.

TIP Tip: TWiki:TWiki.TWikiUserAuthenticationSupplement on TWiki.org has supplemental documentation on user authentication.

Password Management

As shipped, TWiki supports the Apache 'htpasswd' password manager. This manager supports the use of .htpasswd files on the server. These files can be unique to TWiki, or can be shared with other applications (such as an Apache webserver). A variety of password encodings are supported for flexibility when re-using existing files. See the descriptive comments in the Security Settings section of the configure interface for more details.

New User Registration

New user registration uses the password manager to set and change passwords. It is also responsible for the new user verification process. the registration process supports single user registration via the TWikiRegistration page, and bulk user registration via the BulkRegistration page (for admins only).

The registration process is responsible for creating user topics.

Login Management

Login management controls the way users have to log in. There are three basic options; no login, login via a TWiki login page, and login using the webserver authentication support.

You can select your chosen login through the Security Settings pane in the configure interface.

No Login (select none in configure)

Does exactly what it says on the tin. Forget about authentication to make your site completely public - anyone can browse and edit freely, in classic Wiki style. All visitors are given the TWikiGuest default identity, so you can't track individual user activity.

ALERT! Note: This setup is not recommended on public websites for security reasons; anyone would be able to change system settings and perform tasks usually restricted to the TWikiAdminGroup.

Template Login (select TWiki::Client::TemplateLogin in configure)

Template Login asks for a username and password in a web page, and processes them using whatever Password Manager you choose. Users can log in and log out.

Enabling Template Login

  1. Use the configure interface to
    1. select the TWiki::Client::TemplateLogin login manager (on the Security Settings pane).
    2. select the appropriate password manager for your system, or provide your own.
  2. Register yourself in the TWikiRegistration topic.
    HELP Check that the password manager recognises the new user. If you are using .htpasswd files, check that a new line with the username and encrypted password is added to the .htpasswd file. If not, you probably got a path wrong, or the permissions may not allow the webserver user to write to that file.
  3. Create a new topic to check if authentication works.
  4. Edit the TWikiAdminGroup topic in the Main web to include users with system administrator status.
    ALERT! This is a very important step, as users in this group can access all topics, independent of TWiki access controls.

TWikiAccessControl has more information on setting up access controls.

ALERT! At this time TWikiAccessControls cannot control access to files in the pub area, unless they are only accessed through the viewfile script. If your pub directory is set up in the webserver to allow open access you may want to add .htaccess files in there to restrict access.

TIP You can create a custom version of the TWikiRegistration form by deleting or adding input tags. The name="" parameter of the input tags must start with: "Twk0..." (if this is an optional entry), or "Twk1..." (if this is a required entry). This ensures that the fields are carried over into the user home page correctly.

TIP You can customize the default user home page in NewUserTemplate. The same variables get expanded as in the template topics

Apache Login (select TWiki::Client::ApacheLogin in configure)

Using this method TWiki does not authenticate users internally. Instead it depends on the REMOTE_USER environment variable, which is set when you enable authentication in the webserver.

The advantage of this scheme is that if you have an existing website authentication scheme using Apache modules such as mod_auth_ldap or mod_auth_mysql you can just plug in directly to them.

The disadvantage is that because the user identity is cached in the browser, you can log in, but you can't log out again unless you restart the browser.

TWiki maps the REMOTE_USER that was used to log in to the webserver to a WikiName using the table in TWikiUsers. This table is updated whenever a user registers, so users can choose not to register (in which case their webserver login name is used for their signature) or register (in which case that login name is mapped to their WikiName).

The same private .htpasswd file used in TWiki Template Login can be used to authenticate Apache users, using the Apache Basic Authentication support. This allows the TWiki registration support to maintain usernames and passwords.

Warning: Do not use the Apache htpasswd program with .htpasswd files generated by TWiki! htpasswd wipes out email addresses that TWiki plants in the info fields of this file.

Enabling Apache Login using mod_auth

You can use any other Apache authentication module that sets REMOTE_USER.
  1. Use configure to select the TWiki::Client::ApacheLogin login manager.
  2. Use configure to set up TWiki to create the right kind of .htpasswd entries.
  3. Create a .htaccess file in the twiki/bin directory.
    HELP There is an template for this file in twiki/bin/.htaccess.txt that you can copy and change. The comments in the file explain what need to be done.
    HELP If you got it right, the browser should now ask for login name and password when you click on the Edit. If .htaccess does not have the desired effect, you may need to "AllowOverride All" for the directory in httpd.conf (if you have root access; otherwise, e-mail web server support)
    ALERT! At this time TWikiAccessControls do not control access to files in the pub area, unless they are only accessed through the viewfile script. If your pub directory is set up to allow open access you may want to add .htaccess files in there as well to restrict access
  4. You can create a custom version of TWikiRegistration by deleting or adding input tags. The name="" parameter of the input tags must start with: "Twk0..." (if this is an optional entry), or "Twk1..." (if this is a required entry). This ensures that the fields are carried over into the user home page correctly.
    You can customize the default user home page in NewUserTemplate. The same variables get expanded as in the template topics
  5. Register yourself in the TWikiRegistration topic.
    HELP Check that a new line with the username and encrypted password is added to the .htpasswd file. If not, you may have got a path wrong, or the permissions may not allow the webserver user to write to that file.
  6. Create a new topic to check if authentication works.
  7. Edit the TWikiAdminGroup topic in the Main web to include users with system administrator status.
    ALERT! This is a very important step, as users in this group can access all topics, independent of TWiki access controls.
TWikiAccessControl has more information on setting up access controls.

Logons via bin/logon

Any time a user enters a page that needs authentication, they will be forced to log on. It may be convenient to have a "logon" as well, to give the system a chance to identify the user and retrieve their personal settings. It may be convenient to force them to log on.

The bin/logon script accomplishes this. The bin/logon script must be setup in the bin/.htaccess file to be a script which requires a valid user. However, once authenticated, it will simply redirect the user to the view URL for the page from which the logon script was linked.

Sessions

TWiki uses the CPAN:CGI::Session and CPAN:CGI::Cookie modules to track sessions using cookies. These modules are de facto standards for session management among Perl programmers. If you can't use Cookies for any reason, CPAN:CGI::Session also supports session tracking using the client IP address. See How to choose an authentication method for a discussion of the pros and cons of the various authentication methods.

There are a number of TWikiVariables available that you can use to interrogate your current session. You can even add your own session variables to the TWiki cookie. Session variables are referred to as "sticky" variables.

Getting, Setting, and Clearing Session Variables

You can get, set, and clear session variables from within TWiki web pages or by using script parameters. This allows you to use the session as a personal "persistent memory space" that is not lost until the web browser is closed. Also note that if a session variable has the same name as a TWiki preference, the session variables value takes precedence over the TWiki preference. This allows for per-session preferences.

To make use of these features, use the tags: 

%SESSION_VARIABLE{ "varName" }%
%SESSION_VARIABLE{ "varName" set="varValue" }%
%SESSION_VARIABLE{ "varName" clear="" }%

Note that you cannot override access controls preferences this way.

Cookies and Transparent Session IDs

TWiki normally uses cookies to store session information on a client computer. Cookies are a common way to pass session information from client to server. TWiki cookies simply hold a unique session identifier that is used to look up a database of session information on the TWiki server.

For a number of reasons, it may not be possible to use cookies. In this case, TWiki has a fallback mechanism; it will automatically rewrite every internal URL it sees on pages being generated to one that also passes session information.

TWiki Username vs. Login Username

This section applies only if you are using authentication with existing login names (i.e. mapping from login names to WikiNames).

OnumaTWiki internally manages two usernames: Login Username and TWiki Username.

  • Login Username: When you login to the intranet, you use your existing login username, ex: pthoeny. This name is normally passed to TWiki by the REMOTE_USER environment variable, and used internally. Login Usernames are maintained by your system administrator.

  • TWiki Username: Your name in WikiNotation, ex: PeterThoeny, is recorded when you register using TWikiRegistration; doing so also generates a personal home page in the Main web.

TWiki can automatically map an Intranet (Login) Username to a TWiki Username if the {AllowLoginName} is enabled in configure. The default is to use your WikiName as a login name.

NOTE: To correctly enter a WikiName - your own or someone else's - be sure to include the Main web name in front of the Wiki username, followed by a period, and no spaces, for example Main.WikiUsername or %MAINWEB%.WikiUsername. This points WikiUsername to the Main web, where user home pages are located, no matter which web it's entered in. Without the web prefix, the name appears as a NewTopic? everywhere but in the Main web.

Changing Passwords

If your {PasswordManager} supports password changing, you can change and reset passwords using forms on regular pages.

Changing E-mail Addresses

If the active {PasswordManager} supports storage and retrieval of user e-mail addresses, you can change your e-mail using a regular page. As shipped, this is true only for the Apache 'htpasswd' password manager.

Controlling access to individual scripts

You may want to add or remove scripts from the list of scripts that require authentication. The method for doing this is different for each of Template Login and Apache Login.
  • For Template Login, update the {AuthScripts} list using configure
  • For Apache Login, add/remove the script from .htaccess

How to choose an authentication method

One of the key features of TWiki is that it is possible to add HTML to topics. No authentication method is 100% secure on a website where end users can add HTML, as there is always a risk that a malicious user can add code to a topic that gathers user information, such as session IDs. The TWiki developers have been forced to make certain tradeoffs, in the pursuit of efficiency, that may be exploited by a hacker.

This section discusses some of the known risks. You can be sure that any potential hackers have read this section as well!

Firstly, the most secure method is without doubt to use the webserver authentication support, with Sessions turned off.

The second most secure method is to use TWiki's internal authentication with Sessions turned off. This method is less secure than using the webserver because passwords are sent in plain text and can therefore be intercepted in transit.

As soon as you allow the server to maintain information about a logged-in user, you open a door to potential attacks. There are a variety of ways a malicious user can pervert TWiki to obtain another users session ID, the most common of which is known as a cross-site scripting attack. Once a hacker has an SID they can pretend to be that user.

To help prevent these sorts of attacks, TWiki supports IP matching, which ensures that the IP address of the user requesting a specific session is the same as the IP address of the user who created the session. This works well as long as IP addresses are unique to each client, and as long as the IP address of the client can't be faked.

The third most secure method is to use sessions with IP matching ({UseIPMatching} switched on). Shorter session expiry times are more secure ({Sessions}{ExpireAfter}). The default session lifetime is 6 hours, which is quite a long lifetime for a session.

Session IDs are usually stored by TWiki in cookies, which are stored in the client browser. Cookies work well, but not all environments or users permit cookies to be stored in browsers. So TWiki also supports two other methods of determining the session ID. The first method uses the client IP address to determine the session ID. The second uses a rewriting method that rewrites local URLs in TWiki pages to include the session ID in the URL.

The first method works well as long as IP addresses are unique to each individual client, and client IP addresses can't be faked by a hacker. If IP addresses are unique and can't be faked, it is almost as secure as cookies + IP matching, so it ranks as the fourth most secure method.

If you have to turn IP matching off, and cookies can't be relied on, then you may have to rely on the second method, URL rewriting. This method exposes the session IDs very publicly, so should be regarded as the least secure method.

See TWiki:TWiki.SecuringTWikiSite for more information.

TWiki Access Control

Restricting read and write access to topics and webs, by Users and groups

TWiki Access Control allows you restrict access to single topics and entire webs, by individual user and by user Groups. Access control, combined with TWikiUserAuthentication, lets you easily create and manage an extremely flexible, fine-grained privilege system.

TIP Tip: TWiki:TWiki.TWikiAccessControlSupplement on TWiki.org has additional documentation on access control.

An Important Control Consideration

Open, freeform editing is the essence of WikiCulture - what makes TWiki different and often more effective than other collaboration tools. For that reason, it is strongly recommended that decisions to restrict read or write access to a web or a topic are made with great care - the more restrictions, the less Wiki in the mix. Experience shows that unrestricted write access works very well because:

  • Peer influence is enough to ensure that only relevant content is posted.
  • Peer editing - the ability for anyone to rearrange all content on a page - keeps topics focused.
  • In TWiki, content is transparently preserved under revision control:
    • Edits can be undone by the TWikiAdminGroup (the default administrators group; see #ManagingGroups).
    • Users are encouraged to edit and refactor (condense a long topic), since there's a safety net.
As a collaboration guideline:
  • Create broad-based Groups (for more and varied input), and...
  • Avoid creating view-only Users (if you can read it, you should be able to contribute to it).

Permissions settings of the webs on this TWiki site

Web Sitemap VIEW CHANGE RENAME
Listed DENY ALLOW DENY ALLOW DENY ALLOW
Main ... on            
TWiki ... on       TWikiAdminGroup   TWikiAdminGroup

See TWikiAccessControl for details

Please Note:

  • A blank in the the above table may mean either the corresponding control is absent or commented out or that it has been set to a null value. The two conditions have dramatically different and possibly opposed semantics.
  • TWikiGuest is the guest account - used by unauthenticated users.
  • The TWiki web must not deny view to TWikiGuest; otherwise, people will not be able to register.

Note: Above table comes from SitePermissions

Authentication vs. Access Control

Authentication: Identifies who a user is based on a login procedure. See TWikiUserAuthentication.

Access control: Restrict access to content based on users and groups once a user is identified.

Users and Groups

Access control is based on the familiar concept of Users and Groups. Users are defined by their WikiNames. They can then be organized in unlimited combinations by inclusion in one or more user Groups. For convenience, Groups can also be included in other Groups.

Managing Users

A user can create an account in TWikiRegistration. The following actions are performed:

  • WikiName and encrypted password are recorded using the password manager if authentication is enabled.
  • A confirmation e-mail is sent to the user.
  • A user home page with the WikiName of the user is created in the Main web.
  • The user is added to the TWikiUsers topic.

The default visitor name is TWikiGuest. This is the non-authenticated user.

Managing Groups

Groups are defined by group topics located in the Main web, such as the TWikiAdminGroup. To create a new group, visit TWikiGroups and enter the name of the new group ending in Group into the "new group" form field. This will create a new group topic with two important settings:

  • Set GROUP = < list of Users and/or Groups >
  • Set ALLOWTOPICCHANGE = < list of Users and/or Groups >

The GROUP setting is a comma-separated list of users and/or other groups. Example:

  • Set GROUP = Main.SomeUser, Main.OtherUser, Main.SomeGroup

The ALLOWTOPICCHANGE setting defines who is allowed to change the group topic; it is a comma delimited list of users and groups. You typically want to restrict that to the members of the group itself, so it should contain the name of the topic. This prevents users not in the group from editing the topic to give themselves or others access. For example, for the TWikiAdminGroup topic write:

  • Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup

ALERT! Note: TWiki has strict formatting rules. Make sure you have three spaces, an asterisk, and an extra space in front of any access control rule.

The Super Admin Group

By mistyping a user or group name in the settings, it's possible to lock a topic so that no-one can edit it from a browser. To avoid this, add the WikiNames of registered administrators to the super admin group topic called TWikiAdminGroup. The name of this topic is defined by the {SuperAdminGroup} configure setting. Example group setting:

  • Set GROUP= Main.ElizabethWindsor, Main.TonyBlair

Restricting Access

You can define who is allowed to read or write to a web or a topic. Note that some plugins may not respect access permissions.

  • Restricting VIEW blocks viewing and searching of content.
  • Restricting CHANGE blocks creating new topics, changing topics or attaching files.
  • Restricting RENAME controls who is allowed to rename, move or delete a topic.
    • To rename, move or delete a topic, the user also also needs VIEW and CHANGE permission. They also need CHANGE access to change references in any referring topics (though the rename can proceed without this access), and CHANGE access to the target topic.
  • Restricting MANAGE controls access to certain management functions, such as 'create web'. It must be set in the TWiki web.

Controlling access to a Web

You can define restrictions of who is allowed to view a OnumaTWiki web. You can restrict access to certain webs to selected Users and Groups, by:

  • authenticating all webs and restricting selected webs: Topic access in all webs is authenticated, and selected webs have restricted access.
  • authenticating and restricting selected webs only: Provide unrestricted viewing access to open webs, with authentication and restriction only on selected webs.

  • You can define these settings in the WebPreferences topic, preferable towards the end of the topic:
    • Set DENYWEBVIEW = < comma-delimited list of Users and Groups >
    • Set ALLOWWEBVIEW = < comma-delimited list of Users and Groups >
    • Set DENYWEBCHANGE = < comma-delimited list of Users and Groups >
    • Set ALLOWWEBCHANGE = < comma-delimited list of Users and Groups >
    • Set DENYWEBRENAME = < comma-delimited list of Users and Groups >
    • Set ALLOWWEBRENAME = < comma-delimited list of Users and Groups >

Be careful with empty values for any of these. In older versions of TWiki,

  • Set ALLOWWEBVIEW =
meant the same as not setting it at all. However since TWiki Dakar release, it means allow noone access i.e. prevent anyone from viewing the web. Similarly
  • Set DENYWEBVIEW =
now means do not deny anyone the right to view this web. See "How TWiki evaluates ALLOW/DENY settings" below for more on this.

Controlling access to a Topic

  • You can define these settings in the WebPreferences topic, preferable towards the end of the topic:
    • Set DENYTOPICVIEW = < comma-delimited list of Users and Groups >
    • Set ALLOWTOPICVIEW = < comma-delimited list of Users and Groups >
    • Set DENYTOPICCHANGE = < comma-delimited list of Users and Groups >
    • Set ALLOWTOPICCHANGE = < comma-delimited list of Users and Groups >
    • Set DENYTOPICRENAME = < comma-delimited list of Users and Groups >
    • Set ALLOWTOPICRENAME = < comma-delimited list of Users and Groups >

Remember when opening up access to specific topics within a restricted web that other topics in the web - for example, the WebLeftBar - may also be accessed when viewing the topics. The message you get when you are denied access should tell you what topic you were not permitted to access.

Be careful with empty values for any of these. In older versions of TWiki,

  • Set ALLOWTOPICVIEW =
meant the same as not setting it at all. However since TWiki Dakar release, it means allow no-one access i.e. prevent anyone from viewing the topic. Similarly
  • Set DENYTOPICVIEW =
now means do not deny anyone the right to view this topic. See "How TWiki evaluates ALLOW/DENY settings" below for more on this.

Controlling access to Attachments

Attachments are referred to directly, and are not normally indirected via TWiki scripts. This means that the above instructions for access control will not apply to attachments. It is possible that someone may inadvertently publicise a URL that they expected to be access-controlled.

The easiest way to apply the same access control rules for attachments as apply to topics is to use the Apache mod_rewrite module, and configure your webserver to redirect accesses to attachments to the TWiki viewfile script. For example, 

  ScriptAlias /twiki/bin/ /filesystem/path/to/twiki/bin/
  Alias /twiki/pub/       /filesystem/path/to/twiki/pub/

  RewriteEngine on
  RewriteRule ^/twiki/pub/TWiki/(.*)$ /twiki/pub/TWiki/$1 [L,PT]
  RewriteRule ^/twiki/pub/([^\/]+)/([^\/]+)/([^\/]+)$ /twiki/bin/viewfile/$1/$2?filename=$3 [L,PT]

That way all the controls that apply to the topic also apply to attachments to the topic. Other types of webserver have similar support.

Note: Images embedded in topics will load much slower since each image will be delivered by the viewfile script.

How TWiki evaluates ALLOW/DENY settings

When deciding whether to grant access, TWiki evaluates the following rules in order (read from the top of the list; if the logic arrives at PERMITTED or DENIED that applies immediately and no more rules are applied). You need to read the rules bearing in mind that VIEW, CHANGE and RENAME access may be granted/denied separately.

  1. If the user is a super-user
    • access is PERMITTED.
  2. If DENYTOPIC is set to a list of wikinames
    • people in the list will be DENIED.
  3. If DENYTOPIC is set to empty ( i.e. Set DENYTOPIC = )
    • access is PERMITTED i.e no-one is denied access to this topic
  4. If ALLOWTOPIC is set
    1. people in the list are PERMITTED
    2. everyone else is DENIED
      • Note that this means that setting ALLOWTOPIC to empty denies access to everyone except admins (unless DENYTOPIC is also set to empty, as described above)
  5. If DENYWEB is set to a list of wikiname
    • people in the list are DENIED access
  6. If ALLOWWEB is set to a list of wikinames
    • people in the list will be PERMITTED
    • everyone else will be DENIED
      • Note that setting ALLOWWEB to empty denies access to everyone except admins
  7. If you got this far, access is PERMITTED

Access Control quick recipes

Obfuscating Webs

Another way of hiding webs is to keep them hidden by not publishing the URL and by preventing the all webs search option from accessing obfuscated webs. Do so by enabling the NOSEARCHALL variable in WebPreferences:

  • Set NOSEARCHALL = on

This setup can be useful to hide a new web until content its ready for deployment, or to hide view access restricted webs.

ALERT! Note: Obfuscating a web without view access control is very insecure, as anyone who knows the URL can access the web.

Authenticate all Webs and Restrict Selected Webs

Use the following setup to authenticate users for topic viewing in all webs and to restrict access to selected webs. Requires TWikiUserAuthentication to be enabled.

  1. Restrict view access to selected Users and Groups. Set one or both of these variables in its WebPreferences topic:
    • Set DENYWEBVIEW = < list of Users and Groups >
    • Set ALLOWWEBVIEW = < list of Users and Groups >
    • Note: DENYWEBVIEW is evaluated before ALLOWWEBVIEW. Access is denied if the authenticated person is in the DENYWEBVIEW list, or not in the ALLOWWEBVIEW list. Access is granted in case DENYWEBVIEW and ALLOWWEBVIEW is not defined.

Authenticate and Restrict Selected Webs Only

Use the following setup to provide unrestricted viewing access to open webs, with authentication only on selected webs. Requires TWikiUserAuthentication to be enabled.

  1. Restrict view access to selected Users and Groups. Set one or both of these variables in its WebPreferences topic:
    • Set DENYWEBVIEW = < list of Users and Groups >
    • Set ALLOWWEBVIEW = < list of Users and Groups >
    • Note: DENYWEBVIEW is evaluated before ALLOWWEBVIEW. Access is denied if the authenticated person is in the DENYWEBVIEW list, or not in the ALLOWWEBVIEW list. Access is granted in case DENYWEBVIEW and ALLOWWEBVIEW is not defined.

Hide Control Settings

TIP Tip: To hide access control settings from normal browser viewing, place them in HTML comment markers.

<!--
   * Set DENYTOPICCHANGE = Main.SomeGroup
-->

TWiki Text Formatting

Working in TWiki is as easy as typing in text. You don't need to know HTML, though you can use it if you prefer. Links to topics are created automatically when you enter WikiWords. And TWiki shorthand gives you all the power of HTML with a simple coding system that takes no time to learn. It's all laid out below.

TWiki Editing Shorthand

Formatting Command: You write: You get:
Paragraphs:
Blank lines will create new paragraphs. 
1st paragraph

2nd paragraph
1st paragraph

2nd paragraph

Headings:
Three or more dashes at the beginning of a line, followed by plus signs and the heading text. One plus creates a top level heading, two pluses a second level heading, etc. The maximum heading depth is 6.

You can create a table of contents with the %TOC% variable. If you want to exclude a heading from the TOC, put !! after the ---+.

ALERT! Empty headings are allowed, but won't appear in the table of contents. 

---++ Sushi
---+++ Maguro
---+++!! Not in TOC

Sushi

Maguro

Not in TOC
Bold Text:
Words get shown in bold by enclosing them in * asterisks. 
*Bold*
Bold
Italic Text:
Words get shown in italic by enclosing them in _ underscores. 
_Italic_
Italic
Bold Italic:
Words get shown in bold italic by enclosing them in __ double-underscores. 
__Bold italic__
Bold italic
Fixed Font:
Words get shown in fixed font by enclosing them in = equal signs. 
=Fixed font=
Fixed font

Bold Fixed Font:
Words get shown in bold fixed font by enclosing them in double equal signs. 
==Bold fixed==
Bold fixed
TIP You can follow the closing bold, italic, or other (* _ __ = ==) indicator with normal punctuation, such as commas and full stops.

ALERT! Make sure there is no space between the text and the indicators. 

_This works_,
_this does not _
This works,
_this does not _
Verbatim (Literal) Text:
Surround code excerpts and other formatted text with <verbatim> and </verbatim> tags.
TIP verbatim tags disable HTML code. Use <pre> and </pre> tags instead if you want the HTML code within the tags to be interpreted.
ALERT! NOTE: Preferences variables (* Set NAME = value) are set within verbatim tags. 
<verbatim>
class CatAnimal {
  void purr() {
    <code here>
  }
}
</verbatim>

class CatAnimal {
  void purr() {
    <code here>
  }
}
Separator (Horizontal Rule):
Three or more three dashes at the beginning of a line.. 
-------
Bulleted List:
Multiple of three spaces, an asterisk, and another space.
HELP For all the list types, you can break a list item over several lines by indenting lines after the first one by at least 3 spaces. 
   * level 1
      * level 2
   * back on 1
   * A bullet
     broken over
     three lines
   * last bullet
  • level 1
    • level 2
  • back on 1
  • A bullet broken over three lines
  • last bullet
Numbered List:
Multiple of three spaces, a type character, a dot, and another space. Several types are available besides a number:
Type Generated Style Sample Sequence
1. Arabic numerals 1, 2, 3, 4...
A. Uppercase letters A, B, C, D...
a. Lowercase letters a, b, c, d...
I. Uppercase Roman Numerals I, II, III, IV...
i. Lowercase Roman Numerals i, ii, iii, iv... 
   1. Sushi
   1. Dim Sum
   1. Fondue

   A. Sushi
   A. Dim Sum
   A. Fondue

   i. Sushi
   i. Dim Sum
   i. Fondue
  1. Sushi
  2. Dim Sum
  3. Fondue

  1. Sushi
  2. Dim Sum
  3. Fondue

  1. Sushi
  2. Dim Sum
  3. Fondue
Definition List:
Three spaces, a dollar sign, the term, a colon, a space, followed by the definition. 
   $ Sushi: Japan
   $ Dim Sum: S.F.
Sushi
Japan
Dim Sum
S.F.
Table:
Each row of the table is a line containing of one or more cells. Each cell starts and ends with a vertical bar '|'. Any spaces at the beginning of a line are ignored.
  • | *bold* | header cell with text in asterisks
  • |   center-aligned   | cell with at least two, and equal number of spaces on either side
  • |      right-aligned | cell with more spaces on the left
  • | 2 colspan || and multi-span columns with multiple |'s right next to each other
  • |^| cell with caret indicating follow-up row of multi-span rows
  • You can split rows over multiple lines by putting a backslash '\' at the end of each line
  • Contents of table cells wrap automatically as determined by the browser
TIP The TablePlugin provides the |^| multiple-span row functionality and additional rendering features 
| *L* | *C* | *R* |
| A2 |  B2  |  C2 |
| A3 |  B3  |  C3 |
| multi span |||
| A5-7 |  5  |  5 |
|^| six | six |
|^| seven | seven |
| split\
  | over\
  | 3 lines |
| A9 |  B9  |  C9 |
L C R
A2 B2 C2
A3 B3 C3
multi span
A5-7 5 5
six six
seven seven
split over 3 lines
A9 B9 C9
WikiWord Links:
CapitalizedWordsStuckTogether (or WikiWords) will produce a link automatically if preceded by whitespace or parenthesis.
TIP If you want to link to a topic in a different web write Otherweb.TopicName.
HELP The link label excludes the name of the web, e.g. only the topic name is shown. As an exception, the name of the web is shown for the WebHome topic.

It's generally a good idea to use the TWikiVariables %TWIKIWEB% and %MAINWEB% instead of TWiki and Main. 

WebStatistics

Sandbox.WebNotify

Sandbox.WebHome
WebStatistics

WebNotify

Sandbox

Anchors:
You can define a reference inside a TWiki topic (called an anchor name) and link to that. To define an anchor write #AnchorName at the beginning of a line. The anchor name must be a WikiWord. To link to an anchor name use the [[MyTopic#MyAnchor]] syntax. You can omit the topic name if you want to link within the same topic. 
[[WikiWord#NotThere]]

[[#MyAnchor][Jump]]

#MyAnchor To here
WikiWord#NotThere

Jump

To here

Forced Links:
You can create a forced internal link by enclosing words in double square brackets.
Text within the brackets may contain optional spaces; the topic name is formed by capitalizing the initial letter and by removing the spaces; for example, [[text formatting FAQ]] links to topic TextFormattingFAQ. You can also refer to a different web and use anchors.
TIP To "escape" double square brackets that would otherwise make a link, prefix the leading left square bracket with an exclamation point. 
[[wiki syntax]]

[[Main.TWiki users]]

escaped:
![[wiki syntax]]
wiki syntax

Main.TWiki users

escaped: [[wiki syntax]]

Specific Links:
You can create a link where you specify the link text and the URL separately using nested square brackets [[reference][text]]. Internal link references (e.g. WikiSyntax) and URLs (e.g. http://TWiki.org/) are both supported. The rules described under Forced Links apply for internal link references.
TIP Anchor names can be added as well, to create a link to a specific place in a topic. 
[[WikiSyntax][wiki syntax]]

[[http://gnu.org][GNU]]
wiki syntax

GNU

Prevent a Link:
Prevent a WikiWord from being linked by prepending it with an exclamation point. 
!SunOS
SunOS
Disable Links:
You can disable automatic linking of WikiWords by surrounding text with <noautolink> and </noautolink> tags.
HELP It is possible to turn off all auto-linking with a NOAUTOLINK preferences setting. 
 <noautolink>
 RedHat &
 SuSE
 </noautolink>
RedHat & SuSE
Mailto Links:
E-mail addresses are linked automatically. To create e-mail links that have more descriptive link text, specify subject lines or message bodies, or omit the e-mail address, you can write [[mailto:user@domain][descriptive text]]. 
a@b.com

[[mailto:a@b.com]\
[Mail]]

[[mailto:?subject=\
Hi][Hi]]
a@b.com

Mail

Hi

Using HTML

You can use just about any HTML tag without a problem. You can add HTML if there is no TWiki equivalent, for example, write <strike>deleted text</strike> to get deleted text.

ALERT! There are a few usability and technical considerations to keep in mind:

  • On collaboration pages, it's better not to use HTML, but to use TWiki shorthand instead - this keeps the text uncluttered and easy to edit.
  • If you use HTML use XHTML 1.0 Transitional syntax.
  • ALERT! Script tags may be filtered out, at the discretion of your TWiki administrator.

Recommendations when pasting HTML from other sources:

  • Copy only text between <body> and </body> tags.
  • Remove all empty lines. TWiki inserts <p /> paragraph tags on empty lines, which causes problems if done between HTML tags that do not allow paragraph tags, like for example between table tags.
  • Remove leading spaces. TWiki might interpret some text as lists.
  • Do not span a tag over more than one line. TWiki requires that the opening and closing angle brackets - <...> - of an HTML tag are on the same line, or the tag will be broken.
  • In your HTML editing program, save without hard line breaks on text wrap.

TIP TWiki converts shorthand notation to HTML for display. To copy a fully marked-up page, simply view the source in your browser and save the contents. If you need to save HTML frequently, you may want to check out TWiki:Plugins/PublishAddOn.

Script tags

You can use HTML <script> tags for your TWiki applications. However note that your TWiki administrator can disable <script> in topics, and may have chosen to do so for security considerations. TWiki markup and TWikiVariables are not expanded inside script tags.

Hyperlinks

Being able to create links without any special formatting is a core TWiki feature, made possible with WikiWords and inline URLs.

Internal Links

  • GoodStyle is a WikiWord that links to the GoodStyle topic located in the current web.

  • NotExistingYet? is a topic waiting to be written. Create the topic by clicking on the ?. (Try clicking, but then, Cancel - creating the topic would wreck this example!)

External Links

  • http://..., https://..., ftp://..., gopher://..., news://..., file://..., telnet://... and mailto:...@... are linked automatically.

  • E-mail addresses like name@domain.com are linked automatically.

  • [[Square bracket rules]] let you easily create non-WikiWord links.
    • You can also write [[http://yahoo.com Yahoo home page]] as an easier way of doing external links with descriptive text for the link, such as Yahoo home page.

TWiki Variables

TWiki Variables are names that are enclosed in percent signs % that are expanded on the fly. Some variables take arguments, such as %INCLUDE%. For those variables, the arguments are included in curly braces ({ and }).

Variable In brief Full documentation
%TOC% Automatically generates a table of contents based on headings in a topic - see the top of this page for an example. VarTOC
%WEB% The current web, is TWiki. VarWEB
%TOPIC% The current topic name, is TWikiDocumentation. VarTOPIC
%ATTACHURL% The attachment URL of the current topic. Example usage: If you attach a file to a topic you can refer to it as %ATTACHURL%/image.gif to show the URL of the file or the image in your text. VarATTACHURL
%INCLUDE{"SomeTopic"}% Server side include, includes another topic. The current web is the default web. Example: %INCLUDE{"TWiki.SiteMap"}% VarINCLUDE
%SEARCH{"sushi"}% Inline search showing the search result embedded in a topic. FormattedSearch gives you control over formatting, useful for creating web-based applications. VarSEARCH

TWikiPreferences defines some site-wide variables. Among them are:

  • Line break: Write %BR% to start a new line.
  • Colored text: Write: %RED% Red %ENDCOLOR% and %BLUE% blue %ENDCOLOR% colors to get: Red and blue colors.

There are many more variables. To see them all, go to TWikiVariables.

Documentation Graphics: There are many graphics available to use in your topics. Use %ICON{"help"}%, %ICON{"tip"|%, and %icon{"warning"}% to get: HELP, TIP, and ALERT!. To see all of the graphics available, see TWikiDocGraphics.

tip To "escape" a variable, prefix it with an exclamation mark. Write: !%SOMEVARIABLE% to get: %SOMEVARIABLE%.

TWikiPlugin Formatting Extensions

Plugins can extend the functionality of TWiki into many other areas. There are a huge number of TWiki plugins available from the Plugins web on TWiki.org.

Currently enabled plugins on this TWiki installation, as listed by %PLUGINDESCRIPTIONS%: