X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/bc509a3119ee5c3704ad47e920bbba28f0b052f8..5397cca7350747805cf47df05e63f18ac6746bf2:/doc/todo/Zoned_ikiwiki.mdwn diff --git a/doc/todo/Zoned_ikiwiki.mdwn b/doc/todo/Zoned_ikiwiki.mdwn index d618aec3c..76b2b69c7 100644 --- a/doc/todo/Zoned_ikiwiki.mdwn +++ b/doc/todo/Zoned_ikiwiki.mdwn @@ -67,6 +67,12 @@ a private zone needs only a `.htaccess` file with `Deny from All` or `Require all denied` (or other equivalent directive for the `http` server in use), and a `403` error handler of `{$cgiurl}?do=view`. +The plugin emits response headers intended to discourage non-private caches +from retaining the retrieved content. (They are already supposed to avoid +caching any response to a request with an `Authorization` header, but this +plugin can be used with any ikiwiki-supported auth method, not all of which +require that header.) + A plugin like [[plugins/contrib/pagespec_alias]] can be very useful for defining a group of authorized users: @@ -91,7 +97,21 @@ A plugin implementing a [FastCGI](http://www.fastcgi.com/) [Authorizer](http://www.fastcgi.com/drupal/node/6?q=node/22#S6.3) could provide the same benefits as [[plugins/contrib/signinview]] (any ikiwiki-supported auth method, simple zone definition with [[ikiwiki/PageSpec]]s) with less overhead -per access. +per access. It would also be simpler than [[plugins/contrib/signinview]] by +leaving it as the `http` server's responsibility to generate the proper headers +and serve the content. + +Caching proxies are already supposed to avoid caching any response to a request +that included an `Authorization` header. For some ikiwiki-supported auth methods, +that header might not be needed in the request, and care may be needed to configure +the server to emit other necessary response headers to discourage caching of +content from a private zone. + +*Drawbacks:* Not yet implemented, someone would have to do it. +It's not clear [[what code changes fastcgi|todo/fastcgi or modperl installation instructions]] +would require in ikiwiki. An Authorizer seems like a good place to start because of its +limited, simple functionality--but as it could make use of any ikiwiki-supported auth method, +evaluate `PageSpec`s, and the like, it could still run a non-trivial amount of the code. ## Obstacles @@ -103,6 +123,18 @@ but I'll begin it here. Note that not all of these issues will be problems for all **zoned ikiwiki use cases**. +### Leakage of page existence by `do=goto` + +An unauthorized client can use a `do=goto` request to find out whether a +page exists (will be forbidden to view it) or not (will be forbidden to create it). + +In [[plugins/contrib/signinview]] this is handled by hooking +`cgi` first and checking for `goto` and a non-public page. If the requested page +(existing or not) matches the `public_pages` PageSpec, it is handed off for the `goto` +plugin to handle normally. Otherwise, the `do` parameter is changed to `signingoto` +so the `goto` plugin's `cgi` hook will _not_ handle it, and the `sessioncgi` hook +takes care of it when the user's identity is available. + ### Backlinks What is problematic is when you link a public page in a private page : @@ -234,3 +266,10 @@ review of the code and plugins (including third-party plugins) to complete. * Not to forget `contrib` plugins * [[plugins/contrib/report]] ? * _others_? + +Note that, _with_ the right controls on who can edit the pages and insert +the directives, the fact that a public page can inline stuff from private +pages can be very useful. Public pages can be created that are populated +by selected content that's maintained on the private side. The [[ikiwiki/directive/if]] +directive can be used in the private content to control what parts can be +inlined into public pages. All of this is in ikiwiki today.