acl
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
acl [2011-01-16 13:35] – [Editing ACLs] 115.126.238.8 | acl [2017-09-05 10:29] – 183.16.192.248 | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Access Control Lists (ACL) ====== | + | ====== Access Control Lists (ACL)s ====== |
- | [[DokuWiki]] -- like most wikis --- is very open by default. Everyone is allowed to create, edit and delete pages. However sometimes it makes sense to restrict access to certain or all pages. This is when //Access Control | + | [[DokuWiki]] |
- | :!: **WARNING: | + | {{:aclexample.png? |
+ | ===== Configuration | ||
- | ===== Configuration | + | ACLs can be enabled in the [[installer]] |
- | ACLs can be enabled in the [[installer]] and an initial ACL policy is set there as well. To manually enable ACLs, switch on the [[config: | + | ==== See also ===== |
- | + | ||
- | ==== See also ==== | + | |
There are a few more config options and features that relate to authentication, | There are a few more config options and features that relate to authentication, | ||
Line 15: | Line 14: | ||
* Config option [[config: | * Config option [[config: | ||
* Config option [[config: | * Config option [[config: | ||
- | * Config option [[config:disableactions]] -- allows you to disable open registration | + | * Config option [[config:openregister]] -- allows you to disable open registration |
* Config option [[config: | * Config option [[config: | ||
* [[plugin: | * [[plugin: | ||
Line 21: | Line 20: | ||
* [[faq: | * [[faq: | ||
+ | :!: **WARNING: | ||
===== Access Restrictions ===== | ===== Access Restrictions ===== | ||
Line 30: | Line 30: | ||
When DokuWiki checks which rights it should give to a user, it uses all rules matching the user's name or the groups he or she is in. The rule that provides a user's permission is chosen according to the following process: | When DokuWiki checks which rights it should give to a user, it uses all rules matching the user's name or the groups he or she is in. The rule that provides a user's permission is chosen according to the following process: | ||
- | * Rules which match closer to the namespace: | + | * Rules which match closer to the namespace: |
* When more than one rule matches at the same level, the rule giving the highest access level is preferred. | * When more than one rule matches at the same level, the rule giving the highest access level is preferred. | ||
Users are in the groups they were assigned to in the user manager (or the auth backend). However there are two **groups** that are somewhat special: | Users are in the groups they were assigned to in the user manager (or the auth backend). However there are two **groups** that are somewhat special: | ||
- | * **@ALL**. Everyone, even users not logged in, is a member of the ALL group. You can use this group to restrict access for all users (as a default setting) and then relax the permissions for some selected users. | + | * **@ALL** Everyone, even users not logged in, is a member of the ALL group. You can use this group to restrict access for all users (as a default setting) and then relax the permissions for some selected users. |
- | * **@user**. All self-registered users are by default automatically a member of the group ' | + | * **@user** All self-registered users are by default automatically a member of the group ' |
Groups are represented internally and in the ACL manager by a prepended '' | Groups are represented internally and in the ACL manager by a prepended '' | ||
Line 50: | Line 50: | ||
* by selecting a known group or user from the dropdown menu | * by selecting a known group or user from the dropdown menu | ||
* or by selecting " | * or by selecting " | ||
- | - set the appropriate | + | - set the appropriate |
Existing rules can be modified or deleted in the table at the bottom of the ACL manager. | Existing rules can be modified or deleted in the table at the bottom of the ACL manager. | ||
- | 8-O | + | |
==== ACLs by Example ==== | ==== ACLs by Example ==== | ||
Line 65: | Line 65: | ||
- User //bigboss// is given full rights. | - User //bigboss// is given full rights. | ||
- Now the access for the '' | - Now the access for the '' | ||
- | - Well not nobody really -- we give members of the //devel// group full rights here. | + | - Well not nobody really---we give members of the //devel// group full rights here. |
- | - And of course //bigboss// is allowed, too -- and he's the only one who can delete uploaded files. | + | - And of course //bigboss// is allowed, too, and they're the only one who can delete uploaded files. |
- | - And the // | + | - And the // |
- | - However the devel guys don't want their boss to see the '' | + | - However the devel team doesn't want their boss to see the '' |
- | - And finally the // | + | - And finally the // |
- | - Then the permissions for the namespace '' | + | - Then the permissions for the namespace '' |
- | - The last line finally restricts the start page to readonly for everyone. | + | - The last line finally restricts the start page to readonly for everyone. Only superusers will be able to ever edit that page. |
Let's have a look at a second example to better understand **specific matching**: | Let's have a look at a second example to better understand **specific matching**: | ||
{{: | {{: | ||
+ | |||
+ | FIXME - Should the group be changed to @user in the table, which I thought was the default group? | ||
This time we look what rules will match for different users when trying to access the page '' | This time we look what rules will match for different users when trying to access the page '' | ||
Line 82: | Line 84: | ||
* three rules match, #1, #2, #4 | * three rules match, #1, #2, #4 | ||
* rule #4 is closest, it matches at the namespace level so it takes precedence over the other three | * rule #4 is closest, it matches at the namespace level so it takes precedence over the other three | ||
- | * abby's permissions level is 0 | + | * abby's permissions level is '' |
- bob, a regular user | - bob, a regular user | ||
* four rules match, #1, #2, #4, #6 | * four rules match, #1, #2, #4, #6 | ||
* rule #6 wins as its an exact match | * rule #6 wins as its an exact match | ||
- | * bob's permission level is 16 | + | * bob's permission level is '' |
- bob forgets to login and tries to access his page | - bob forgets to login and tries to access his page | ||
* two rules match, #1 & #4 | * two rules match, #1 & #4 | ||
* rule #4 is closer, it wins | * rule #4 is closer, it wins | ||
- | * bob's permission level while not logged in is 0 | + | * bob's permission level while not logged in is '' |
- charlie, a staff member | - charlie, a staff member | ||
- | * five rules match, #1 - #5 | + | * five rules match, #1--#5 |
* two rules match at namespace level, #5 gives charlie the higher permission so it wins | * two rules match at namespace level, #5 gives charlie the higher permission so it wins | ||
- | * charlie' | + | * charlie' |
- | + | ||
- | Note rule #5, which appears to duplicate rule #3. Without it, staff members wouldn't be able to access the private namespace as rule #4 would keep them out. | + | |
+ | Note rule #5, which appears to duplicate rule #3. Without it, staff members wouldn' | ||
===== Background Info ===== | ===== Background Info ===== | ||
Line 111: | Line 112: | ||
There are 7 permission levels represented by an integer. Higher levels include lower ones. If you can edit you can read, too. However the //admin// permission of //255// can not be used in the '' | There are 7 permission levels represented by an integer. Higher levels include lower ones. If you can edit you can read, too. However the //admin// permission of //255// can not be used in the '' | ||
- | ^ Name | + | ^ Name ^ Level ^ applies to ^ Permission ^ DokuWiki constant |
- | | none | + | | none | 0 | pages, namespaces |
- | | read | + | | read | 1 | pages, namespaces |
- | | edit | + | | edit | 2 | pages, namespaces |
- | | create | 4 | namespaces | + | | create |
- | | upload | 8 | namespaces | + | | upload |
- | | delete | 16 | namespaces | + | | delete |
- | | admin | 255 | admin plugins | + | | admin |
Here is an example setup matching the first example given above: | Here is an example setup matching the first example given above: | ||
Line 135: | Line 136: | ||
</ | </ | ||
- | Please note, that **order does not matter** in the file. The file is parsed as whole, then a perfect match for the current page/user combo is searched for. When a match is found further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found the check continues in the next higher namespace. | + | Please note that **order does not matter** in the file. The file is parsed as whole, then a perfect match for the current page/user combo is searched for. When a match is found further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found the check continues in the next higher namespace. |
:!: **Note:** To configure users or groups with special chars (like whitespaces) you need to URL escape them. This only applies to specialchars in the lower 128 byte range. The ACL file uses UTF-8 encoding so any multibytechars can be written as is. | :!: **Note:** To configure users or groups with special chars (like whitespaces) you need to URL escape them. This only applies to specialchars in the lower 128 byte range. The ACL file uses UTF-8 encoding so any multibytechars can be written as is. | ||
- | :!: **Note:** When using $conf[' | + | :!: **Note:** When using $conf[' |
+ | |||
+ | :!: **Note:** The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can only overwrite existing media files if the [[config: | ||
- | :!: **Note:** The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can not overwrite existing media files anymore. | ||
==== User Wildcards ==== | ==== User Wildcards ==== | ||
- | It is possible to use user wildcards in the ACLs. This can be useful for Wikis with many registered users, if you want to give each user a personal namespace where only he/she has write access, and you don't want to edit the ACLs for each user. To accomplish that **%USER%** is replaced by the username of the currently logged in user. \\ In the following example a logged in user gains full access (upload/ | + | It is possible to use user and group wildcards in the ACLs. This can be useful for Wikis with many registered users, if you want to give each user or group a personal namespace where only he/she has write access, and you don't want to edit the ACLs for each of them. To accomplish that **'' |
- | In this case logged in user has access to own namespace only and have not access to users namespaces (even view names of namespaces) of other users. | + | |
+ | In the following example a logged-in user gains full access (upload/ | ||
+ | |||
+ | In this case logged-in user has access to own namespace only and have not access to users namespaces (even view names of namespaces) of other users. | ||
< | < | ||
# | # | ||
# Grant full access to logged in user's namespace | # Grant full access to logged in user's namespace | ||
- | users: | + | user: |
# | # | ||
- | # Allow to browse own namespace via INDEX | + | # Allow to browse own namespace via the index |
- | users: %USER% | + | user: %USER% |
# | # | ||
- | # Allow read only access to start page located in < | + | # Allow read only access to start page located in " |
- | users: | + | user: |
# | # | ||
- | # Disable all access to user's home namespaces not owned by logged in user (include view namespaces via INDEX) | + | # Disable all access to user's home namespaces not owned by logged in user |
- | users:* | + | # (include view namespaces via the index) |
+ | user:* | ||
+ | # | ||
+ | # Allow members of ' | ||
+ | # BE CAREFUL, if you have a ' | ||
+ | # will gain access to it since %GROUP% will be replaced literally | ||
+ | %GROUP%: | ||
</ | </ | ||
- | :!: **Note: | + | :!: **Note:** version 2009-12-25c " |
- | + | ||
- | :!: **Note:** The wildcard was recently changed from @ to % -- if you are upgrading from an older version you need to adjust your ACL setup accordingly. | + | |
+ | :!: **Note:** The wildcard changed from @ to % in December 2008 -- if you are upgrading from an older version you need to adjust your ACL setup accordingly. |
acl.txt · Last modified: 2024-01-13 11:44 by Aleksandr