acl

Differences

This shows you the differences between two versions of the page.


acl [2011/01/06 02:15]
ach old revision restored
acl [2014/03/29 14:05] (current)
2001:4dd0:ff00:8eb9:a198:f49e:127c:420e old revision restored (2014/03/24 17:25)
Line 1: Line 1:
 ====== Access Control Lists (ACL) ====== ====== Access Control Lists (ACL) ======
 +[[DokuWiki]] -- like most wikis  --- is very open by default. Everyone is allowed to create, edit and delete pages. However ​sometimes it makes sense to restrict access to certain or all pages. This is when //Access Control List// (ACL) comes into play. This page should give you an overview of how ACLs work in DokuWiki and how they are configured.
  
-[[DokuWiki]] -- like most wikis --- is very open by default. Everyone is allowed to create, edit and delete pages. However sometimes it makes sense to restrict access to certain or all pages. This is when //Access Control Lists// (ACL) come to play. This page should give you an overview of how ACLs work in DokuWiki and how they are configured.+===== Configuration ​and Setup ===== 
  
-:!: **WARNING:​** DokuWiki'​s ACL feature has now been included for some time and should ​be pretty stableHoweverif you are concerned about the risk of unauthorized ​users accessing information in your wiki, you should never put it on a computer accessible from the Internet...+ACLs can be enabled in the [[installer]] and an initial ACL policy is set there as wellTo manually enable ACLsswitch on the [[config:​useacl]] option and create a copy of the example files '​​'​​conf/​​acl.auth.php.dist'​​'​​ and '​​'​​conf/​​users.auth.php.dist'​​'​.​ Rename ​the files to '​​'​​conf/​​acl.auth.php'​​'​​ and '​​'​​conf/​​users.auth.php'​​'​​ respectively.
  
- ===== Configuration and Setup ===== +==== See also =====
- +
-ACLs can be enabled in the [[installer]] and an initial ACL policy is set there as well. To manually enable ACLs, switch on the [[config:​useacl]] option and copy the example files ''​conf/​acl.auth.php.dist''​ and ''​conf/​users.auth.php.dist''​ to ''​conf/​acl.auth.php''​ and ''​conf/​users.auth.php''​ respectively. +
- +
-==== See also ====+
  
 There are a few more config options and features that relate to authentication,​ user registration and ACL setup. Please check their respective wiki pages to get more information:​ There are a few more config options and features that relate to authentication,​ user registration and ACL setup. Please check their respective wiki pages to get more information:​
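Review bot: The new heading `==== See also =====` opens with four equals signs and closes with five, while the line it replaces was balanced (`==== See also ====`); restore matching markers so the heading level is unambiguous. In the rewritten intro, "This is when //Access Control List// (ACL) comes into play" drops the plural used in the page title "Access Control Lists (ACL)"; "Lists ... come into play" would keep the two consistent.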
Line 21: Line 18:
   * [[faq:​regdisable|FAQ:​ How to disable open user registration]]   * [[faq:​regdisable|FAQ:​ How to disable open user registration]]
  
 +:!: **WARNING:​** DokuWiki'​s ACL feature has been included for some time and should be pretty stable. However, if you are concerned about the risk of unauthorized users accessing information in your wiki, you should never put it on a computer accessible from the Internet.
 ===== Access Restrictions ===== ===== Access Restrictions =====
  
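Review bot: The relocated warning is added directly above `===== Access Restrictions =====` with no blank line between them, and it now sits below the "See also" list instead of right after the introduction. For a notice about unauthorized users reaching wiki content, keeping it ahead of the setup steps makes it more likely to be read before ACLs are relied on; if it stays here, separate it from the heading with a blank line.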
Line 97: Line 94:
  
 Note rule #5, which appears to duplicate rule #3.  Without it, staff members wouldn'​t be able to access the private namespace as rule #4 would keep them out. Note rule #5, which appears to duplicate rule #3.  Without it, staff members wouldn'​t be able to access the private namespace as rule #4 would keep them out.
- 
  
 ===== Background Info ===== ===== Background Info =====
Line 135: Line 131:
 </​file>​ </​file>​
  
-Please notethat **order does not matter** in the file. The file is parsed as whole, then a perfect match for the current page/user combo is searched for. When a match is found further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found the check continues in the next higher namespace.+Please note that **order does not matter** in the file. The file is parsed as whole, then a perfect match for the current page/user combo is searched for. When a match is found further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found the check continues in the next higher namespace.
  
 :!: **Note:** To configure users or groups with special chars (like whitespaces) you need to URL escape them. This only applies to specialchars in the lower 128 byte range. The ACL file uses UTF-8 encoding so any multibytechars can be written as is. :!: **Note:** To configure users or groups with special chars (like whitespaces) you need to URL escape them. This only applies to specialchars in the lower 128 byte range. The ACL file uses UTF-8 encoding so any multibytechars can be written as is.
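Review bot: The corrected sentence still reads "The file is parsed as whole"; since this line is being touched anyway, change it to "as a whole". The two consecutive "If no match is found" sentences would also be clearer if the second said which match failed (the group permissions for the current page), because this paragraph is the only description of the lookup order an administrator has when reasoning about which rule wins.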
Line 142: Line 138:
  
 :!: **Note:** The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can not overwrite existing media files anymore. :!: **Note:** The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can not overwrite existing media files anymore.
 +
 ==== User Wildcards ==== ==== User Wildcards ====
  
-It is possible to use user wildcards in the ACLs. This can be useful for Wikis with many registered users, if you want to give each user a personal namespace where only he/she has write access, and you don't want to edit the ACLs for each user. To accomplish that **%USER%** is replaced by the username of the currently logged in user. \\ In the following example a logged in user gains full access (upload/​delete) permissions for the user's namespace ''​users:<​username>:​*''​ and revoke all access from other namespaces located in ''​users:​*''​ \\ +It is possible to use user and group wildcards in the ACLs. This can be useful for Wikis with many registered users, if you want to give each user or group a personal namespace where only he/she has write access, and you don't want to edit the ACLs for each of them. To accomplish that **''​%USER%''​** is replaced by the username of the currently logged in user and **''​%GROUP%''​** by all the groups of this user. 
-In this case logged in user has access to own namespace only and have not access to users namespaces (even view names of namespaces) of other users. ​+ 
 +In the following example a logged-in user gains full access (upload/​delete) permissions for the user's namespace ''​user:<​username>:​*''​ and revoke all access from other namespaces located in ''​user:​*''​.\\ In this case logged-in user has access to own namespace only and have not access to users namespaces (even view names of namespaces) of other users. ​
  
 <​file>​ <​file>​
 # #
 # Grant full access to logged in user's namespace # Grant full access to logged in user's namespace
-users:​%USER%:​* ​         %USER% ​ AUTH_DELETE+user:​%USER%:​* ​         %USER% ​ AUTH_DELETE
 # #
-# Allow to browse own namespace via INDEX +# Allow to browse own namespace via the index 
-users:                  %USER% ​ AUTH_READ+user:                  %USER% ​ AUTH_READ
 # #
-# Allow read only access to start page located in <​users> ​namespace  +# Allow read only access to start page located in "​user" ​namespace  
-users:​start ​            ​%USER% ​ AUTH_READ+user:​start ​            ​%USER% ​ AUTH_READ
 # #
-# Disable all access to user's home namespaces not owned by logged in user (include view namespaces via INDEX)  +# Disable all access to user's home namespaces not owned by logged in user  
-users:*                 ​@user ​  ​AUTH_NONE+(include view namespaces via the index)  
 +user:*                 ​@user ​  ​AUTH_NONE 
 +
 +# Allow members of '​group'​ to edit pages in the '​group'​ namespace. 
 +# be careful, if you have a user namespace, all members of the default group  
 +# will gain access to it 
 +%GROUP%:​* ​              ​%GROUP% AUTH_EDIT
 </​file>​ </​file>​
  
-:!: **Note:​** ​current ​version 2009-12-25c "​Lemming"​ has some caveat. If you add, update or remove ACL from GUI admin interface then DokuWiKi ​engine ​will replace %USER% in the second field of ACL to %25USER%25 ​that is [[http://​bugs.splitbrain.org/​index.php?​do=details&​task_id=1955|bug FS#1955]]. To avoid itchange permissions manually only (file: ''​conf/​acl.auth.php''​) or correct them manually after each operations with ACL from GUI because ​mask %25USER%25 does not work as expected, only %USER% should be used in the ''​conf/​acl.auth.php''​. ​ +:!: **Note:** version 2009-12-25c "​Lemming"​ has some caveat. If you add, update or remove ACL entries ​from the admin interface then DokuWiKi will replace %USER% in the second field of the ACL to ''​%25USER%25''​ (this is [[http://​bugs.dokuwiki.org/​index.php?​do=details&​task_id=1955|bug FS#1955]]). To avoid this, change permissions manually only (by editing: ''​conf/​acl.auth.php''​) or correct them manually after each operation in the admin interface ​because ​''​%25USER%25'' ​does not work as expected, only ''​%USER%'' ​should be used in the ''​conf/​acl.auth.php''​. ​This bug is fixed in newer versions.
- +
-:!: **Note:** The wildcard was recently changed from @ to % -- if you are upgrading from an older version you need to adjust your ACL setup accordingly.+
  
 +:!: **Note:** The wildcard changed from @ to % in December 2008 -- if you are upgrading from an older version you need to adjust your ACL setup accordingly.
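Review bot: In the new `<file>` block the comment "# Disable all access to user's home namespaces not owned by logged in user" is split, and its continuation "(include view namespaces via the index)" starts without a leading `#`, so anyone copying the example into `conf/acl.auth.php` gets a non-comment line in the ACL file; prefix it with `#` or rejoin it with the line above. The added `%GROUP%:* %GROUP% AUTH_EDIT` rule also interacts with the rename from `users:` to `user:` in this same hunk: as its own comment says, members of the default group gain access to a namespace named after that group, which is now the `user:*` tree that the `@user AUTH_NONE` rule just above is meant to close off. Either keep the personal namespaces under a name that does not match a group, or move that caution out of the file comment into the prose so it is not missed. Minor wording: "revoke all access" should be "revokes", and "have not access to" should be "has no access to".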
acl.1294276544.txt.gz · Last modified: 2011/01/06 02:15 by ach