DokuWiki

It's better when it's simple


acl

Differences

This shows you the differences between two versions of the page.

acl [2014-10-20 12:14]
183.87.144.45
acl [2019-03-02 19:01] (current)
turnermm [See also]
Line 1: Line 1:
-====== Access Control Lists (ACL) ====== +====== Access Control Lists (ACL)====== 
-[[DokuWiki]]---like most wikis---is very open by default. Everyone is allowed to create, edit and delete pages. However ​sometimes it makes sense to restrict access to certain or all pages. This is when //Access Control List// (ACL) comes into play. This page should give you an overview of how ACLs work in DokuWiki and how they are configured.+ 
 +[[DokuWiki]] --- like most wikis --- is very open by default. Everyone is allowed to create, edit and delete pages. However ​sometimes it makes sense to restrict access to certain or all pages. This is when the //Access Control List// (ACL) comes into play. This page gives an overview of how ACLs work in DokuWiki and how they are configured. 
 + 
 +{{:​aclexample.png?​400|}}
  
 ===== Configuration and Setup =====  ===== Configuration and Setup ===== 
  
 ACLs can be enabled in the [[installer]] and an initial ACL policy is set there as well. To manually enable ACLs, switch on the [[config:​useacl]] option and create a copy of the example files '​​'​​conf/​​acl.auth.php.dist'​​'​​ and '​​'​​conf/​​users.auth.php.dist'​​'​.​ Rename the files to '​​'​​conf/​​acl.auth.php'​​'​​ and '​​'​​conf/​​users.auth.php'​​'​​ respectively. ACLs can be enabled in the [[installer]] and an initial ACL policy is set there as well. To manually enable ACLs, switch on the [[config:​useacl]] option and create a copy of the example files '​​'​​conf/​​acl.auth.php.dist'​​'​​ and '​​'​​conf/​​users.auth.php.dist'​​'​.​ Rename the files to '​​'​​conf/​​acl.auth.php'​​'​​ and '​​'​​conf/​​users.auth.php'​​'​​ respectively.
 +
 ==== See also ===== ==== See also =====
  
 There are a few more config options and features that relate to authentication,​ user registration and ACL setup. Please check their respective wiki pages to get more information:​ There are a few more config options and features that relate to authentication,​ user registration and ACL setup. Please check their respective wiki pages to get more information:​
  
-  * Config option [[config:​useacl]] - enable ACL usage +  * Config option [[config:​useacl]] ​-- enable ACL usage 
-  * Config option [[config:​superuser]] - setup superusers with ACL granting rights +  * Config option [[config:​superuser]] ​-- setup superusers with ACL granting rights  
-  * Config option [[config:disableactions]] - allows you to disable open registration +  * Config option [[config:defaultgroup]] -- the default group to which new users are added 
-  * Config option [[config:​defaultgroup]] ​- the default group to which new users are added +  * [[plugin:​usermanager|User Manager]] ​-- managing users 
-  * [[plugin:​usermanager|User Manager]] - managing users +  * [[auth|Authentication Backends]] ​-- identify users from different data sources 
-  * [[auth|Authentication Backends]] - identify users from different data sources +  * [[faq:​regdisable|FAQ:​ How to disable open user registration]] -- replaces $conf[openregister]
-  * [[faq:​regdisable|FAQ:​ How to disable open user registration]]+
  
 :!: **WARNING:​** DokuWiki'​s ACL feature has been included for some time and should be pretty stable. However, if you are concerned about the risk of unauthorized users accessing information in your wiki, you should never put it on a computer accessible from the Internet. :!: **WARNING:​** DokuWiki'​s ACL feature has been included for some time and should be pretty stable. However, if you are concerned about the risk of unauthorized users accessing information in your wiki, you should never put it on a computer accessible from the Internet.
- 
  
 ===== Access Restrictions ===== ===== Access Restrictions =====
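Review bot: In the See also list, the [[config:disableactions]] bullet is dropped and no other bullet links to that option; the FAQ bullet now ends with "replaces $conf[openregister]" without naming the setting that replaces it. Self-registered users land in the default group automatically, so keep a direct pointer to the option that controls registration, for example by naming it in the FAQ bullet. Separately, the new title "====== Access Control Lists (ACL)======" loses the space before the closing markers, and the added {{:aclexample.png?400|}} has an empty caption.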
Line 33: Line 35:
 Users are in the groups they were assigned to in the user manager (or the auth backend). However there are two **groups** that are somewhat special: Users are in the groups they were assigned to in the user manager (or the auth backend). However there are two **groups** that are somewhat special:
  
-  * **@ALL**Everyone, even users not logged in, is a member of the ALL group. You can use this group to restrict access for all users (as a default setting) and then relax the permissions for some selected users.  +  * **@ALL** Everyone, even users not logged in, is a member of the ALL group. You can use this group to restrict access for all users (as a default setting) and then relax the permissions for some selected users.  
-  * **@user**All self-registered users are by default automatically a member of the group '​user'​. Use this to give permissions to '​logged-in'​ users. The name of this group is configured through the [[config:​defaultgroup]] option. Unlike the virtual "​ALL"​ group, the "​user"​ group is a real group to which all users are added automatically when using the plain auth backend. If you use a different backend you need to use the groups provided by this backend.+  * **@user** All self-registered users are by default automatically a member of the group '​user'​. Use this to give permissions to '​logged-in'​ users. The name of this group is configured through the [[config:​defaultgroup]] option. Unlike the virtual "​ALL"​ group, the "​user"​ group is a real group to which all users are added automatically when using the plain auth backend. If you use a different backend you need to use the groups provided by this backend.
  
 Groups are represented internally and in the ACL manager by a prepended ''​@''​ character to the group name. Groups are represented internally and in the ACL manager by a prepended ''​@''​ character to the group name.
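Review bot: On the **@ALL** and **@user** bullets, a single space after the bold name still leaves the name running into the sentence ("**@ALL** Everyone, even users not logged in, ..."). Use the same "--" separator the See also list now uses, or a colon, so the group name reads as the term being defined.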
Line 48: Line 50:
     * by selecting a known group or user from the dropdown menu     * by selecting a known group or user from the dropdown menu
     * or by selecting "​User:"​ or "​Group:"​ and entering the group or user name in the field     * or by selecting "​User:"​ or "​Group:"​ and entering the group or user name in the field
-  - set the appropriate ​permission+  - set the appropriate ​permissions
  
 Existing rules can be modified or deleted in the table at the bottom of the ACL manager. Existing rules can be modified or deleted in the table at the bottom of the ACL manager.
Line 64: Line 66:
   - Now the access for the ''​devel''​ namespace is restricted. Nobody is allowed to do anything.   - Now the access for the ''​devel''​ namespace is restricted. Nobody is allowed to do anything.
   - Well not nobody really---we give members of the //devel// group full rights here.   - Well not nobody really---we give members of the //devel// group full rights here.
-  - And of course //bigboss// is allowed, too, and he'the only one who can delete uploaded files. +  - And of course //bigboss// is allowed, too, and they're the only one who can delete uploaded files. 
-  - And the //​marketing// ​team may read everything in the ''​devel''​ namespace, but read only. +  - And the //​marketing// ​group may read everything in the ''​devel''​ namespace, but read only. 
-  - However the devel guys don't want their boss to see the ''​funstuff''​ page---remember exact pagematches override namespace permissions. +  - However the devel team doesn't want their boss to see the ''​funstuff''​ page---remember exact pagematches override namespace permissions. 
-  - And finally the //​marketing// ​guys are allowed to edit the ''​devel:​marketing''​ page as well. +  - And finally the //​marketing// ​group is allowed to edit the ''​devel:​marketing''​ page as well. 
-  - Then the permissions for the namespace ''​marketing''​ are set. All members of the //​marketing//​ group are allowed to upload there---other users will be matched by line 1 so they can still create and edit. //bigboss// inherits ​his rights from line 2 so he can upload and delete files.+  - Then the permissions for the namespace ''​marketing''​ are set. All members of the //​marketing//​ group are allowed to upload there---other users will be matched by line 1 so they can still create and edit. //bigboss// inherits ​their rights from line 2 so they can still upload and delete files.
   - The last line finally restricts the start page to readonly for everyone. Only superusers will be able to ever edit that page.   - The last line finally restricts the start page to readonly for everyone. Only superusers will be able to ever edit that page.
  
Line 74: Line 76:
  
 {{:​aclexample2.png}} {{:​aclexample2.png}}
 +
 +FIXME - Should the group be changed to @user in the table, which I thought was the default group?
  
 This time we look what rules will match for different users when trying to access the page ''​private:​bobspage''​. This time we look what rules will match for different users when trying to access the page ''​private:​bobspage''​.
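Review bot: The added FIXME line puts an open question ("Should the group be changed to @user in the table, which I thought was the default group?") into the body of the page, directly under the worked example it doubts. Resolve it before saving: check the screenshot against the [[config:defaultgroup]] description earlier on the page and either correct the table or drop the line, and take the question to the discussion page if it cannot be settled now. As it stands, a reader copying rules from this example cannot tell which group name is meant.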
Line 108: Line 112:
 There are 7 permission levels represented by an integer. Higher levels include lower ones. If you can edit you can read, too. However the //admin// permission of //255// can not be used in the ''​conf/​acl.auth.php''​ file. It is only used internally by matching against the [[config:​superuser]] option. There are 7 permission levels represented by an integer. Higher levels include lower ones. If you can edit you can read, too. However the //admin// permission of //255// can not be used in the ''​conf/​acl.auth.php''​ file. It is only used internally by matching against the [[config:​superuser]] option.
  
-^ Name   ​^ Level ^ applies to        ^ Permission ​                              ​^ DokuWiki constant ^ +^ Name    ^ Level  ^ applies to ^ Permission ^ DokuWiki constant ​ 
-| none   ​|  0    | pages, namespaces | no permission---complete lock out        | AUTH_NONE ​        ​+| none    |  0  | pages, namespaces ​ | no permission---complete lock out  | AUTH_NONE ​ 
-| read   ​|  1    | pages, namespaces | read permission ​                         | AUTH_READ ​        ​+| read    |  1  | pages, namespaces ​ | read permission ​ | AUTH_READ ​ 
-| edit   ​|  2    | pages, namespaces | existing pages may be edited ​            ​| AUTH_EDIT ​        ​+| edit    |  2  | pages, namespaces ​ | existing pages may be edited | AUTH_EDIT ​ 
-| create |  4    | namespaces ​       | new pages can be created ​                ​| AUTH_CREATE ​      ​+| create ​ |  4  | namespaces | new pages can be created | AUTH_CREATE ​ 
-| upload |  8    | namespaces ​       | mediafiles may be uploaded ​              ​| AUTH_UPLOAD ​      ​+| upload ​ |  8  | namespaces | mediafiles may be uploaded | AUTH_UPLOAD ​ 
-| delete |  16   | namespaces ​       | mediafiles may be overwritten or deleted | AUTH_DELETE ​      ​+| delete ​ |  16   | namespaces | mediafiles may be overwritten or deleted | AUTH_DELETE ​ 
-| admin  |  255  | admin plugins ​    ​| superuser((see [[config:​superuser]])) can change admin settings ​     | AUTH_ADMIN ​       |+| admin   ​|  255  | admin plugins ​ | superuser((see [[config:​superuser]])) can change admin settings ​ | AUTH_ADMIN |
  
 Here is an example setup matching the first example given above: Here is an example setup matching the first example given above:
Line 138: Line 142:
 :!: **Note:** When using $conf['​authtype'​] = '​ad';​ and groups names with spaces needing to be written in the acl.auth.php with a "​%5f"​ replacing the spaces instead of "​%20"​. This is because Group names with spaces are first converted into underscores "​_"​ which are "​%5f"​. :!: **Note:** When using $conf['​authtype'​] = '​ad';​ and groups names with spaces needing to be written in the acl.auth.php with a "​%5f"​ replacing the spaces instead of "​%20"​. This is because Group names with spaces are first converted into underscores "​_"​ which are "​%5f"​.
  
-:!: **Note:** The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can not overwrite existing media files anymore.+:!: **Note:** The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can only overwrite existing media files if the [[config:​mediarevisions|media revisions]] option is enabled.
  
 ==== User Wildcards ==== ==== User Wildcards ====
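Review bot: The rewritten delete note now says an upload-only user "can only overwrite existing media files if the [[config:mediarevisions|media revisions]] option is enabled", which reverses the previous "can not overwrite existing media files anymore", yet the permission table above still lists overwriting under delete (16) only. Reconcile the note with the table, and state from which release the new behaviour applies so that admins who set up upload (8) rules under the old wording can check them.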
Line 144: Line 148:
 It is possible to use user and group wildcards in the ACLs. This can be useful for Wikis with many registered users, if you want to give each user or group a personal namespace where only he/she has write access, and you don't want to edit the ACLs for each of them. To accomplish that **''​%USER%''​** is replaced by the username of the currently logged in user and **''​%GROUP%''​** by all the groups of this user. It is possible to use user and group wildcards in the ACLs. This can be useful for Wikis with many registered users, if you want to give each user or group a personal namespace where only he/she has write access, and you don't want to edit the ACLs for each of them. To accomplish that **''​%USER%''​** is replaced by the username of the currently logged in user and **''​%GROUP%''​** by all the groups of this user.
  
-In the following example a logged-in user gains full access (upload/​delete) permissions for the user's namespace ''​user:<​username>:​*''​ and revoke all access from other namespaces located in ''​user:​*''​.\\ In this case logged-in user has access to own namespace only and have not access to users namespaces (even view names of namespaces) of other users. ​+In the following example a logged-in user gains full access (upload/​delete) permissions for the user's namespace ''​user:<​username>:​*''​ and revoke all access from other namespaces located in ''​user:​*''​. 
 + 
 +In this case logged-in user has access to own namespace only and have not access to users namespaces (even view names of namespaces) of other users. ​
  
 <​file>​ <​file>​
 # #
 # Grant full access to logged in user's namespace # Grant full access to logged in user's namespace
-user:​%USER%:​* ​         %USER%  ​AUTH_DELETE+user:​%USER%:​* ​         %USER%  ​16
 # #
 # Allow to browse own namespace via the index # Allow to browse own namespace via the index
-user:                  %USER%  ​AUTH_READ+user:                  %USER%  ​1
 # #
 # Allow read only access to start page located in "​user"​ namespace ​ # Allow read only access to start page located in "​user"​ namespace ​
-user:​start ​            ​%USER%  ​AUTH_READ+user:​start ​            ​%USER%  ​1
 # #
 # Disable all access to user's home namespaces not owned by logged in user  # Disable all access to user's home namespaces not owned by logged in user 
 # (include view namespaces via the index) ​ # (include view namespaces via the index) ​
-user:​* ​                ​@user ​  AUTH_NONE+user:​* ​                ​@user ​  0
 # #
 # Allow members of '​group'​ to edit pages in the '​group'​ namespace. # Allow members of '​group'​ to edit pages in the '​group'​ namespace.
-be careful, if you have a user namespace, all members of the default group  +BE CAREFUL, if you have a 'user' ​namespace, all members of the default group  
-# will gain access to it +# will gain access to it since %GROUP% will be replaced literally 
-%GROUP%:​* ​              ​%GROUP% ​AUTH_EDIT+%GROUP%:​* ​              ​%GROUP% ​2
 </​file>​ </​file>​
  
-:!: **Note:** version 2009-12-25c "​Lemming"​ has some caveat. If you add, update or remove ACL entries from the admin interface then DokuWiKi ​will replace %USER% in the second field of the ACL to ''​%25USER%25''​ (this is [[http://​bugs.dokuwiki.org/​index.php?​do=details&​task_id=1955|bug FS#1955]]). To avoid this, change permissions manually only (by editing: ''​conf/​acl.auth.php''​) or correct them manually after each operation in the admin interface because ''​%25USER%25''​ does not work as expected, only ''​%USER%''​ should be used in the ''​conf/​acl.auth.php''​. This bug is fixed in newer versions.+:!: **Note:** version 2009-12-25c "​Lemming"​ has some caveat. If you add, update or remove ACL entries from the admin interface then DokuWiki ​will replace %USER% in the second field of the ACL to ''​%25USER%25''​ (this is [[https://​bugs.dokuwiki.org/​index.php?​do=details&​task_id=1955|bug FS#1955]]). To avoid this, change permissions manually only (by editing: ''​conf/​acl.auth.php''​) or correct them manually after each operation in the admin interface because ''​%25USER%25''​ does not work as expected, only ''​%USER%''​ should be used in the ''​conf/​acl.auth.php''​. This bug is fixed in newer versions.
  
 :!: **Note:** The wildcard changed from @ to % in December 2008 -- if you are upgrading from an older version you need to adjust your ACL setup accordingly. :!: **Note:** The wildcard changed from @ to % in December 2008 -- if you are upgrading from an older version you need to adjust your ACL setup accordingly.
- 
- 
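Review bot: In the <file> example, the expanded warning ("since %GROUP% will be replaced literally") sits next to two rules that collide: "user:* @user 0" and, once %GROUP% becomes "user", "%GROUP%:* %GROUP% 2". The comment should say which of the two applies to a member of the default group, or the example should drop or rename one of them so that it is safe to copy as is. The newly split paragraph also needs a grammar pass ("have not access to users namespaces").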
acl.1413800059.txt.gz · Last modified: 2014-10-20 12:14 (external edit)