DokuWiki


acl

Differences

This shows you the differences between two versions of the page.

acl [2020-11-22 07:07]
– old revision restored (2019-10-31 10:06) Aleksandr
acl [2022-04-05 17:35] (current)
– [ACLs by Example] - The former description of the first ACL example was not completely correct. And, I added further clarifications as well. 2001:1c04:2a92:5f00:249c:704f:cb88:6096
Line 7: Line 7:
 ===== Configuration and Setup =====  ===== Configuration and Setup ===== 
  
-ACLs can be enabled in the [[installer]] and an initial ACL policy is set there as well. To manually enable ACLs, switch on the [[config:useacl]] option and create a copy of the example files ''conf/​acl.auth.php.dist''​ and ''​conf/​users.auth.php.dist''.​ Rename the files to ''​conf/​acl.auth.php''​ and ''​conf/​users.auth.php''​ respectively.+ACLs can be enabled in the [[installer]] and an initial ACL policy is set there as well. To manually enable ACLs, switch on the [[config:useacl]] option and create a copy of the example files ''conf/​acl.auth.php.dist''​ and ''​conf/​users.auth.php.dist''.​ Rename the files to ''​conf/​acl.auth.php''​ and ''​conf/​users.auth.php'' respectively. 
  
 +
 +Example of a minimal ''​conf/​users.auth.php'' file for a user ''admin'' with the password ''admin''. If you use it, be sure to change the password afterwards.
 +
 +<file php conf/​users.auth.php>
 +# login:passwordhash:Real Name:email:groups,comma,separated
 +
 +admin:$2y$10$P5YH8uIM2uAE9snRq32yAuHMb4/XAzksFd5Cakqqtsw9BWeSsyLZq:admin:admin@admin.com:admin,user
 +</file>
 ==== See also ===== ==== See also =====
  
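Review bot: The added ''conf/users.auth.php'' sample publishes a working credential. The line beginning ''admin:$2y$10$'' gives the user ''admin'' the password ''admin'', with a hash anyone can copy, and puts that account in the ''admin'' and ''user'' groups. The only safeguard is the sentence "If you use it, be sure to change the password afterwards", which sits above the block and is easy to lose once the file has been pasted into place. Suggest putting a placeholder in the hash field and telling the reader to generate their own hash, or at minimum wording the warning as a required step and repeating it as a comment inside the file block. The sample address ''admin@admin.com'' also looks like a real domain; a reserved one such as ''example.com'' would be a safer choice.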
Line 65: Line 73:
   - User //bigboss// is given full rights.   - User //bigboss// is given full rights.
   - Now the access for the ''devel'' namespace is restricted. Nobody is allowed to do anything.   - Now the access for the ''devel'' namespace is restricted. Nobody is allowed to do anything.
-  - Well not nobody really---we give members of the //devel// group full rights here. +  - Well not nobody really---we give members of the //devel// group almost full rights here. Deleting files however is not allowed
-  - And of course //bigboss// is allowed, too, and they're the only one who can delete uploaded files. +  - User //bigboss// however is allowed full access to the ''devel'' namespace. He/she can even delete uploaded files. 
-  - And the //marketing// group may read everything in the ''devel'' namespace, but read only.+  - The //marketing// group may read everything in the ''devel'' namespace, but cannot edit or create pages.
   - However the devel team doesn't want their boss to see the ''funstuff'' page---remember exact pagematches override namespace permissions.   - However the devel team doesn't want their boss to see the ''funstuff'' page---remember exact pagematches override namespace permissions.
-  - And finally the //marketing// group is allowed to edit the ''devel:marketing'' page as well. +  - And finally the //marketing// group is allowed to edit the ''devel:marketing'' page as well. (This page could however not have been created by them.) 
-  - Then the permissions for the namespace ''marketing'' are set. All members of the //marketing// group are allowed to upload there---other users will be matched by line 1 so they can still create and edit. //bigboss// inherits their rights from line 2 so they can still upload and delete files. +  - Then the permissions for the namespace ''marketing'' are set. All members of the //marketing// group are allowed to upload there  
-  - The last line finally restricts the start page to readonly for everyone. Only superusers will be able to ever edit that page.+    * other users will be matched by line #1 so they can still create and edit.  
 +    * Rights for //bigboss// are inherited from line #2 so this user can still upload and delete files. (No wonder that everyone would like to be the //bigboss//.) 
 +  - The last line finally restricts the start page to readonly for everyone. Even for //bigboss//. Only superusers will be able to ever edit that page.
  
 Let's have a look at a second example to better understand **specific matching**: Let's have a look at a second example to better understand **specific matching**:
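Review bot: In the ''devel:marketing'' item, the added parenthetical "(This page could however not have been created by them.)" reads as a remark about the page's history rather than a statement about permissions. Suggest saying it directly, for example that the //marketing// group can edit the page once it exists but cannot create it, which matches the preceding item ("cannot edit or create pages"). The //devel// group item would also be easier to check against the ACL line if it named the permission level instead of "almost full rights", and its last sentence is missing the closing period. Smaller points in the same hunk: "He/she" is inconsistent with "this user" used two items later; the sub-bullets under the ''marketing'' namespace item start mid-sentence ("other users will be matched by line #1") after a parent line that has no closing punctuation; and the aside "(No wonder that everyone would like to be the //bigboss//.)" adds nothing to the ACL explanation and could be dropped.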
acl.1606025225.txt.gz · Last modified: 2020-11-22 07:07 by Aleksandr

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International