acl
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
acl [2016-09-21 12:45] – 46.237.130.38 | acl [2024-01-13 11:44] (current) – old revision restored (2023-06-28 11:12) Aleksandr | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Access Control Lists (ACL) ====== | + | ====== Access Control Lists (ACL)s ====== |
[[DokuWiki]] --- like most wikis --- is very open by default. Everyone is allowed to create, edit and delete pages. However sometimes it makes sense to restrict access to certain or all pages. This is when the //Access Control List// (ACL) comes into play. This page gives an overview of how ACLs work in DokuWiki and how they are configured. | [[DokuWiki]] --- like most wikis --- is very open by default. Everyone is allowed to create, edit and delete pages. However sometimes it makes sense to restrict access to certain or all pages. This is when the //Access Control List// (ACL) comes into play. This page gives an overview of how ACLs work in DokuWiki and how they are configured. | ||
Line 6: | Line 6: | ||
===== Configuration and Setup ===== | ===== Configuration and Setup ===== | ||
- | ACLs can be enabled in the [[installer]] and an initial ACL policy is set there as well. To manually enable ACLs, switch on the [[config: | + | ACLs can be enabled in the [[installer]] and an initial ACL policy is set there as well. To manually enable ACLs, switch on the [[config: |
+ | |||
+ | Example of a minimal '' | ||
+ | |||
+ | <file php conf/ | ||
+ | # login: | ||
+ | |||
+ | admin: | ||
+ | </ | ||
==== See also ===== | ==== See also ===== | ||
Line 13: | Line 21: | ||
* Config option [[config: | * Config option [[config: | ||
- | * Config option [[config: | + | * Config option [[config: |
- | * Config option [[config: | + | |
* Config option [[config: | * Config option [[config: | ||
* [[plugin: | * [[plugin: | ||
* [[auth|Authentication Backends]] -- identify users from different data sources | * [[auth|Authentication Backends]] -- identify users from different data sources | ||
- | * [[faq: | + | * [[faq: |
:!: **WARNING: | :!: **WARNING: | ||
Line 50: | Line 57: | ||
* by selecting a known group or user from the dropdown menu | * by selecting a known group or user from the dropdown menu | ||
* or by selecting " | * or by selecting " | ||
- | - set the appropriate | + | - set the appropriate |
Existing rules can be modified or deleted in the table at the bottom of the ACL manager. | Existing rules can be modified or deleted in the table at the bottom of the ACL manager. | ||
Line 65: | Line 72: | ||
- User //bigboss// is given full rights. | - User //bigboss// is given full rights. | ||
- Now the access for the '' | - Now the access for the '' | ||
- | - Well not nobody really---we give members of the //devel// group full rights here. | + | - Well not nobody really---we give members of the //devel// group almost |
- | - And of course | + | - User // |
- | - And the // | + | - The // |
- However the devel team doesn' | - However the devel team doesn' | ||
- | - And finally the // | + | - And finally the // |
- | - Then the permissions for the namespace '' | + | - Then the permissions for the namespace '' |
- | - The last line finally restricts the start page to readonly for everyone. Only superusers will be able to ever edit that page. | + | * other users will be matched by line #1 so they can still create and edit. |
+ | * Rights for // | ||
+ | - The last line finally restricts the start page to readonly for everyone. Even for //bigboss//. Only superusers will be able to ever edit that page. | ||
Let's have a look at a second example to better understand **specific matching**: | Let's have a look at a second example to better understand **specific matching**: | ||
Line 77: | Line 86: | ||
{{: | {{: | ||
- | FIXME - Should the group be changed to @user in the table, which I thought was the default group? | ||
This time we look what rules will match for different users when trying to access the page '' | This time we look what rules will match for different users when trying to access the page '' | ||
Line 138: | Line 146: | ||
Please note that **order does not matter** in the file. The file is parsed as whole, then a perfect match for the current page/user combo is searched for. When a match is found further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found the check continues in the next higher namespace. | Please note that **order does not matter** in the file. The file is parsed as whole, then a perfect match for the current page/user combo is searched for. When a match is found further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found the check continues in the next higher namespace. | ||
- | :!: **Note: | + | :!: **Note: |
+ | |||
+ | ==== User/Group Encoding ==== | ||
+ | |||
+ | Because the ACL configuration uses a few special | ||
+ | |||
+ | When you use the ACL Manager you don't have to think about this, it will do it automatically for you. | ||
+ | |||
+ | When manually editing ACLs, user and group names need to be encoded. Internally this is done using the [[xref> | ||
+ | |||
+ | The encoding uses URL encoding for all non-letter/ | ||
+ | |||
+ | Example: '' | ||
- | :!: **Note:** When using $conf[' | ||
- | :!: **Note:** The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can not overwrite existing media files anymore. | ||
==== User Wildcards ==== | ==== User Wildcards ==== | ||
Line 155: | Line 174: | ||
# | # | ||
# Grant full access to logged in user's namespace | # Grant full access to logged in user's namespace | ||
- | user: | + | user: |
# | # | ||
# Allow to browse own namespace via the index | # Allow to browse own namespace via the index | ||
- | user: %USER% | + | user: %USER% |
# | # | ||
# Allow read only access to start page located in " | # Allow read only access to start page located in " | ||
- | user: | + | user: |
# | # | ||
# Disable all access to user's home namespaces not owned by logged in user | # Disable all access to user's home namespaces not owned by logged in user | ||
# (include view namespaces via the index) | # (include view namespaces via the index) | ||
- | user: | + | user: |
# | # | ||
# Allow members of ' | # Allow members of ' | ||
- | # be careful, if you have a user namespace, all members of the default group | + | # BE CAREFUL, if you have a 'user' |
- | # will gain access to it | + | # will gain access to it since %GROUP% will be replaced literally |
- | %GROUP%: | + | %GROUP%: |
</ | </ | ||
acl.1474454717.txt.gz · Last modified: 2016-09-21 12:45 by 46.237.130.38