acl

Differences

This shows you the differences between two versions of the page.

acl [2017-06-10 23:14] – Changed the auth constants in the example to numbers since the constants can't be used (on my system - otherwise please state how to get this working) dedeibelacl [2024-01-13 11:44] (current) – old revision restored (2023-06-28 11:12) Aleksandr
Line 1: Line 1:
-====== Access Control Lists (ACL) ======+====== Access Control Lists (ACL)======
  
 [[DokuWiki]] --- like most wikis --- is very open by default. Everyone is allowed to create, edit and delete pages. However ​sometimes it makes sense to restrict access to certain or all pages. This is when the //Access Control List// (ACL) comes into play. This page gives an overview of how ACLs work in DokuWiki and how they are configured. [[DokuWiki]] --- like most wikis --- is very open by default. Everyone is allowed to create, edit and delete pages. However ​sometimes it makes sense to restrict access to certain or all pages. This is when the //Access Control List// (ACL) comes into play. This page gives an overview of how ACLs work in DokuWiki and how they are configured.
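Review bot: the heading lost the space before its closing `======` (`(ACL)======`); DokuWiki still parses it as a level-1 heading, but every other heading on the page keeps the space, so restore `====== Access Control Lists (ACL) ======` for consistency.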
Line 6: Line 6:
 ===== Configuration and Setup =====  ===== Configuration and Setup ===== 
  
-ACLs can be enabled in the [[installer]] and an initial ACL policy is set there as well. To manually enable ACLs, switch on the [[config:useacl]] option and create a copy of the example files ''conf/​acl.auth.php.dist''​ and ''​conf/​users.auth.php.dist''.​ Rename the files to ''​conf/​acl.auth.php''​ and ''​conf/​users.auth.php''​ respectively.+ACLs can be enabled in the [[installer]] and an initial ACL policy is set there as well. To manually enable ACLs, switch on the [[config:useacl]] option and create a copy of the example files ''conf/​acl.auth.php.dist''​ and ''​conf/​users.auth.php.dist''.​ Rename the files to ''​conf/​acl.auth.php''​ and ''​conf/​users.auth.php'' respectively. 
  
 +
 +Example of a minimal ''​conf/​users.auth.php'' file for a user ''admin'' with the password ''admin''. If you use it, be sure to change the password afterwards.
 +
 +<file php conf/​users.auth.php>
 +# login:passwordhash:Real Name:email:groups (comma[,] separated)
 +
 +admin:$2y$10$P5YH8uIM2uAE9snRq32yAuHMb4/XAzksFd5Cakqqtsw9BWeSsyLZq:admin:admin@admin.com:admin,user
 +</file>
 ==== See also ===== ==== See also =====
  
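Review bot: the added `conf/users.auth.php` example ships a working bcrypt hash for the password `admin`, so anyone who copies it and skips the "change the password afterwards" sentence ends up with an admin account whose credential is public. Suggest not publishing a usable hash at all: tell readers to generate their own with `php -r "echo password_hash('your-password', PASSWORD_BCRYPT), PHP_EOL;"` (it produces the same `$2y$10$...` format shown) and to paste that into the line, and use a reserved address such as `admin@example.com` rather than `admin@admin.com`, which is a real domain. The line immediately after the block, `==== See also =====`, has mismatched `=` counts (four opening, five closing); it was already like that, but since this hunk touches the lines right above it, fixing it here is cheap.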
Line 13: Line 21:
  
   * Config option [[config:useacl]] -- enable ACL usage   * Config option [[config:useacl]] -- enable ACL usage
-  * Config option [[config:superuser]] -- setup superusers with ACL granting rights +  * Config option [[config:superuser]] -- setup superusers with ACL granting rights 
-  * Config option [[config:openregister]] -- allows you to disable open registration+
   * Config option [[config:defaultgroup]] -- the default group to which new users are added   * Config option [[config:defaultgroup]] -- the default group to which new users are added
   * [[plugin:usermanager|User Manager]] -- managing users   * [[plugin:usermanager|User Manager]] -- managing users
   * [[auth|Authentication Backends]] -- identify users from different data sources   * [[auth|Authentication Backends]] -- identify users from different data sources
-  * [[faq:regdisable|FAQ: How to disable open user registration]]+  * [[faq:regdisable|FAQ: How to disable open user registration]] -- replaces $conf[openregister]
  
 :!: **WARNING:** DokuWiki's ACL feature has been included for some time and should be pretty stable. However, if you are concerned about the risk of unauthorized users accessing information in your wiki, you should never put it on a computer accessible from the Internet. :!: **WARNING:** DokuWiki's ACL feature has been included for some time and should be pretty stable. However, if you are concerned about the risk of unauthorized users accessing information in your wiki, you should never put it on a computer accessible from the Internet.
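Review bot: the new suffix `-- replaces $conf[openregister]` on the FAQ entry is ambiguous about what replaces what, especially since the `[[config:openregister]]` entry is removed in the same hunk. Say it plainly, e.g. `-- the openregister option was removed; this FAQ describes the setting that replaced it`, so readers with an old `$conf['openregister']` line know why it no longer has any effect.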
Line 50: Line 57:
     * by selecting a known group or user from the dropdown menu     * by selecting a known group or user from the dropdown menu
     * or by selecting "User:" or "Group:" and entering the group or user name in the field     * or by selecting "User:" or "Group:" and entering the group or user name in the field
-  - set the appropriate permission+  - set the appropriate permissions
  
 Existing rules can be modified or deleted in the table at the bottom of the ACL manager. Existing rules can be modified or deleted in the table at the bottom of the ACL manager.
Line 65: Line 72:
   - User //bigboss// is given full rights.   - User //bigboss// is given full rights.
   - Now the access for the ''devel'' namespace is restricted. Nobody is allowed to do anything.   - Now the access for the ''devel'' namespace is restricted. Nobody is allowed to do anything.
-  - Well not nobody really---we give members of the //devel// group full rights here. +  - Well not nobody really---we give members of the //devel// group almost full rights here. Deleting files however is not allowed
-  - And of course //bigboss// is allowed, too, and they're the only one who can delete uploaded files. +  - User //bigboss// however is allowed full access to the ''devel'' namespace. He/she can even delete uploaded files. 
-  - And the //marketing// group may read everything in the ''devel'' namespace, but read only.+  - The //marketing// group may read everything in the ''devel'' namespace, but cannot edit or create pages.
   - However the devel team doesn't want their boss to see the ''funstuff'' page---remember exact pagematches override namespace permissions.   - However the devel team doesn't want their boss to see the ''funstuff'' page---remember exact pagematches override namespace permissions.
-  - And finally the //marketing// group is allowed to edit the ''devel:marketing'' page as well. +  - And finally the //marketing// group is allowed to edit the ''devel:marketing'' page as well. (This page could however not have been created by them.) 
-  - Then the permissions for the namespace ''marketing'' are set. All members of the //marketing// group are allowed to upload there---other users will be matched by line 1 so they can still create and edit. //bigboss// inherits their rights from line 2 so they can still upload and delete files. +  - Then the permissions for the namespace ''marketing'' are set. All members of the //marketing// group are allowed to upload there  
-  - The last line finally restricts the start page to readonly for everyone. Only superusers will be able to ever edit that page.+    * other users will be matched by line #1 so they can still create and edit.  
 +    * Rights for //bigboss// are inherited from line #2 so this user can still upload and delete files. (No wonder that everyone would like to be the //bigboss//.) 
 +  - The last line finally restricts the start page to readonly for everyone. Even for //bigboss//. Only superusers will be able to ever edit that page.
  
 Let's have a look at a second example to better understand **specific matching**: Let's have a look at a second example to better understand **specific matching**:
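Review bot: the rewritten walkthrough is clearer about who can delete, but two items still leave the reader guessing. In the //devel// item, "almost full rights ... Deleting files however is not allowed" should name the level being granted (upload) so it can be matched against the permission table and against the later note that delete applies to media only. In the //marketing// item, "(This page could however not have been created by them.)" is only true because the exact-page rule grants edit rather than create; say that rather than leaving it as an aside. The parenthetical "(No wonder that everyone would like to be the //bigboss//.)" and "He/she" are chatty for a reference page and can be dropped.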
Line 77: Line 86:
 {{:aclexample2.png}} {{:aclexample2.png}}
  
-FIXME - Should the group be changed to @user in the table, which I thought was the default group? 
  
 This time we look what rules will match for different users when trying to access the page ''private:bobspage''. This time we look what rules will match for different users when trying to access the page ''private:bobspage''.
Line 138: Line 146:
 Please note that **order does not matter** in the file. The file is parsed as whole, then a perfect match for the current page/user combo is searched for. When a match is found further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found the check continues in the next higher namespace. Please note that **order does not matter** in the file. The file is parsed as whole, then a perfect match for the current page/user combo is searched for. When a match is found further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found the check continues in the next higher namespace.
  
-:!: **Note:** To configure users or groups with special chars (like whitespacesyou need to URL escape themThis only applies to specialchars in the lower 128 byte range. The ACL file uses UTF-8 encoding so any multibytechars can be written as is.+:!: **Note:** The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can only overwrite existing media files if the [[config:mediarevisions|media revisions]] option is enabled. 
 + 
 +==== User/Group Encoding ==== 
 + 
 +Because the ACL configuration uses a few special characters to denote special functionality (like ''@'' prefixes, spaces, etc), user and group names need to be encoded when they contain certain characters to avoid clashes 
 + 
 +When you use the ACL Manager you don't have to think about this, it will do it automatically for you. 
 + 
 +When manually editing ACLs, user and group names need to be encoded. Internally this is done using the [[xref>auth_nameencode()]] method. 
 + 
 +The encoding uses URL encoding for all non-letter/number ASCII chars (special chars in the lower 128 byte range). UTF-8 Multibytechars are not encoded. 
 + 
 +Example: ''Herbert.Müller'' becomes ''Herbert%2eMüller'' 
  
-:!: **Note:** When using $conf['authtype'] = 'ad'; and groups names with spaces needing to be written in the acl.auth.php with a "%5f" replacing the spaces instead of "%20". This is because Group names with spaces are first converted into underscores "_" which are "%5f". 
  
-:!: **Note:** The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can not overwrite existing media files anymore. 
  
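Review bot: the note about `$conf['authtype'] = 'ad'` (group names with spaces are stored with underscores, so the ACL file must use `%5f`, not `%20`) is deleted without being carried into the new "User/Group Encoding" section, and nothing says it stopped being true. If it still holds, keep it there as a backend-specific caveat right after the `Herbert%2eMüller` example; if it no longer holds, say so explicitly, because an AD admin who encodes the space as `%20` will write a rule that silently never matches. The new section is otherwise consistent with itself: the lowercase `%2e` in the example matches the "URL encoding for all non-letter/number ASCII chars" rule it states.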
 ==== User Wildcards ==== ==== User Wildcards ====
Line 168: Line 187:
 # #
 # Allow members of 'group' to edit pages in the 'group' namespace. # Allow members of 'group' to edit pages in the 'group' namespace.
-be careful, if you have a user namespace, all members of the default group  +BE CAREFUL, if you have a 'usernamespace, all members of the default group  
-# will gain access to it+# will gain access to it since %GROUP% will be replaced literally
 %GROUP%:              %GROUP% 2 %GROUP%:              %GROUP% 2
 </file> </file>
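Review bot: the new comment has an unbalanced quote, `'usernamespace`, which looks like `'user' namespace` with the closing quote and space lost, and "replaced literally" undersells the problem. The risk is that `%GROUP%` expands to every group the user is a member of, so if a namespace shares its name with the default group (the page names `user` as that group elsewhere), all members of that group get edit on it. Suggest: `# BE CAREFUL: %GROUP% expands to each group a user belongs to, so if a namespace is named after the default group (e.g. 'user'), every member of that group gains edit access to it.`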
acl.1497129265.txt.gz · Last modified: 2017-06-10 23:14 by dedeibel

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International