acl



Background Info

Access restrictions are saved in a file called conf/acl.auth.php, which should be writable by the webserver if you want to use the ACL admin interface described above. It is not recommended to edit this file manually. Use the admin interface instead.

Empty lines and shell-style comments are ignored. Each line contains 3 whitespace separated fields:

  • The resource to restrict. This can either be a pagename or a namespace. Namespaces are marked by an additional asterisk (see examples below).
  • A group or user name. Groupnames are marked by a leading @ character.
  • A permission level (see below).

There are seven permission levels, each represented by an integer. Higher levels include lower ones: if you can edit, you can read, too. However, the admin permission (255) cannot be used in the conf/acl.auth.php file; it is only used internally, by matching the user against the superuser option.

Name     Level   Applies to          Permission                                  DokuWiki constant
none       0     pages, namespaces   no permission (complete lockout)            AUTH_NONE
read       1     pages, namespaces   read permission                             AUTH_READ
edit       2     pages, namespaces   existing pages may be edited                AUTH_EDIT
create     4     namespaces          new pages can be created                    AUTH_CREATE
upload     8     namespaces          media files may be uploaded                 AUTH_UPLOAD
delete    16     namespaces          media files may be overwritten or deleted   AUTH_DELETE
admin    255     admin plugins       superuser can change admin settings         AUTH_ADMIN

Here is an example setup matching the first example given above:

*                     @ALL        4
*                     bigboss    16
devel:*               @ALL        0
devel:*               @devel      8
devel:*               bigboss    16
devel:*               @marketing  1
devel:funstuff        bigboss     0
devel:marketing       @marketing  2
marketing:*           @marketing  8
start                 @ALL        1

Please note that order does not matter in the file. The file is parsed as a whole, then an exact match for the current page/user combination is searched for. When a match is found, further matching is aborted. If no match is found, group permissions for the current page are checked. If still no match is found, the check continues in the next higher namespace.

:!: Note: To configure users or groups with special characters (such as whitespace) you need to URL-escape them. This only applies to special characters in the lower 128-byte range; the ACL file uses UTF-8 encoding, so any multibyte characters can be written as is.

:!: Note: When using $conf['authtype'] = 'ad';, group names with spaces need to be written in acl.auth.php with “%5f” replacing the spaces instead of “%20”. This is because group names with spaces are first converted into underscores (“_”), which are encoded as “%5f”.

:!: Note: The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can only overwrite existing media files if the media revisions option is enabled.

User Wildcards

It is possible to use user and group wildcards in the ACLs. This can be useful for wikis with many registered users, if you want to give each user or group a personal namespace where only they have write access, and you don't want to edit the ACLs for each of them. To accomplish that, %USER% is replaced by the username of the currently logged-in user and %GROUP% by each of the groups of this user.

In the following example a logged-in user gains full (upload/delete) permissions for the user's own namespace user:<username>:*, and all access to the other namespaces located in user:* is revoked.

In this case a logged-in user has access to their own namespace only, and no access to the namespaces of other users (not even to see their names in the index).

#
# Grant full access to logged in user's namespace
user:%USER%:*          %USER%  16
#
# Allow to browse own namespace via the index
user:                  %USER%  1
#
# Allow read only access to start page located in "user" namespace 
user:start             %USER%  1
#
# Disable all access to user's home namespaces not owned by logged in user 
# (include view namespaces via the index) 
user:*                 @user   0
#
# Allow members of 'group' to edit pages in the 'group' namespace.
# BE CAREFUL, if you have a 'user' namespace, all members of the default group 
# will gain access to it since %GROUP% will be replaced literally
%GROUP%:*               %GROUP% 2

:!: Note: version 2009-12-25c “Lemming” has a caveat. If you add, update or remove ACL entries from the admin interface, DokuWiki will replace %USER% in the second field of the ACL with %25USER%25 (this is bug FS#1955). To avoid this, change permissions manually only (by editing conf/acl.auth.php), or correct them manually after each operation in the admin interface, because %25USER%25 does not work as expected; only %USER% should be used in conf/acl.auth.php. This bug is fixed in newer versions.

:!: Note: The wildcard changed from @ to % in December 2008 – if you are upgrading from an older version you need to adjust your ACL setup accordingly.
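The following Python script is an added example (it is not DokuWiki's own code) that implements the file format and the lookup order described in this page: comments and blank lines are skipped, %USER% and %GROUP% are expanded for the current session, an exact page match is tried first (the user's own entry, then group entries including @ALL), and only if nothing matched does the search continue in the next higher namespace up to *. Two details are assumptions of this example rather than statements of the page: when several group entries match the same resource the highest level wins, and the same user-then-group order is applied at every namespace level. The sample ACL text is constructed from the two example files above; it is useful for answering "what would this user get on this page?" before a change is made.

```python
"""Evaluate DokuWiki-style ACL rules (conf/acl.auth.php format).

Added example, not DokuWiki's code. Assumptions: highest matching group entry
wins at one resource; user-then-group order is applied at every namespace level.
"""

AUTH_NONE, AUTH_READ, AUTH_EDIT = 0, 1, 2
AUTH_CREATE, AUTH_UPLOAD, AUTH_DELETE, AUTH_ADMIN = 4, 8, 16, 255


def name_encode(name):
    """URL-escape a user/group name as the notes above describe: only special
    characters below 0x80 are escaped (lowercase hex, so '_' becomes '%5f');
    ASCII letters/digits and UTF-8 multibyte characters are written as-is."""
    return ''.join(
        c if (c.isascii() and c.isalnum()) or ord(c) >= 0x80 else f'%{ord(c):02x}'
        for c in name
    )


def parse_acl(text, user=None, groups=()):
    """Return [(resource, subject, level)] with %USER% / %GROUP% expanded for
    the current session. Wildcard lines are dropped when no user is logged in
    or the user has no groups, because they could not match anyone."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # shell-style comments, blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f'malformed ACL line: {raw!r}')
        resource, subject, level = fields[0], fields[1], int(fields[2])
        level = min(level, AUTH_DELETE)          # 255 (admin) is never honoured from the file
        if '%USER%' in line:
            if not user:
                continue
            resource = resource.replace('%USER%', user)
            subject = subject.replace('%USER%', name_encode(user))
        if '%GROUP%' in line:
            for group in groups:                 # one expanded rule per group of the user
                rules.append((resource.replace('%GROUP%', group),
                              subject.replace('%GROUP%', '@' + name_encode(group)),
                              level))
        else:
            rules.append((resource, subject, level))
    return rules


def acl_check(rules, page, user=None, groups=()):
    """Permission level of `user` (member of `groups`) on `page`."""
    user_subjects = [name_encode(user)] if user else []
    group_subjects = ['@' + name_encode(g) for g in groups] + ['@ALL']

    def lookup(resource):
        # the user's own entry first; otherwise the highest matching group entry (assumption)
        for subjects in (user_subjects, group_subjects):
            levels = [lvl for res, subj, lvl in rules
                      if res == resource and subj in subjects]
            if levels:
                return max(levels)
        return None

    level = lookup(page)                         # 1. an exact page match aborts the search
    if level is not None:
        return level
    parts = page.split(':')[:-1]                 # 2. a:b:c -> a:b:* -> a:* -> *
    while True:
        level = lookup(':'.join(parts + ['*']))
        if level is not None:
            return level
        if not parts:
            return AUTH_NONE                     # no rule at all: deny
        parts.pop()


def can(level, needed):
    """Higher levels include lower ones: edit (2) implies read (1)."""
    return level >= needed


# Constructed sample: the example file above plus the personal-namespace rules.
SAMPLE_ACL = """\
*                     @ALL        4
*                     bigboss    16
devel:*               @ALL        0
devel:*               @devel      8
devel:*               bigboss    16
devel:*               @marketing  1
devel:funstuff        bigboss     0
devel:marketing       @marketing  2
marketing:*           @marketing  8
start                 @ALL        1
# personal namespaces (see User Wildcards)
user:%USER%:*         %USER%     16
user:*                @user       0
"""

if __name__ == '__main__':
    for who, grps, page in [('bigboss', ('devel',), 'devel:funstuff'),
                            ('alice', ('user',), 'user:alice:todo'),
                            ('alice', ('user',), 'user:bob:todo'),
                            (None, (), 'wiki:syntax')]:
        rules = parse_acl(SAMPLE_ACL, who, grps)
        print(who, page, acl_check(rules, page, who, grps))
```

Running the script shows the effect of the exact-match rule: bigboss has level 16 on devel:* but the explicit devel:funstuff entry gives him 0 there, because an exact page match ends the search before the namespace entries are consulted. The anonymous run also shows why the %USER% line is skipped for visitors who are not logged in: with no user it cannot match anyone.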

acl.1606010536.txt.gz · Last modified: 2020-11-22 03:02 by Fred23

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International