acl
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
acl [2020-11-22 03:02] – [ACLs by Example] Fred23 | acl [2024-01-13 11:44] (current) – old revision restored (2023-06-28 11:12) Aleksandr | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Access Control Lists (ACL)s ====== | ||
+ | [[DokuWiki]] --- like most wikis --- is very open by default. Everyone is allowed to create, edit and delete pages. However sometimes it makes sense to restrict access to certain or all pages. This is when the //Access Control List// (ACL) comes into play. This page gives an overview of how ACLs work in DokuWiki and how they are configured. | ||
+ | ===== Configuration and Setup ===== | ||
+ | |||
+ | ACLs can be enabled in the [[installer]] and an initial ACL policy is set there as well. To manually enable ACLs, switch on the [[config: | ||
+ | |||
+ | |||
+ | Example of a minimal '' | ||
+ | |||
+ | <file php conf/ | ||
+ | # login: | ||
+ | |||
+ | admin: | ||
+ | </ | ||
+ | ==== See also ===== | ||
+ | |||
+ | There are a few more config options and features that relate to authentication, | ||
+ | |||
+ | * Config option [[config: | ||
+ | * Config option [[config: | ||
+ | * Config option [[config: | ||
+ | * [[plugin: | ||
+ | * [[auth|Authentication Backends]] -- identify users from different data sources | ||
+ | * [[faq: | ||
+ | |||
+ | :!: **WARNING: | ||
+ | |||
+ | ===== Access Restrictions ===== | ||
+ | |||
+ | Access restrictions can be bound to [[pagename|pages]] and [[namespaces]]. There are seven permissions: | ||
+ | |||
+ | Rules that were set to namespaces apply on media namespaces as well as for page namespaces. | ||
+ | |||
+ | When DokuWiki checks which rights it should give to a user, it uses all rules matching the user's name or the groups he or she is in. The rule that provides a user's permission is chosen according to the following process: | ||
+ | |||
+ | * Rules which match closer to the namespace: | ||
+ | * When more than one rule matches at the same level, the rule giving the highest access level is preferred. | ||
+ | |||
+ | Users are in the groups they were assigned to in the user manager (or the auth backend). However there are two **groups** that are somewhat special: | ||
+ | |||
+ | * **@ALL** Everyone, even users not logged in, is a member of the ALL group. You can use this group to restrict access for all users (as a default setting) and then relax the permissions for some selected users. | ||
+ | * **@user** All self-registered users are by default automatically a member of the group ' | ||
+ | |||
+ | Groups are represented internally and in the ACL manager by a prepended '' | ||
+ | |||
+ | ==== Editing ACLs ==== | ||
+ | |||
+ | To easily add new or change existing access rules, you should use the [[plugin: | ||
+ | |||
+ | Basically there are three steps to add a new ACL rule: | ||
+ | |||
+ | - select the namespace or page to restrict from the upper left tree navigation | ||
+ | - choose to whom the ACL rule should apply | ||
+ | * by selecting a known group or user from the dropdown menu | ||
+ | * or by selecting " | ||
+ | - set the appropriate permissions | ||
+ | |||
+ | Existing rules can be modified or deleted in the table at the bottom of the ACL manager. | ||
+ | |||
+ | ==== ACLs by Example ==== | ||
+ | |||
+ | In this section we will explain how access rules work, using a fictional example setup that looks like this in the ACL manager: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | Let's have a look at each line: | ||
+ | |||
+ | - This sets permission for everyone in the main namespace, allowing everybody to edit and create pages. However upload is not allowed. | ||
+ | - User //bigboss// is given full rights. | ||
+ | - Now the access for the '' | ||
+ | - Well not nobody really---we give members of the //devel// group almost full rights here. Deleting files however is not allowed. | ||
+ | - User //bigboss// however is allowed full access to the '' | ||
+ | - The // | ||
+ | - However the devel team doesn' | ||
+ | - And finally the // | ||
+ | - Then the permissions for the namespace '' | ||
+ | * other users will be matched by line #1 so they can still create and edit. | ||
+ | * Rights for //bigboss// are inherited from line #2 so this user can still upload and delete files. (No wonder that everyone would like to be the // | ||
+ | - The last line finally restricts the start page to readonly for everyone. Even for // | ||
+ | |||
+ | Let's have a look at a second example to better understand **specific matching**: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | |||
+ | This time we look what rules will match for different users when trying to access the page '' | ||
+ | |||
+ | - abby, a regular user | ||
+ | * three rules match, #1, #2, #4 | ||
+ | * rule #4 is closest, it matches at the namespace level so it takes precedence over the other three | ||
+ | * abby's permissions level is '' | ||
+ | - bob, a regular user | ||
+ | * four rules match, #1, #2, #4, #6 | ||
+ | * rule #6 wins as its an exact match | ||
+ | * bob's permission level is '' | ||
+ | - bob forgets to login and tries to access his page | ||
+ | * two rules match, #1 & #4 | ||
+ | * rule #4 is closer, it wins | ||
+ | * bob's permission level while not logged in is '' | ||
+ | - charlie, a staff member | ||
+ | * five rules match, #1--#5 | ||
+ | * two rules match at namespace level, #5 gives charlie the higher permission so it wins | ||
+ | * charlie' | ||
+ | |||
+ | Note rule #5, which appears to duplicate rule #3. Without it, staff members wouldn' | ||
===== Background Info ===== | ===== Background Info ===== | ||
Line 41: | Line 146: | ||
Please note that **order does not matter** in the file. The file is parsed as whole, then a perfect match for the current page/user combo is searched for. When a match is found further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found the check continues in the next higher namespace. | Please note that **order does not matter** in the file. The file is parsed as whole, then a perfect match for the current page/user combo is searched for. When a match is found further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found the check continues in the next higher namespace. | ||
- | :!: **Note: | + | :!: **Note: |
+ | |||
+ | ==== User/Group Encoding ==== | ||
+ | |||
+ | Because the ACL configuration uses a few special | ||
+ | |||
+ | When you use the ACL Manager you don't have to think about this, it will do it automatically for you. | ||
+ | |||
+ | When manually editing ACLs, user and group names need to be encoded. Internally this is done using the [[xref> | ||
+ | |||
+ | The encoding uses URL encoding for all non-letter/ | ||
+ | |||
+ | Example: '' | ||
- | :!: **Note:** When using $conf[' | ||
- | :!: **Note:** The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can only overwrite existing media files if the [[config: | ||
==== User Wildcards ==== | ==== User Wildcards ==== |
acl.1606010536.txt.gz · Last modified: 2020-11-22 03:02 by Fred23