Access Control

Access Control is broken down into Authentication and Authorization. Authentication determines who can access your Wiki site, and Authorization determines what they can access on your site.

Authentication

By default, all local Wikis have been set up to allow everyone with a CSE account to log in. Similarly, by default, all content is viewable by anyone in the world. If you are a site admin, you can add your own custom non-CSE accounts through the User Manager in the Admin menu. This means that if you are collaborating on a project with someone who does not have a CSE account, you can create a Wiki account for them.

You can also enable registration on your Wiki in order to allow outside users to register for an account on your Wiki. The registration process is completely automated: the user is sent a registration validation message and must access a particular URL in order to activate their Wiki account. Spammers abuse these types of systems. Due to spam activity, this mode of operation is highly discouraged.

Authorization

Authorization can be broken down into two areas – groups and access control lists (ACLs).

Groups

DokuWiki users can be placed into groups. The following groups come preconfigured with our DokuWiki installation:

| Group | Description |
|-------|-------------|
| cse | Any user who has a CSE system account is in the cse group. |
| wiki | Any user that you create locally on your Wiki is in the wiki group. |
| ALL | This group includes all users on your Wiki - those in the cse group, wiki group, and even those who haven't logged in. |
| user | This group contains all self-registered users on your Wiki. |

You can manually add users to groups through the User Manager in the Admin menu. You cannot remove users from the cse, wiki, or ALL groups.

Each group is represented by a Wiki page in the “:group” namespace. A group page contains a list of users, one user per line. That is, if user X is in group mygroup, then :group:mygroup will contain “X”.

There are two ways to add a user to a group. You can add users to groups using the “User Manager”, which is available by clicking on the “Admin” button. Alternatively, if you need to bulk add users, you can simply access the group's Wiki page through the Wiki interface and edit the file directly, even cutting and pasting from other sources. The cse, wiki, and ALL groups discussed above do not have respective Wiki pages because they are implicit groups.

To edit an existing group through the Wiki system, you can visit the group namespace through the Wiki “Index”, and then choose the “Edit page” button. If you wish to create a new group that has not already been created through the User Manager, you must visit the URL directly like this:

https://wiki.cse.yorku.ca/mywiki/group:newgroup

When you visit the URL, and click the “Create this page” button, you will be creating the group newgroup.

In addition to being able to modify group files manually, you can use some special syntax in order to allow you to include system groups (like ugrad or faculty), class distribution lists, other Wiki groups, or even combinations of all of the above.

System Groups

In order to manually add a system group to your group file:

include:system:<GROUP>

For example:

include:system:faculty

Class Distribution Lists

In order to manually add a class distribution list to your group file:

include:dist:<SESSION>:<TERM>:<FILE>

For example:

include:dist:2006-07:f:cse1020

Other Wiki Groups

You can manually add other Wiki groups to your group file:

include:wiki:<GROUP>

For example:

include:wiki:mygroup
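Because an ACL entry for a group grants access to everyone its group page pulls in, it helps to expand the includes before reviewing who can reach a namespace. The following is an added example, not code from this Wiki installation: it models the three include forms above over constructed sample data (SYSTEM_GROUPS, DIST_LISTS, WIKI_GROUPS and all user names are assumptions) and reports include cycles and includes that resolve to nothing.

```python
# Added example: resolver for the group-page include syntax described above.
# All group contents below are constructed sample data.
SYSTEM_GROUPS = {"faculty": ["alice", "bob"]}
DIST_LISTS = {("2006-07", "f", "cse1020"): ["carol", "dave"]}
WIKI_GROUPS = {
    "mygroup": ["erin", "include:system:faculty"],
    "project": ["frank", "include:wiki:mygroup",
                "include:dist:2006-07:f:cse1020"],
    "loop_a": ["gina", "include:wiki:loop_b"],
    "loop_b": ["include:wiki:loop_a"],
    "stale": ["include:dist:2005-06:w:cse1020"],
}

def expand_group(name, _path=None):
    """Return (members, problems) for the Wiki group `name`."""
    path = _path if _path is not None else []
    if name in path:  # this group is already being expanded further up
        return set(), [f"include cycle at wiki group {name!r}"]
    path.append(name)
    members, problems = set(), []
    for raw in WIKI_GROUPS.get(name, []):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("include:"):
            members.add(line)  # plain line: one user name
            continue
        parts = line.split(":")
        kind, args = parts[1], parts[2:]
        if kind == "system" and len(args) == 1 and args[0] in SYSTEM_GROUPS:
            members.update(SYSTEM_GROUPS[args[0]])
        elif kind == "dist" and len(args) == 3 and tuple(args) in DIST_LISTS:
            members.update(DIST_LISTS[tuple(args)])
        elif kind == "wiki" and len(args) == 1 and args[0] in WIKI_GROUPS:
            sub, sub_problems = expand_group(args[0], path)
            members |= sub
            problems += sub_problems
        else:
            problems.append(f"unresolved include in {name!r}: {line}")
    path.pop()
    return members, problems
```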

Access Control Lists

In general, most Wikis are very open by default. However, sometimes it makes sense to restrict access to certain or all pages. This is when Access Control Lists (ACLs) come into play. This page should give you an overview of how ACLs work in DokuWiki and how they are configured.

Access restrictions can be bound to pages and namespaces. There are five permissions: read, edit, create, upload and delete. Each higher permission contains the lower ones, with read being the lowest and delete the highest one. You should note that create, upload and delete permissions can only be assigned to namespaces.

When DokuWiki checks which rights it should give to a user, it uses all rules matching the user's name or the groups he is in. The rule which gives the highest permission is used. Permissions are checked for the page first, then all upper namespaces are checked until a matching rule is found.

ACLs can be added in two ways. DokuWiki comes with the Access Control List Management plugin, which allows you to add restrictions to namespaces and pages, but you must be on a page in the namespace that you wish to restrict in order to add restrictions to it. Alternatively, our local DokuWiki installation has another plugin installed called “SuperACL”, which lets you handle ACL restrictions for any page or namespace from one plugin, no matter where you are in the Wiki. SuperACL is the recommended plugin to use for Access Control List management. The rest of these instructions will focus on using the SuperACL plugin.

To add a restriction rule, enter the administration interface by pressing the Admin button. Next, select Super ACL View. You are then presented with a table like the following, showing you all restrictions relevant to the current page.

[Figure: Example of an ACL-Restriction]

Under Select namespace to administrate, select the namespace that you will be configuring. The top-most namespace is called *.

After you have selected a namespace, under Permissions for Namespace, you will see all the permissions that have been defined for the selected namespace. Here, you can change the permissions or delete them. If you change the permissions without clicking the Update button, the permissions will not be saved. If you wish to delete permissions, click the Delete button on the line of the permissions that you wish to delete.

If you wish to add an ACL entry to the selected namespace, go to the Add new Entry field. Select User or Group, enter the user/group in the field provided (e.g. ALL), select the permissions, and click the Save button. Selecting no permission effectively locks out the specified user or group from the page or namespace.

Please note the following:

  • The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions cannot overwrite existing media files.
  • Order does not matter in the ACL. The ACL is parsed as a whole, then a perfect match for the current page/user combo is searched for. When a match is found, further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found, the check continues in the next higher namespace.
  • The admin of the site has access to everything on the site, no matter what the ACL says.
  • By default, nobody has access to the group namespace (except admins). For security reasons, please be careful to ensure that you do not remove this restriction.
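The lookup order in the notes above can be checked against a planned rule set before it is entered in SuperACL. The following is an added example, not DokuWiki's or SuperACL's code: a simplified model of the matching described on this page, with constructed rules, namespaces and user names, plus a check for namespaces (such as group) that an anonymous visitor could still read.

```python
# Added example: simplified model of the ACL lookup described on this page.
# Rules, namespaces and user names are constructed sample data.
LEVELS = ["none", "read", "edit", "create", "upload", "delete"]  # low -> high

# (scope, subject, permission); "ns:*" is a namespace, "@name" is a group.
RULES = [
    ("*", "@ALL", "read"),
    ("group:*", "@ALL", "none"),        # keeps group pages private
    ("project:*", "@ALL", "none"),      # lock everyone out ...
    ("project:*", "@team", "upload"),   # ... except members of team
    ("project:*", "@interns", "read"),
    ("project:budget", "mallory", "none"),
]

def scopes(page):
    """Yield the page, then each enclosing namespace up to the root '*'."""
    yield page
    parts = page.split(":")[:-1]
    while parts:
        yield ":".join(parts) + ":*"
        parts.pop()
    yield "*"

def effective(page, user, groups, is_admin=False, rules=RULES):
    """Return the permission name that `user` ends up with on `page`."""
    if is_admin:                  # admins have access to everything;
        return "delete"           # modelled here as the highest level
    subjects = {"@" + g for g in groups} | {"@ALL"}
    for scope in scopes(page):
        here = [(s, p) for sc, s, p in rules if sc == scope]
        exact = [p for s, p in here if s == user]
        if exact:                 # exact user match ends the search
            return max(exact, key=LEVELS.index)
        grp = [p for s, p in here if s in subjects]
        if grp:                   # highest matching group rule wins
            return max(grp, key=LEVELS.index)
    return "none"

def world_readable(namespaces, rules=RULES):
    """Namespaces an anonymous visitor (only in ALL) can still read."""
    return [ns for ns in namespaces
            if effective(ns + ":start", None, [], rules=rules) != "none"]
```

Removing the ("group:*", "@ALL", "none") rule from the sample makes world_readable report group, which is the condition the last note warns about.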
wiki/acl.txt · Last modified: 2007/08/24 09:51 by jas