wiki:acl
Differences
This shows you the differences between two versions of the page.
wiki:acl [2007/08/16 12:37] – jas | wiki:acl [2007/08/24 09:51] (current) – jas | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Access Control ====== | ====== Access Control ====== | ||
- | In order to understand how to control access to your Wiki site, you need to understand DokuWiki authentication | + | Access Control is broken down into Authentication, and Authorization. Authentication determines who can access your Wiki site, and Access Control |
===== Authentication ===== | ===== Authentication ===== | ||
- | DokuWiki has been setup by default | + | By default, all local Wikis have been setup to allow everyone with a CSE account to login. |
- | ===== Groups | + | ===== Authorization |
+ | |||
+ | Authorization can be broken down into two areas -- groups and access control lists (ACLs). | ||
+ | |||
+ | ==== Groups | ||
DokuWiki users can be placed into groups. | DokuWiki users can be placed into groups. | ||
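Review bot: In the new introduction, the second sentence pairs "Authentication determines who can access your Wiki site" with "Access Control", while the first sentence and the headings added below call the second part "Authorization". Use "Authorization" there so the page title is not also the name of one of its two parts. Also drop the comma in "Authentication, and Authorization", and write "set up" and "log in" as verbs in the Authentication paragraph.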
Line 13: | Line 17: | ||
^Group^Description^ | ^Group^Description^ | ||
|cse|Any user who has a CSE system account is in the cse group.| | |cse|Any user who has a CSE system account is in the cse group.| | ||
- | |wiki|Any user that you create locally on your wiki is in the wiki group.| | + | |wiki|Any user that you create locally on your Wiki is in the wiki group.| |
- | |ALL|This group includes all users on your wiki - those in the cse group, wiki group, and even those who haven' | + | |ALL|This group includes all users on your Wiki - those in the cse group, wiki group, and even those who haven' |
- | |user|This group contains all self-registered users on your wiki.| | + | |user|This group contains all self-registered users on your Wiki.| |
- | You can manually add users to groups through the User Manager in the Admin menu. You cannot remove users from the cse, wiki, or ALL groups. | + | You can manually add users to groups through the User Manager in the Admin menu. You cannot remove users from the cse, wiki, or ALL groups. |
- | https://wiki.cse.yorku.ca/dept/test/group:newgroup | + | Each group is represented by a Wiki page in the ":group" namespace. A group page contains a list of users, one user per line. That is, user //X// is in group // |
- | Now you can "Create" the group. | + | There are two ways to add a user to a group. |
- | In addition to being able to modify | + | To edit an existing |
- | ==== System Groups | + | https:// |
+ | |||
+ | When you visit the URL, and click the " | ||
+ | |||
+ | In addition to being able to modify group files manually, you can use some special syntax in order to allow you to include system groups (like ugrad or faculty), class distribution lists, other Wiki groups, or even combinations of all of the above. | ||
+ | |||
+ | === System Groups === | ||
In order to manually add a system group to your group file: | In order to manually add a system group to your group file: | ||
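Review bot: The added paragraph "Each group is represented by a Wiki page in the ":group" namespace" makes group membership a matter of page edits, but nothing next to it says who may edit pages in that namespace. State that here, since a group page is "a list of users, one user per line" and whoever can edit it can change who is in the group. The retained sentence "You cannot remove users from the cse, wiki, or ALL groups" also leaves out the "user" group listed in the table above it; say whether self-registered users can be removed from that group.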
Line 35: | Line 45: | ||
include: | include: | ||
- | ==== Class Distribution Lists ==== | + | === Class Distribution Lists === |
In order to manually add a class distribution list to your group file: | In order to manually add a class distribution list to your group file: | ||
Line 45: | Line 55: | ||
include: | include: | ||
- | ==== Other Wiki Groups | + | === Other Wiki Groups === |
- | You can manually add other wiki groups to your group file: | + | You can manually add other Wiki groups to your group file: |
include: | include: | ||
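Review bot: "You can manually add other Wiki groups to your group file" does not say whether an included group's own includes are followed, or what happens when two groups include each other. Document both cases, because the page later states that ACL rules are matched against "the groups he is in", so the reach of an include decides who gets a permission.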
Line 55: | Line 65: | ||
include: | include: | ||
- | ===== Access Control Lists ===== | + | ==== Access Control Lists ==== |
- | In general, | + | In general, |
- | [However sometimes it makes sense to restrict access to certain or all pages. This is when //Access Control Lists// (ACL) come to play. This page should give you an overview how ACL works in DokuWiki and how they are configured. | + | |
- | + | Access restrictions can be bound to pages and namespaces. There are five permissions: | |
- | For more information and questions go to --> [[wiki: | + | |
- | + | ||
- | :!: **WARNING: | + | |
- | + | ||
- | ===== Configuration ===== | + | |
- | + | ||
- | To enable ACL in DokuWiki, you need at least one default ACL. Simply copy the example files '' | + | |
- | + | ||
- | You also need to set some [[config]] options. Let's have a look at a sample you could add to your '' | + | |
- | + | ||
- | <code php> | + | |
- | $conf[' | + | |
- | $conf[' | + | |
- | </ | + | |
- | + | ||
- | [[config# | + | |
- | " | + | |
- | + | ||
- | At this point, an additional security feature can be enabled. To disallow users to register themselves add ' | + | |
- | <code php> | + | |
- | $conf[' | + | |
- | </ | + | |
- | + | ||
- | The old way of doing this was the [[wiki: | + | |
- | + | ||
- | If this behaviour is desired, users can only be added by an admin (either through the admin web interface or by editing | + | |
- | '' | + | |
- | + | ||
- | There are some additional configuration options which allow control over other aspects of ACL but for which many will find the default settings satisfactory. | + | |
- | + | ||
- | <code php> | + | |
- | $conf[' | + | |
- | $conf[' | + | |
- | $conf[' | + | |
- | $conf[' | + | |
- | $conf[' | + | |
- | </ | + | |
- | + | ||
- | * Change [[config# | + | |
- | * [[config# | + | |
- | * [[config# | + | |
- | * Set [[config# | + | |
- | * DokuWiki can use different ways to access user and group data. By default it uses its own [[.auth: | + | |
- | + | ||
- | ... | + | |
- | + | ||
- | ===== User management ===== | + | |
- | + | ||
- | Users can be added, removed and edited through the [[plugin: | + | |
- | + | ||
- | ===== Access Restrictions ===== | + | |
- | + | ||
- | Access restrictions can be bound to [[pagename|pages]] and [[namespaces]]. There are five permissions: | + | |
When DokuWiki checks which rights it should give to a user, it uses all rules matching the user's name or the groups he is in. The rule which gives the highest permission is used. Permissions are checked for the page first, then all upper namespaces are checked until a matching rule is found. | When DokuWiki checks which rights it should give to a user, it uses all rules matching the user's name or the groups he is in. The rule which gives the highest permission is used. Permissions are checked for the page first, then all upper namespaces are checked until a matching rule is found. | ||
- | To add a restriction rule, browse to the page you want to restrict and enter the administration interface by pressing | + | ACLs can be added in two ways. DokuWiki comes with the '' |
- | + | ||
- | {{wiki: | + | |
- | + | ||
- | Restrictions are added in the top row of the table. You need to select the scope, which can be either the current page itself, or one of the namespaces it is in ((the top-most namespace is called '' | + | |
- | + | ||
- | Note: The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can not overwrite existing media files anymore. | + | |
- | + | ||
- | === Special Groups === | + | |
- | + | ||
- | **ALL**. Everyone, even users not logged | + | |
- | + | ||
- | **user**. All self-registered users are by default automatically a member of the group ' | + | |
- | + | ||
- | ===== Background Info ===== | + | |
- | + | ||
- | Access restrictions | + | |
- | + | ||
- | Empty lines and shellstyle comments are ignored. Each line contains 3 whitespace separated fields: | + | |
- | + | ||
- | | + | |
- | | + | |
- | * A permission level (see below) | + | |
- | + | ||
- | There are 7 permission levels represented by an integer. Higher levels include lower ones. If you can edit you can read, too. However the //admin// permission of //255// should never be used in the '' | + | |
- | + | ||
- | ^ Name ^ Level ^ applies to ^ Permission | + | |
- | | none | + | |
- | | read | + | |
- | | edit | + | |
- | | create | 4 | namespaces | + | |
- | | upload | 8 | namespaces | + | |
- | | delete | 16 | namespaces | + | |
- | | admin | 255 | admin plugins | + | |
- | + | ||
- | Here is an example: | + | |
- | + | ||
- | < | + | |
- | * @ALL 4 | + | |
- | * bigboss | + | |
- | start | + | |
- | marketing: | + | |
- | devel: | + | |
- | devel: | + | |
- | devel: | + | |
- | devel: | + | |
- | devel: | + | |
- | devel: | + | |
- | </ | + | |
- | + | ||
- | Lets go through it line by line (though see below for more): | + | |
- | + | ||
- | - This sets permission for the main namespace. Allowing everybody to edit and create pages. However upload is not allowed. | + | |
- | - User //bigboss// is given full rights | + | |
- | - The permissions for the start page are restricted to readonly for everyone | + | |
- | - Then the permissions for the namespace '' | + | |
- | - Now the access for the '' | + | |
- | - Well not nobody really -- we give members of the //devel// group full rights here | + | |
- | - And of course //bigboss// is allowed, too -- and he's the only who can delete uploaded files | + | |
- | - However the devel guys don't want their boss to see the '' | + | |
- | - And the // | + | |
- | - And finally the // | + | |
- | Please note, that **order does not matter** in the file. The file is parsed as whole, then a perfect match for the current page/user combi is searched for. When a match is found further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found the check continues in the next higher namespace. | + | To add a restriction rule, enter the administration interface by pressing the '' |
- | You can see this in the above example on the permissions for user // | + | {{wiki:acladmin.jpg|Example |
- | Note: To configure users or groups with special chars (like whitespaces) you need to URL escape them. This only applies to specialchars in the lower 128 byte range. The ACL file uses UTF-8 encoding so any multibytechars can be written as is. This only applies when a backend different from the [[.auth: | + | Under '' |
- | The DokuWiki manual describes | + | After you have selected a namespace, under '' |
- | DokuWiki has been configured to | + | |
- | In order to allow/ | + | |
- | DokuWiki has | + | |
- | * authentication of CSE users | + | |
- | * built-in " | + | |
- | * " | + | |
- | * groups can contain CSE users, system groups, or distribution lists | + | |
- | * include: | + | |
- | * include: | + | |
- | * include: | + | |
+ | If you wish to add an ACL entry to the selected namespace, go to the '' | ||
+ | Please note the following: | ||
- | By default, any user in the world has the ability to view all the content in your Wiki. | + | * The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can not overwrite existing media files anymore. |
- | If you need to restrict content on your site, you will be able to restrict content to groups that you create. These groups can include system groups (eg. tech, faculty, ugrad), class lists, or even other wiki groups. | + | * **order does not matter** in the ACL. The ACL is parsed as whole, then a perfect match for the current page/user combo is searched for. When a match is found, further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found the check continues in the next higher namespace. |
- | ALL cse users are automatically registered with your Wiki and have the ability | + | * The admin of the site has access |
+ | * By default, nobody has access to the '' | ||
+ | |
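Review bot: The rewritten bullet "**order does not matter** in the ACL ... When a match is found, further matching is aborted" does not agree with the unchanged paragraph above it, "it uses all rules matching the user's name or the groups he is in. The rule which gives the highest permission is used". The bullet describes stopping at an exact page/user match before groups are looked at, the paragraph describes taking the highest permission across user and group rules. Reconcile the two so a reader can tell whether a restrictive rule for one user still holds when a group that user belongs to has a more permissive rule on the same page. This revision also removes the permission level table and the caution that the admin permission of 255 should never be used; if the list after "There are five permissions:" does not say which permissions include which, keep a short version of that table.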
wiki/acl.1187282227.txt.gz · Last modified: 2007/08/16 12:37 by jas