1 Date: Thu, 9 Dec 2010 14:51:45 +0000
2 Mime-Version: 1.0 (Produced by PhpWiki 1.4.0)
3 Content-Type: application/x-phpwiki;
4 pagename=Help%2FPagePermissions;
5 flags=PAGE_LOCKED%2CEXTERNAL_PAGE;
8 Content-Transfer-Encoding: binary
10 == Full recursive ACL page permissions support (Solaris / Windows style) ==
12 Boolean permissions per page and action (**granted** or **denied**) based on the current users
13 group membership is implemented with ACL's (Access Control Lists).
14 Opposed to the simplier unix like ugo:rwx system. \\
15 The previous system was only based on action and current user, independent of pages.
17 A individual page permission may be inherited from its parent pages, and
18 from an optional master page ("." or _dotpage'). \\
19 Use predefined default permissions, if a "." page does not exist. \\
20 Pagenames starting with "." have tighter default permissions. (edit, change, list disallowed)
22 === Order of Evaluation (denial overrides granted, or vice versa?) ==
24 The array of permissions is evaluated from top to bottom. \\
25 Access is granted if the next matching **group membership** returns true, denied if false. \\
26 If the group membership is false, the next group is tried. \\
27 If no group membership matches the upper permissions are tried recursively: \\
28 current page => basepage => "." page => default perms. \\
29 If no group-perm pair grants access, access is denied.
31 Consider the following perm:
33 'change' => array(ACL_ADMIN => false,
36 => "Members of ADMIN may not change, the owner may change."
40 For Authentication see ~WikiUserNew.php, ~WikiGroup.php and main.php
42 I suspect ACL page permissions to degrade performance by 10%
44 Enable/Disable it in config/config.ini:
46 ENABLE_PAGEPERM = true
48 The defined (and extendable) main.php actions map to simplier access types:
52 create => edit or create
56 list in PageList => list
59 For simplicity we also map the ACL to the posix-style _owner_, _group_ and _world_ groups
60 and _read_, _write_, _execute_ perms, in cygwin fashion.
62 == Groups - definition of group membership ==
64 See ~WikiGroup how to enable and where to store user-specific group membership.
65 Group methods: database, file, ldap, wikipage, none
67 To do: _explain better._
69 The following special groups are always predefined, even if no other group methods are provided:
80 Those special groups are stored in a page acl as locale-independent string.
82 **To do**: See the available translations for these special groups.
84 Other group names are safed as defined by the group methods. (e.g. "Other Users")
86 == Perms - mapping of actions to permissions ==
88 ~PhpWiki supports individual actions, the default is browse. To simplify ACL's these
89 actions are mapped to some special permissions (vulgo _'perms'_).
91 We currently support the following permissions which can be stored in every page, for every group.
93 |= list | List this page and all subpages (for PageList)
94 |= view | View this page and all subpages
95 |= edit | Edit this page and all subpages
96 |= create | Create a new (sub)page
97 |= dump | Download the page contents
98 |= change | Change page attributes
99 |= remove | Remove this page
101 There are no plans to support additional custom perms. The API can handle that, but there's no UI,
102 and it would be only specific for certain plugins, which check permissions by their own.
104 === Action <=> Perm mapping ===
106 Those perms are mapped to those actions. [[Help:ActionPage|Action Pages]] (plugins) check their access restrictions by themselves.
108 |= list | //none, 'list' is checked for every pagename listed in PageList, to prevent from being listed in AllPages.//
109 |= view | browse, viewsource, diff, select, xmlrpc, search, pdf
110 |= dump | zip, ziphtml, dumpserial, dumphtml
111 |= edit | revert, edit
112 |= create | //edit or create, if the page doesn't exist yet//
113 |= change | upload, loadfile, remove, lock, unlock, upgrade, chown, setacl, setaclsimple, rename. \\ All other actionpages which are not wikiwords.
115 === Default Permissions ===
118 $perm = array('view' => array(ACL_EVERY => true),
119 'edit' => array(ACL_EVERY => true),
120 'create' => array(ACL_EVERY => true),
121 'list' => array(ACL_EVERY => true),
122 'remove' => array(ACL_ADMIN => true,
124 'change' => array(ACL_ADMIN => true,
127 $perm['dump'] = array(ACL_ADMIN => true,
130 $perm['dump'] = array(ACL_EVERY => true);
132 if (!ALLOW_ANON_USER) {
133 if (!ALLOW_USER_PASSWORDS)
134 $perm['view'] = array(ACL_SIGNED => true);
136 $perm['view'] = array(ACL_AUTHENTICATED => true);
137 $perm['view'][ACL_BOGOUSER] = ALLOW_BOGO_LOGIN ? true : false;
140 if (!ALLOW_ANON_EDIT) {
141 if (!ALLOW_USER_PASSWORDS)
142 $perm['edit'] = array(ACL_SIGNED => true);
144 $perm['edit'] = array(ACL_AUTHENTICATED => true);
145 $perm['edit'][ACL_BOGOUSER] = ALLOW_BOGO_LOGIN ? true : false;
146 $perm['create'] = $perm['edit'];
153 [[PhpWikiDocumentation]]