Access Controls

Access Controls

DokuWiki – jak większość Wikis – jest domyślnie otwarty.Każdy może tworzyć, edytować i usuwać strony.Jednak czasami przydało by się zabezpieczyć dostęp do niektorych lub wszystkich stron. W takim przypadku Access Control Lists (ACL) wchodzi do gry. Ta strona powinna dać ci ogólny pogląd na to jak ACL w DokuWiki pracuje i jak to sie konfiguruje.

Więcej informacji znajdziesz na –> discussion:acl

:!: UWAGA: DokuWiki's ACL jest standardowo dołączany i powinien być stabilny. Jeśli jednak jesteś zaniepokojony ryzykiem dostępu to twoich informacji w wiki przez nieautoryzowanych użytkowników, nie powinieneś w ogóle umieszczać tych danych w Internecie …

Configuration

Aby włączyć ACL w DokuWiki, potrzebujesz co najmniej jednego domyślnego ACL. Poprostu skopiuj przykładowe pliki conf/acl.auth.php.dist i conf/users.auth.php.dist do conf/acl.auth.php i conf/users.auth.php w kolejności, i logowanie powinno działać. Jeśli dostaniesz komunikat “No ACL setup yet! Denying access to everyone.” (ACL nie ustawiomy, brak dostępu dla wszystkich) wtedy upewnij się że tekst na początku pliku acl.auth.php czyta acl.auth.php a nie users.auth.php.

Musisz ustawić pewne opcje config konfiguracyjne. Popatrz na przykład który możesz dodawać do local.php aby włączyć domyślny tekstowy sposób autoryzacji z publiczna rejestracją:

  $conf['useacl']       = 1;        // to włącza ACL 
  $conf['superuser']    = '@admin'; // admin group is superuser - admin jest grupą superuser

useacl włącza dodatek ACL. Wreszcie dodatek jest aktywny , przycisk logowania pojawia się na dole każdej ze stron Wiki, i użytkownicy mogą się rejestrować. Opcja superuser okresla kto może zrobić wszystko w DokuWiki (włączając w to dodawanie uprawnień ACL) - może to być pojedynczy użytkownik lub grupa (oznaczona na początku znakiem @).Kiedy instalujesz dokuwiki z instalatora, za pomocą przeglądarki wciśnij przycisk 'Login” i podążaj za linkiem “register”, i zarejestruj przynajmniej jednego użytkownika. (Jeśli nie widzisz linku rejestracyjnego ustawienia uprawnień do plików conf/users.auth.php conf/acl.auth.php są błędne i nie mogą być do nich zapisywane nowe dane) Wtedy edytuj conf/users.auth.php i zmień uprawnienia jednego użytkownia z “user” na “admin”. Od tąd powinien pojawiać się dodatkowy przycisk “Admin” dostepny jesli jesteś zalogowany jako użytkownik należący do grupy “admin”.

At this point, an additional security feature can be enabled. To disallow users to register themselves add 'register' to the disableactions option:

  $conf['disableactions'] = 'register';        // users are no longer allowed to register themselves

The old way of doing this was the openregister option which is deprecated.

If this behaviour is desired, users can only be added by an admin (either through the admin web interface or by editing conf/users.auth.php directly).

There are some additional configuration options which allow control over other aspects of ACL but for which many will find the default settings satisfactory.

$conf['autopasswd']  = 1;                //autogenerate passwords and email them to user
$conf['passcrypt']   = 'smd5';           //Used crypt method (smd5,md5,sha1,ssha,crypt,mysql,my411)
$conf['defaultgroup']= 'user';           //Default groups new Users are added to
$conf['profileconfirm'] = '1';           //Require current password to confirm changes to user profile
$conf['authtype']     = 'plain';         // plaintext backend (default)

Change autopasswd to 0 to allow users to select their own password when registering. This has the side-effect of removing the guarantee that the user has registered with a valid email address.
passcrypt determines the method of encryption used for storing passwords.
defaultgroup is fairly self-explanatory: all new users will be added to this group by default.
Set profileconfirm to 0 to allow a logged in user to change their profile (full name, password and email address) without having to confirm their current password.
DokuWiki can use different ways to access user and group data. By default it uses its own plaintext backend. The backend is chosen by setting the authtype option. Have a look at the backends page to see which options are available.

…

User management

Users can be added, removed and edited through the usermanager. For info on manually adding users see the descriptions in the plain backend documentation. By default users can register themselves as well.

Access Restrictions

Access restrictions can be bound to pages and namespaces. There are five permissions: read, edit, create, upload and delete. Each higher permission contains the lower ones, with read being the lowest and delete the highest one. You should note that create, upload and delete permissions can only be assigned to namespaces.

When DokuWiki checks which rights it should give to a user, it uses all rules matching the user's name or the groups he is in. The rule which gives the highest permission is used. Permissions are checked for the page first, then all upper namespaces are checked until a matching rule is found.

To add a restriction rule, browse to the page you want to restrict and enter the administration interface by pressing the Admin button (only available to the superuser). There select Access Control List Management. You're then presented with a table like the following, showing you all restrictions relevant to the current page.

Restrictions are added in the top row of the table. You need to select the scope, which can be either the current page itself, or one of the namespaces it is in ¹⁾. You also need to choose who you want to give (or deny) access to; this can either be a group or a user. And finally, you need to select the actual permissions you want. Selecting none effectivly locks out the specified user or group from the page or namespace..

Note: The delete permission affects media files only. Pages can be deleted (and restored) by everyone with at least edit permission. Someone who has upload permissions but no delete permissions can not overwrite existing media files anymore.

Special Groups

ALL. Everyone, even users not logged in, is a member of the ALL group. You can use this group to restrict access for all users (as a default setting) and then relax the permissions for some selected users. For example, in the screenshot above, no one is allowed to upload, except members of the upload group.

user. All self-registered users are by default automatically a member of the group 'user'. Use this to give permissions to 'logged-in' users. The name of this group is configured through the defaultgroup option. Other than the virtual “ALL” group, the “user” group is a real group to which all users are added automatically when using the plain auth backend. If you use another backend you need to use the groups provided by this backend.

Background Info

Access restrictions are saved in a file called conf/acl.auth.php, which should be writable by the webserver if you want to use the ACL admin interface. :!: It is not recommended to edit this file manually. Use the admin interface instead.

Empty lines and shellstyle comments are ignored. Each line contains 3 whitespace separated fields:

The resource to restrict. This can either be a pagename or a namespace. Namespaces are marked by an additional asterisk (see examples below)
A group or user name. Groupnames are marked by a leading @ character
A permission level (see below)

There are 7 permission levels represented by an integer. Higher levels include lower ones. If you can edit you can read, too. However the admin permission of 255 should never be used in the conf/acl.auth.php file. It is only used internally by matching against the superuser option.

Name	Level	applies to	Permission	DokuWiki constant
none	0	pages, namespaces	no permission – complete lock out	AUTH_NONE
read	1	pages, namespaces	read permission	AUTH_READ
edit	2	pages, namespaces	existing pages may be edited	AUTH_EDIT
create	4	namespaces	new pages can be created	AUTH_CREATE
upload	8	namespaces	mediafiles may be uploaded	AUTH_UPLOAD
delete	16	namespaces	mediafiles may be overwritten or deleted	AUTH_DELETE
admin	255	admin plugins	superuser²⁾ can change admin settings	AUTH_ADMIN

Here is an example:

*                     @ALL        4
*                     bigboss    16
start                 @ALL        1
marketing:*           @marketing  8
devel:*               @ALL        0
devel:*               @devel      8
devel:*               bigboss    16
devel:funstuff        bigboss     0
devel:*               @marketing  1
devel:marketing       @marketing  2

Lets go through it line by line (though see below for more):

This sets permission for the main namespace. Allowing everybody to edit and create pages. However upload is not allowed.
User bigboss is given full rights
The permissions for the start page are restricted to readonly for everyone
Then the permissions for the namespace marketing are set. All members of the marketing group are allowed to upload there - other users will be matched by line 1 so they can still create and edit. bigboss inherits his rights from line 2 so he can upload and delete files.
Now the access for the devel namespace is restricted. Nobody is allowed to do anything.
Well not nobody really – we give members of the devel group full rights here
And of course bigboss is allowed, too – and he's the only who can delete uploaded files
However the devel guys don't want their boss to see the funstuff page – remember exact pagematches override namespace permissions
And the marketing team may read everything in the devel namespace, too
And finally the marketing guys are allowed to edit the devel:marketing page as well.

Please note, that order does not matter in the file. The file is parsed as whole, then a perfect match for the current page/user combo is searched for. When a match is found further matching is aborted. If no match is found, group permissions for the current page are checked. If no match is found the check continues in the next higher namespace.

You can see this in the above example on the permissions for user bigboss. He is given full access in line 2, but needs to get full access for the devel:* namespace in line 7 again. If this line weren't there, the first match for user bigboss for a page inside the devel namespace would be line 5, because bigboss is member of the magic ALL group.

Note: To configure users or groups with special chars (like whitespaces) you need to URL escape them. This only applies to specialchars in the lower 128 byte range. The ACL file uses UTF-8 encoding so any multibytechars can be written as is. This only applies when a backend different from the plain one is used – the plain backend does not allow any special chars anyway.

¹⁾ the top-most namespace is called *

²⁾ see superuser