Access Control Lists




1. Access rights

Every page has five access control lists (ACLs), read, write, comment, create and upload, which can be modified by the page owner (usually the user who created the page). read defines who is allowed to view the page, write defines who is allowed to edit it, and comment defines who is allowed to attach comments.


All ACLs are plain text lists containing a number of user names or the * placeholder representing "everyone". Entries can be inverted by prefixing them with an exclamation mark. For example, while * means "everybody has access", !* means "nobody has access". The exclamation mark modifier works with user names, too.


An empty list implies "nobody has access". For example, if the write ACL only contains the line SomeGuy, only the SomeGuy user has access, but no one else. If it contains a line with * and another line with !SomeGuy, it means everybody has access except SomeGuy.


The read, write, comment, create and upload ACLs are available for every page on the site; custom page handlers can introduce extra ACLs as needed.


In WackoWiki you can edit the ACL for every page.


An ACL consists of the following permissions:

  • read
  • write
  • comment
  • create
  • upload

The values for each permission are:

* everyone is allowed
$ only registered users
! a preceding exclamation mark denies the respective right
[UserName] names of allowed users
[GroupName] names of allowed user groups (aliases)
(an empty list) only the page owner has access

page permissions handler
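The following evaluator is an added example, not WackoWiki's own code; it shows how a single ACL list written in the syntax above can be decided for a given visitor. The function names, the precedence order (named entries before $, $ before *, deny before allow), case-insensitive user names and the owner bypass are assumptions made for illustration.

```python
# Added example, not WackoWiki's code. Assumptions are marked in comments.

def parse_acl(text):
    """Split an ACL (one entry per line) into (allowed, denied) sets."""
    allowed, denied = set(), set()
    for line in text.splitlines():
        entry = line.strip().lower()      # assumption: names compare case-insensitively
        if entry.startswith("!"):
            denied.add(entry[1:].strip())
        elif entry:
            allowed.add(entry)
    return allowed, denied


def has_access(acl_text, user=None, groups=None, owner=None):
    """Decide one privilege. user=None is an anonymous visitor;
    groups maps alias name -> list of member names."""
    if user is not None and owner is not None and user.lower() == owner.lower():
        return True                       # assumption: the owner is never locked out
    allowed, denied = parse_acl(acl_text)
    names = set()
    if user is not None:
        names.add(user.lower())
        for alias, members in (groups or {}).items():
            if user.lower() in (m.lower() for m in members):
                names.add(alias.lower())
    # Assumption: named entries beat "$", "$" beats "*", and at each
    # level a "!" entry beats a plain one, whatever the line order.
    if names & denied:
        return False
    if names & allowed:
        return True
    if user is not None and "$" in denied:
        return False
    if user is not None and "$" in allowed:
        return True
    return "*" in allowed and "*" not in denied


if __name__ == "__main__":
    # Constructed sample data: the write ACL "* / !SomeGuy" from the text above.
    acl = "*\n!SomeGuy"
    for who in (None, "Anna", "SomeGuy"):
        print(who, has_access(acl, user=who))
```
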

2. Inheritance

Access rights are inherited. In other words, if you create a new page below an existing one (i.e. a child page), the new page gets the same access rights as its parent. Inheritance happens only when the page is created, so the rights of the child or the parent can later be changed without affecting each other.


One exception to the inheritance rules is the right to edit the document, which is inherited from the parent's ACL for creating sub-pages. For example, if only Boris and Anna can create sub-pages below this page, then only they will be able to edit a sub-page once it has been created.

3. Groups

Groups can be administered via the Admin panel.


user group management


WackoWiki supports groups of users (aliases). Only the site administrator can create and edit aliases.


Alias names are case-insensitive.


The Admins alias is special. All of its members are admins and can, for example, delete or rename any page.

4. Defaults

After installation, the default value for every action is set as defined in config_default.php.


To change the default ACL settings, go to the Settings -> Permissions section in the Admin panel.


default ACL settings in the Admin Panel


The defaults are stored in Secondary Config:


  1. default_read_acl
  2. default_write_acl
  3. default_comment_acl
  4. default_create_acl
  5. default_upload_acl

E.g., if you want only registered users to be able to edit a page, change the default values to:

'default_read_acl' => '*',
'default_write_acl' => '$',
'default_comment_acl' => '$',
'default_create_acl' => '$',
'default_upload_acl' => 'Admins',	

Note

Changing the defaults will only affect newly created pages.
Pages that were created before the defaults were changed keep their original ACLs.

If you want to change all ACLs, you can do it with a simple SQL query:

UPDATE wacko_acl SET list = '$' WHERE privilege = 'write';	

If some of the ACLs have been set to specific users, it is better to update only those pages where write privileges are currently set to 'allow all':

 UPDATE wacko_acl SET list = '$' WHERE privilege = 'write' AND list = '*';	

For comments:

 UPDATE wacko_acl SET list = '$' WHERE privilege = 'comment' AND list = '*';	

Note that the prefix wacko_ may need to be replaced by the current one in your wiki.


Attention:

The Login page must always be set to * for read; otherwise it is no longer possible to log in to the wiki.

5. Modes

5.1. Protective measures


  • Only assign rights that are really necessary.
  • Security settings

5.2. Use

Wiki -> Cluster -> Page

Open Wiki
Anyone can read and write in this wiki without registering. Typically installed on the intranet.


Semi-open wiki
Only registered users can write here. Anyone can post comments.


Protected wiki
Anyone can read in this wiki, but only users who have registered in the wiki are allowed to write.


Private Wiki
Only members of the cluster can read and write in a private wiki. If you want to participate in a private wiki, the administrator / owner must activate you.