Access Control Lists



1. Access rights

Every page has five access control lists (ACLs), read, write, comment, create and upload, which can be modified by the page owner (usually the user who created the page). read defines who is allowed to view the page, write defines who is allowed to edit it, and comment defines who is allowed to attach comments.


All ACLs are plain text lists containing a number of user names or the * placeholder representing "everyone". Entries can be inverted by prefixing them with an exclamation mark. For example, while * means "everybody has access", !* means "nobody has access". The exclamation mark modifier works with user names, too, of course.


An empty list implies "nobody has access". For example, if the write ACL only contains the line SomeGuy, only the SomeGuy user has access, but no one else. If it contains a line with * and another line with !SomeGuy, it means everybody has access except SomeGuy.


The read, write, comment, create and upload ACLs are available for every page on the site; Custom PageHandlers can introduce extra ACLs as needed.


In WackoWiki you can edit the ACL for every page.


An ACL consists of the following permissions:

  • read
  • write
  • comment
  • create
  • upload

The values for each permission are:

  • * – everyone is allowed
  • $ – only registered users
  • ! – nobody is allowed
  • [UserName] – names of allowed users
  • [GroupName] – names of allowed user groups (aliases)
  • (an empty list) – only the page owner has access

page permissions handler

2. Inheritance

Access rights are inherited. In other words, if you create a new page below an existing one (i.e. a child page), the new page gets the same access rights as its parent document. Inheritance happens only when the page is created, so the rights of the child and of the parent can later be changed without affecting each other.


One exception to the inheritance rule is the right to edit the document: for a new sub-page it is inherited from the ACL that controls the creation of sub-pages. For example, if only Boris and Anna may create sub-pages below this page, then only they will be able to edit a sub-page once it has been created.

3. Groups

WackoWiki supports groups of users (aliases). Only the site administrator can create and edit aliases.
To create an alias, edit config.php like this:


$wacko_config['aliases'] = array(
'Admins' => 'RomanIvanov',
'Workgroup' => 'RomanIvanov\nAlekseyKulakov',
);


This creates the alias Admins with one member, RomanIvanov, and the alias Workgroup with two members, RomanIvanov and AlekseyKulakov.


Alias names are case-insensitive.


Alias Admins is special. All of its members are admins, and, for example, can delete or rename any page.
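
The entry rules from section 1 and the alias expansion from section 3, modelled as an added Python example (not WackoWiki's own code). It assumes that a matching negated entry always wins, that the page owner always keeps access, and that a bare ! behaves like !*; the function names are hypothetical.

```python
# Added illustration: a model of the ACL rules described on this page,
# not WackoWiki's implementation.

# Constructed sample aliases mirroring the config.php example above. The
# single-quoted PHP string keeps \n as two literal characters, so the
# member list is split on that two-character sequence.
ALIASES = {"Admins": "RomanIvanov", "Workgroup": r"RomanIvanov\nAlekseyKulakov"}


def expand_aliases(entries, aliases):
    """Replace alias names (matched case-insensitively) with their members."""
    lookup = {name.lower(): members.split(r"\n") for name, members in aliases.items()}
    expanded = []
    for entry in entries:
        negated = entry.startswith("!")
        name = entry[1:] if negated else entry
        members = lookup.get(name.lower(), [name])
        expanded.extend(("!" if negated else "") + m for m in members)
    return expanded


def has_access(acl_text, user, owner, aliases=ALIASES):
    """Return True if `user` passes the ACL; `user` is None for a guest."""
    if user is not None and user == owner:
        return True  # assumption: the page owner always keeps access
    entries = [line.strip() for line in acl_text.splitlines() if line.strip()]
    allowed = False
    for entry in expand_aliases(entries, aliases):
        negated = entry.startswith("!")
        # assumption: a bare "!" is shorthand for "!*" (nobody is allowed)
        target = (entry[1:] or "*") if negated else entry
        if target == "*":
            matches = True
        elif target == "$":
            matches = user is not None  # registered users only
        else:
            matches = user is not None and target == user
        if matches and negated:
            return False  # assumption: a matching negated entry always wins
        allowed = allowed or matches
    return allowed  # an empty list matches nobody
```
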

4. Defaults

After installation, the default value for every action is set to * – all users (even unregistered users) have access.


The defaults are stored in Secondary Config:


  1. default_read_acl
  2. default_write_acl
  3. default_comment_acl
  4. default_create_acl
  5. default_upload_acl

For example, if you want only registered users to be able to edit a page, change the default values to:

'default_read_acl' => '*',
'default_write_acl' => '$',
'default_comment_acl' => '*',
'default_create_acl' => '$',
'default_upload_acl' => 'Admins',


Note: Changing the defaults will only affect newly created pages!
Pages which were created before changing the defaults will keep their original ACL!


If you want to change all ACLs, you can do it with a simple SQL query:

UPDATE wacko_acls SET list = '$' WHERE privilege = 'write';


If some of the ACLs have been set to specific users, it is better to update only those pages where write privileges are currently set to 'allow all':

UPDATE wacko_acls SET list = '$' WHERE privilege = 'write' AND list = '*';