Let ACL permissions for @ALL not restrict other groups
Thomas W #1
Member since Feb 2019 · 6 posts
Group memberships: Members
Subject: Let ACL permissions for @ALL not restrict other groups
We have a private wiki. Occasionally, we want to make specific namespaces public. So for that namespace, we create an ACL rule for @ALL and set it to "Read". This, however, results in everybody (except maybe admins) being restricted to read rights in that namespace.

Is there a way to make sub-namespaces accessible to not logged in users while inheriting the rights for all other users?
MartinR #2
Member since Jul 2015 · 151 posts · Location: UK
Group memberships: Members
You can specify an ACE for the group @user. For instance, the ACL on my top level has:
@ALL - read
@user - upload

Which means that anyone can read the top level, but only logged-in users can edit, create or upload. If that is not fine-grained enough, in the user manager you can add any group you like to those users that you wish to specify.
Thomas W #3
Member since Feb 2019 · 6 posts
Group memberships: Members
That does not address the problem. To illustrate this better:

Say we have the groups @ALL, @user, @staff, @admin and @projectB.

Say I have the following rules:

*      @ALL        0 (None)
*      @user       0 (None)
*      @staff     16 (Delete)
a:b:*  @projectB   2 (Edit)

I want to make pages inside a:b:c:* public (e.g. the page a:b:c:d). I create this ACL rule:
a:b:c:*    @ALL    1 (Read)

Now, apparently everybody from all the groups is restricted to reading in a:b:c:*. I would now have to re-state all the rules:

a:b:c:*    @staff     16 (Delete)
a:b:c:*    @admin     16 (Delete)
a:b:c:*    @projectB   2 (Edit)

I'm not happy with this because

  • it litters the ACL
  • changing permissions becomes error-prone because multiple rules have to be kept in sync. For example, if I want to elevate @projectB's rights to upload in a:b:*, I have to make sure that I change the rule a:b:c:* for @projectB as well.
  • Also, when an admin changes the ACL, he needs to be aware of whether such an "inner rule" was created because the outer rule needed repeating or whether it was intended as a rule in and of itself (additional documentation might be required for each rule).

Not sure if there are any existing solutions to the problem.
MartinR #4
Member since Jul 2015 · 151 posts · Location: UK
Group memberships: Members
I think you'll have to litter. Have a look at https://www.dokuwiki.org/acl. There is no "inheritance" per se; it is achieved by a search path:

From my "wiki_acls" page:

"At each step below the parser looks for an entry which matches the user or any group to which he belongs (including @ALL). If there is no ACE go to the next step, if one ACE then use it, and if more than one give the greatest access. For instance @admins are all also @users, so don't need duplicate entries.

The steps are:

    The specific page being requested.
    The namespace in which the page is.
    Higher namespaces in turn (if any).
    The Global settings."

As soon as you apply @ALL to the subnamespace, ALL users will match it, and the search terminates at once.

I set up an admin page with two tables:
1)  List all the groups and a description of who is in them (a description, not a list).
2)  List resources, groups and access, with an explanation.

When I was running this in a live application it worked fairly well.  We had three categories of users (with access to their namespaces) plus an operations area.  Users could modify their areas but only read most of the rest.  Admins could modify nearly everything with only the superuser able to mess with privileged reports such as the access log.
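The search-path lookup quoted above, worked through on the rule set from post #3, as an added example. This is not DokuWiki's own code: it is a small model of the behaviour MartinR describes (check the page, then its namespace, then each higher namespace, then `*`; at the first step with a matching ACE take the highest permission; @ALL matches everyone, @user matches any logged-in user). The ACL strings below are the rules Thomas W posted with the re-stated and "drifted" variants added here; the user names and group memberships are constructed for the example, and the superuser short-cut DokuWiki applies is left out of the model.

```python
"""Model of the ACL search path described in the thread (example code,
not DokuWiki's implementation).  Permission levels are DokuWiki's
numeric values; AUTH_ADMIN for the superuser is outside this model."""

AUTH_NONE, AUTH_READ, AUTH_EDIT, AUTH_CREATE, AUTH_UPLOAD, AUTH_DELETE = 0, 1, 2, 4, 8, 16

# Rules from post #3 plus the public sub-namespace (constructed ACL text).
ACL_PUBLIC = """
*        @ALL        0
*        @user       0
*        @staff     16
a:b:*    @projectB   2
a:b:c:*  @ALL        1
"""

# Same, with the outer rules re-stated inside a:b:c:* as post #3 proposes.
ACL_RESTATED = ACL_PUBLIC + """
a:b:c:*  @staff     16
a:b:c:*  @projectB   2
"""

# The sync hazard from post #3: @projectB raised to upload in a:b:*, but the
# re-stated inner rule for a:b:c:* was forgotten and still says edit.
ACL_DRIFTED = ACL_RESTATED.replace("a:b:*    @projectB   2", "a:b:*    @projectB   8")


def parse_acl(text):
    """Parse 'scope subject perm' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        scope, subject, perm = line.split()
        rules.append((scope, subject, int(perm)))
    return rules


def subjects(user, groups):
    """Names an ACE may carry to match this user: @ALL always, @user and
    the user's own name and groups when logged in."""
    names = {"@ALL"}
    if user is not None:
        names.add(user)
        names.add("@user")
        names.update("@" + g.lstrip("@") for g in groups)
    return names


def search_path(page_id):
    """Yield scopes from most to least specific: page, ns:*, parent ns:*, ... , *."""
    parts = page_id.split(":")
    yield page_id
    ns = parts[:-1]
    while ns:
        yield ":".join(ns) + ":*"
        ns.pop()
    yield "*"


def acl_check(rules, page_id, user=None, groups=()):
    """Effective permission: first scope on the search path with any matching
    ACE wins, and within that scope the highest permission is used."""
    names = subjects(user, groups)
    for scope in search_path(page_id):
        matches = [perm for s, who, perm in rules if s == scope and who in names]
        if matches:
            return min(max(matches), AUTH_DELETE)  # namespaces cap at delete
    return AUTH_NONE


def effective(acl_text, page_id, user=None, groups=()):
    """Convenience wrapper: parse the ACL text and resolve one page."""
    return acl_check(parse_acl(acl_text), page_id, user, groups)


if __name__ == "__main__":
    for label, acl in (("public", ACL_PUBLIC), ("restated", ACL_RESTATED), ("drifted", ACL_DRIFTED)):
        print(label)
        print("  anonymous  a:b:c:d ->", effective(acl, "a:b:c:d"))
        print("  staff      a:b:c:d ->", effective(acl, "a:b:c:d", "alice", ("staff",)))
        print("  projectB   a:b:c:d ->", effective(acl, "a:b:c:d", "bob", ("projectB",)))
        print("  projectB   a:b:x   ->", effective(acl, "a:b:x", "bob", ("projectB",)))
```

With ACL_PUBLIC the staff member drops from delete (16) to read (1) on a:b:c:d, exactly the complaint in post #3, because the @ALL entry at a:b:c:* matches her and stops the search before the `*` rules are reached. ACL_RESTATED restores 16 and 2 at that level, and ACL_DRIFTED shows why the restated rules are a maintenance risk: @projectB gets upload (8) on a:b:x but still only edit (2) on a:b:c:d.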
Thomas W #5
Member since Feb 2019 · 6 posts
Group memberships: Members
That is a really good explanation you quote there from your "wiki_acls" page. Is that page public?
MartinR #6
Member since Jul 2015 · 151 posts · Location: UK
Group memberships: Members
Sorry, no.  Details of ACLs were not published even to regular users, just a statement telling them what they were authorised to do.  My home system hides behind a firewall which I could open up, but haven't found a need to do so yet, particularly since it brings in the overhead of extra security and external DNS.
This board is powered by the Unclassified NewsBoard software, 20150713-dev, © 2003-2015 by Yves Goergen