Access Control Lists
When Access Control Lists, or ACLs for short, are turned on, you will be able to control who may do what on or with a wiki page.
1. Contents
Contents
2. Basics
Using ACLs in moin is as easy as including a control line at the top of the page you want to control, like the following one:
#acl SomeUser:read,write All:read
This will allow SomeUser to read and write on that page, while every other user will be able to read but not edit it (unless you've done some special setup in the site configuration).
3. Syntax
The syntax for each line is as follows:
#acl [+-]User[,SomeGroup,...]:[right[,right,...]] [[+-]OtherUser:...] [[+-]Trusted:...] [[+-]Known:...] [[+-]All:...] [Default]
Where:
User is a user name and triggers only if the user matches.
SomeGroup is a page name matching page_group_regex (see #Configuration) with some lines in the form " * Member" (see #Groups).
Trusted is a special group containig all authenticated users (like when using password login).
Known is a special group containing all valid users (like when using the cookie).
All is a special group containing all users (known and anonymous users).
Default is a special entry which inserts at the given place the entries from acl_rights_default (see #Default).
right may be an arbitrary word like read, write, delete, revert, admin. Only words in acl_rights_valid are accepted, others are ignored. It is allowed to specify no rights, which means that no rights are given.
4. Available rights
These are the available rights you can use in an ACL entry:
- read
- Given users will be able to read text of this page.
- write
- Given users will be able to write (edit) text of this page.
- delete
- Given users will be able to delete this page and its attachments.
- revert
- Given users will be able to revert this page to an older version.
- admin
- Given users will have admin rights for this page. It means users will be able to change ACL settings, including granting "admin" to others and revoking "admin" from others.
5. Processing logic
When some user is trying to access some ACL-protected resource, the ACLs will be processed in the order they're found. The first matching ACL will tell if the user has access to that resource or not.
Due to that first match algorithm, you should sort your ACLs: first single usernames, then special groups, then more general groups, then Known and at last All.
For example, the following ACL tells that SomeUser is able to read and write the resources protected by that ACL, while any member of SomeGroup (besides SomeUser, if part of that group) may also admin that, and every other user is able to read it.
#acl SomeUser:read,write SomeGroup:read,write,admin All:read
To make the system more flexible, there are also two modifiers: the prefixes '+' and '-'. When they are used, the given ACL entry will only match if the user is requesting the given rights. As an example, the above ACL could also be written as:
#acl -SomeUser:admin SomeGroup:read,write,admin All:read
Or even:
#acl +All:read -SomeUser:admin SomeGroup:read,write,admin
Notice that you probably won't want to use the second and third examples in ACL entries of some page. They're very useful on the site configuration entries though.
6. Inheriting from defaults
Sometimes it might be useful to give rights to someone without affecting too much the default rights. For example, let's suppose you have the following entries in your configuration:
acl_rights_default = "TrustedGroup:read,write,delete,revert All:read" acl_rights_before = "AdminGroup:admin,read,write,delete,revert +TrustedGroup:admin"
Now, you have some page where you want to give the "write" permission for SomeUser, but also want to keep the default behavior about All and TrustedGroup. You can easily do that using the Default entry:
#acl SomeUser:read,write Default
This will insert the entries from acl_rights_default in the exact place where the Default word is placed. In other words, the entry above, with the given configuration, is equivalent to the following entry:
#acl SomeUser:read,write TrustedGroup:read,write,delete,revert All:read
While they represent the same thing, inheriting from the defaults has the advantage of automatically following any further change introduced in the defaults.
7. Configuration
These are the configuration items used to setup ACLs on a moin site.
Entry |
Default |
Description |
acl_enabled |
0 |
If true will enable ACL support. |
acl_rights_before |
"" |
applied before page or default ACLs |
acl_rights_after |
"" |
applied after page or default ACLs |
acl_rights_default |
"Trusted:read,write,delete,revert Known:read,write,delete,revert All:read,write" |
only used when no other ACLs are given on the page being accessed |
acl_rights_valid |
["read", "write", "delete", "revert", "admin"] |
These are the acceptable (known) rights (and the place to extend, if necessary). |
So you know now what it does, but what does it mean?
"before" means forcing stuff (this is because of first match algorithm)
"after" means not forgetting stuff accidently (like maybe giving read rights to all)
"default" means what is done if no ACLs are used on the page. It is equivalent to writing exactly these ACLs onto a page.
8. Groups
User groups make it easier to specify rights for bigger groups.
Only SomeUser's friends can read and edit this page:
#acl SomeUser:read,write SomeUser/FriendsGroup:read,write
SomeUser/FriendsGroup would be a page with each top-level list item representing a wiki username in that group:
#acl SomeUser:read,write,admin,delete,revert * JoeSmith * JoeDoe * JoeMiller
A page named AdminGroup (matching config.page_group_regex) could define a group of that name and could be also protected by ACLs:
#acl AdminGroup:admin,read,write All:read * SomeUser * OtherUser * This is currently ignored. Any other text not in first level list will be ignored.
You can configure which page names are considered as group definition pages (e.g. for non-english wikis):
page_group_regex = '.*Group$' # this is the default
9. Usage cases
9.1. Public community Wiki on the Internet
The most important point here is to use ACLs only in cases where really needed. Wikis depend on openness of information and free editing. They use soft security to clean up bad stuff. So there is no general need for ACLs. If you use them too much, you might destroy the way wiki works.
This is why either ACLs should not be used at all (default) or, if used, the moin_config.py should look similar to that:
acl_rights_before = 'WikiEditorName:read,write,admin,delete,revert +AdminGroup:admin BadGuy:'
The default acl_rights_default option should be ok for you:
acl_default = 'Known:read,write,delete,revert All:read,write'
A good advice is to have only a few and very trusted admins in AdminGroup (they should be very aware of how a wiki works or they would maybe accidently destroy the way the wiki works: by its openness, not by being closed and locked!).
If using AdminGroup, you should make a page called AdminGroup and use it to define some people who get admin rights.
Specifing BadGuy like shown above basically locks him out - he can't read or edit anything with that account. That makes only sense if done temporarily, otherwise you also could just delete that account. Of course, this BadGuy can also work anonymously, so this is no real protection (this is where soft security will apply).
9.2. Wiki as a simple CMS
If you want to use a wiki to easily create web content, but if you don't want edits by the public (but only by some webmasters), you maybe want to use that in your moin_config.py:
acl_rights_default = 'All:read' acl_rights_before = 'WebMaster,OtherWebMaster:read,write,admin,delete,revert'
So everyone can read, but only the Webmasters can do anything else. As long as they still work on a new page, they can put
#acl All:
on it, so nobody else will be able to see the unready page. When being finished with it, don't forget to remove that line again, so that acl_rights_default will be used.
Some page(s) could also allow public comments (like one being called PublicComments), so you give more rights on that page:
#acl All:read,write
9.3. Wiki on Intranet
If you want to use a wiki on your intranet and you trust your users (not doing hostile stuff like locking others out or hijacking pages) to use the admin functionality in a senseful way, you maybe want to use that:
acl_rights_default = 'Known:admin,read,write,delete,revert All:read,write' acl_rights_before = 'WikiAdmin,BigBoss:read,write,admin,delete,revert'
So everyone can read, write and change ACL rights, WikiAdmin and BigBoss are enforced to be able to do anything, known users get admin rights by acl_rights_default (so they get it as long as no other ACL is in force for a page).
Consequences:
- on a new page, the page creator can put any ACLs he wants
- on existing pages, not having ACLs yet, any known user can set up any ACLs he wants
all people (except WikiAdmin and BigBoss) can be locked out by anybody ("known") else on pages without ACLs
9.4. Wiki as a public company page
If you want to use a wiki as the company page, and don't want every user being able to change the company page content, you may want to use something like this:
acl_rights_default = "TrustedGroup:admin,read,write,delete,revert All:read" acl_rights_before = "AdminGroup:admin,read,write,delete,revert +TrustedGroup:admin"
This means that:
- by default known and anonymous users are only allowed to read pages
on a new page, users in TrustedGroup can put any ACLs they want
on existing pages, not having ACLs yet, any user in TrustedGroup user can set up any ACLs he wants
all people, except people in AdminGroup, can be locked out by other admins or trusted users
people in TrustedGroup get use their admins rights on any page they're able to write, even if there are specific ACLs
9.5. Comments on read-only page
You can easily add a comments section to a read-only page by using a writable subpage, and allowing users to write on it. For example, you can define SomePage like this:
#acl SomeUser:read,write All:read '''Some read-only content''' ... ''' User comments ''' [[Include(SomePage/Comments)]]
And SomePage/Comments like this:
#acl All:read,write Add your comments about SomePage here.