[dokuwiki] ACL: What if "none" always prevails?

Hi.

I've been trying to set up ACL permissions in our internal wiki, which
mainly uses Active Directory groups for permissions. I have used the
DokuWiki group "ALL" to set generic permissions in our entire wiki to
"read". That works well since we want most of our information to be
readable by all our users, but there are certain types of users that we
want to deny access to the wiki (guests, external users). I tried using
an AD group and giving it the ACL "none" in the root of our wiki, but
they can still access all information that "ALL" has read access to. I
also tried explicitly setting the group permissions to "none" on a
namespace that also has "ALL: Read" and the result is "read".

The DokuWiki page on ACLs says this:

"When DokuWiki checks which rights it should give to a user, it uses all
rules matching the user's name or the groups he is in. The rule which
gives the highest permission is used. Permissions are checked for the
page first, then all upper namespaces are checked until a matching rule
is found."

That makes it very difficult to give "everyone except a few" access to a
wiki, unless the "none" permission always prevails. In Windows (NTFS)
file permissions, the "deny" permission always overrules any other
permissions, i.e. if you are a member of two groups and one has "full
control" and the other has "deny", you will be denied access. That is a
special case; in other combinations the highest permission is applied
(if you have both "read" and "change", you will have "change"
permissions).

Would it be possible to change DokuWiki's ACL behaviour to make "none" a
special case that always wins? It might break some plugins that rely on
the fact that the highest permission always wins (one example is
UNDERCONSTRUCTION, it sets ALL to "none" and the editing user to "edit"
to make the page "invisible" to everyone but the creator/editor), but it
would make it possible to have very simple ACL rules if you want
"everyone but a few" access to the wiki. One possible solution to
UNDERCONSTRUCTION would be if you could deactivate permissions
inheritance for files and/or folders, that way you could remove
inheritance and only add the user to the explicit ACL for the file and
it would have the same effect.

/Daniel
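
The following is an added example, not part of the original post and not DokuWiki's own code: a simplified Python model of the rule evaluation described in the quoted documentation, next to the "none always wins" variant the post proposes. The group, user and page names are constructed, and the scope notation (`*`, `ns:*`) is an assumption of this model.

```python
# Simplified model of the rule matching quoted above; not DokuWiki's code.
NONE, READ, EDIT = 0, 1, 2  # permission levels, higher grants more

def scopes(page_id):
    """Yield ACL scopes from most to least specific: page, namespaces, root."""
    yield page_id
    parts = page_id.split(":")[:-1]
    while parts:
        yield ":".join(parts) + ":*"
        parts.pop()
    yield "*"

def check(rules, page_id, user, groups, deny_wins=False):
    """Return the permission from the first scope that has a matching rule.

    deny_wins=False: highest matching permission wins (documented behaviour).
    deny_wins=True:  any matching "none" wins (the change proposed in the post).
    """
    subjects = {user} | {"@" + g for g in groups} | {"@ALL"}
    for scope in scopes(page_id):
        perms = [p for s, who, p in rules if s == scope and who in subjects]
        if perms:
            if deny_wins and NONE in perms:
                return NONE
            return max(perms)
    return NONE  # no rule matched anywhere

# Constructed rules mirroring the post: group and page names are hypothetical.
RULES = [
    ("*", "@ALL", READ),           # everyone may read the whole wiki
    ("*", "@external", NONE),      # attempt to lock out an AD group
    ("draft:page", "@ALL", NONE),  # UNDERCONSTRUCTION-style hidden page
    ("draft:page", "editor", EDIT),
]

if __name__ == "__main__":
    for deny in (False, True):
        print("deny_wins =", deny)
        print("  external on start:   ", check(RULES, "start", "guest1", ["external"], deny))
        print("  editor on draft:page:", check(RULES, "draft:page", "editor", ["staff"], deny))
```

With highest-wins, the external user still gets read at the root while the editor keeps edit on the hidden page; with deny-wins, the external user is locked out but the editor loses access too, which is the plugin breakage the post anticipates.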
