[dokuwiki] SV: Re: SV: Re: ACL: What if "none" always prevails?
- From: "Lindgren Daniel" <daniel.lindgren@xxxxxxxxxxxxx>
- To: <dokuwiki@xxxxxxxxxxxxx>
- Date: Wed, 21 Jan 2009 16:58:25 +0100
> Though I see the usecase I don't like to change the ACLs since most
users are already confused by its complexity and
> the ACLs are flexible enough for 99% of the cases (yes I'm making up
that figure).
I can understand that, but I actually think that making "none" always
mean "none" makes it clearer and less complex.
> One could argue that the problem is not within DokuWiki's ACLs but the
setup of your Active Directory ;-).
You could, but you'd be wrong ... ;)
I think that most AD's are built with the notion that you use "Domain
Users" (similar to DokuWikis @ALL) to set read only permissions, create
smaller groups to set higher permissions and, if necessary, specific
(and often very small) groups to explicitly deny.
DokuWiki's ACL system is very close to NTFS (basic) file permissions,
with the exception of how "none"/deny works.
> Users always get the highest permission assigned to the same
> namespace. So if you give read access to @ALL on the root namespace,
> then you can do restrictions only for sub namespaces. Eg. this would
> restrict access for guest users on the secret namespace. All other
> users would still have read access (or upload if they belong to the
> @users group).
>
> * @ALL 1
> * @users 8
> secret:* @guests 0
> secret:* @users 8
>
May I just add that the above permissions can quite easily (and
inadvertently) be compromised. As described above, the @guests group can
not access the "secret" namespace with the above ACL's.
Let's say that someone decides that read access for @ALL isn't enough in
"secret", @ALL should be allowed to edit pages in that namespace and
adds this:
secret:* @ALL 2
Now you have opened upp the entire "secret" namespace to @guests too ...
That is illogical to me, that a group that explicitly has "none"
permissions now actually has edit permissions, but I am used to
Windows/NTFS security settings, where "deny" always prevails.
In a very small setting, with a a few namespaces and a handful of users,
the current DokuWiki ACL functionality isn't a problem. You can create
new exclusive groups (where users are never part of two groups), move
users between groups and move ACL's around a bit to make it work like
you want, but it is not practical when you have thousands of users,
hundreds of groups and thousands of pages.
I'd greatly prefer if "none" always means "none", that way you can use
@ALL for basic (mostly "read") ACL settings, some AD groups for higher
permissions and sprinkle some "none" ACL's where appropriate, knowing
that you really have shut the affected users/groups out from those
sections.
BTW, in DokuWiki 2008-05-05, the ACL's are incorrectly previewed on the
management page, at least if you use AD groups. If, in your original
example, you choose "Permissions for" the @guests AD group and check
permissions on "secret", it will say that they have "Read" permissions
(inherited) when in reality they have "None". If you add "Edit" for @ALL
on "secret" (as in my example) it will correctly show "Read, Edit" for
@guests.
/Daniel
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
Other related posts:
- » [dokuwiki] SV: Re: SV: Re: ACL: What if "none" always prevails? - Lindgren Daniel
