[Moin-user] Questions on the capabilities of Moin ACLs
Thomas Waldmann
tw-public at gmx.de
Thu Oct 7 07:53:17 EDT 2004
> My wiki is currently still just a sparkle in my eye and I'm shopping
> around to find the right wiki engine to build it upon.
You have found it. <g>
> Ideally, I'd like to give each user his own
> personal subspace that is editable only by him, to allow him to post his
> own personal stories without having to worry about monitoring them for
> vandalism and such.
If you gave every author "admin" rights ("admin" means being able to set
or change ACLs) by acl_rights_default, he could change ACLs on pages not
already having ACLs disallowing that change.
But be aware that this is a bit dangerous. If you give that right to an
idiot, he can put new pages on the wiki (or change unprotected pages),
so that they can't be changed/reverted/deleted by other people except
the wiki admin himself.
> For example, if I were to sign on to the wiki with the username Bryan,
> then the following pages should be editable only by myself (and admins):
>
> Bryan
> Bryan/Richard III
> Bryan/Richard III/Act 6
There is no ACL inheritance yet.
Even the pages you see as "sub"pages are on the same level in reality
(see data/text/ content).
So, except for what's set in moin_config, you have to set ACLs on every
page individually (if needed).
Can be done, but also easily forgotten maybe.
> I've given http://moinmoin.wikiwikiweb.de/HelpOnAccessControlLists a
> read-through and it looks like there are some wonderfully fine-grained
> controls, but I don't see any way to apply different default ACLs to
> pages based on their title.
This is not possible. Maybe some day we will have ACL inheritance, but not in
1.2 and not in early 1.3, definitely.
> Can I set up an ACL so that a non-admin user can set his own ACL
> on a _new_ page, but not on one that already exists?
There is not really a wiki admin in moin. It is just usually called like
that, when you make some specific user have admin rights (and all
others) by moin_config.
Try this:
Make an AdminGroup page (== contains people having admin right)
    acl_rights_default = "AdminGroup:+admin Known:read,write All:read"
    acl_rights_before = "BryanDerksen:admin,read,write,delete,revert"
If there are usually no secret pages, use this additionally:
    acl_rights_after = "All:read"
So you don't need to specify it on pages having ACLs. If you want to
make a page secret, you still can write "#acl .... All:" onto it.
If a new trustworthy author JoeDoe joins, put him onto AdminGroup and
tell him to put that onto page JoeDoe and subpages (and all other stuff
"owned" by him):
    #acl JoeDoe:admin,read,write,delete,revert
Except BryanDerksen, nobody will be able to change those ACLs or do more
on the page than "read".
Please test that, I didn't try it out. :)
> would still be able to "claim" pages to put their stories on, but
> wouldn't allow them to override each other's ACLs or lock people out of
> existing public pages (I expect them to be well-behaved but it only
> takes one bad apple to make a mess :).
If a page has no ACL on it, AdminGroup people will be able to do bad
things. So at least on FrontPage, RecentChanges and other important
pages, I would put some page ACLs...
> acl_rights_default = "AuthorGroup:read,write"
> acl_rights_after = "AuthorGroup:admin,read,write"
If JoeDoe makes a new page, he will not get admin rights this way. ACL
processing stops on first hit, except +- is used.
> Am I right in believing that on pages that don't exist yet only
> acl_rights_after applies, and as soon as they're created (and assuming
> the new page wasn't given an ACL of its own by the page creator)
> acl_rights_default comes into effect too?
Not quite.
"default" applies to any page not having ACLs defined on it.
"before" and "after" are just processed before/after the page or default
acls are processed.
> right, this would result in "default" AuthorGroup rights overriding
> "after" AuthorGroup rights only on pages that already exist, not on
> newly-created ones.
I am not totally sure, but I think this is not true.
If you succeed, make a usage case on MoinMaster:HelpOnAccessControlLists
Thomas
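
A small Python model of the evaluation order described in this thread (before, then the page's ACL or the default if the page has none, then after; the first matching entry decides unless it carries + or -). It is an added example, not MoinMoin's own code and not part of the original mail. The group memberships and the user JaneRoe are constructed, and accepting the modifier before either the names or the rights is an assumption.

```python
# Simplified model of the ACL evaluation described in this mail; not MoinMoin's code.
def parse(acl):
    """Yield (modifier, names, rights) for each whitespace-separated entry."""
    for entry in acl.split():
        names, _, rights = entry.partition(":")
        mod = ""
        # Assumption: accept '+'/'-' written before the names or before the rights.
        if names[:1] in ("+", "-"):
            mod, names = names[0], names[1:]
        elif rights[:1] in ("+", "-"):
            mod, rights = rights[0], rights[1:]
        yield mod, names.split(","), [r for r in rights.split(",") if r]

def matches(user, name, groups):
    if name == "All":
        return True
    if name == "Known":
        return user is not None  # None models an anonymous visitor
    return user == name or user in groups.get(name, ())

def may(user, right, page_acl, cfg, groups):
    """before -> page ACL (or default if the page has none) -> after."""
    middle = cfg["default"] if page_acl is None else page_acl
    chain = " ".join([cfg.get("before", ""), middle, cfg.get("after", "")])
    for mod, names, rights in parse(chain):
        if not any(matches(user, n, groups) for n in names):
            continue
        if mod == "":
            return right in rights   # unmodified first hit decides and stops
        if right in rights:
            return mod == "+"        # '+' grants, '-' denies; otherwise keep going
    return False

# Constructed sample data: group membership and JaneRoe are not from the mail.
GROUPS = {"AdminGroup": {"JoeDoe", "JaneRoe"}, "AuthorGroup": {"JoeDoe"}}
THOMAS = {"before": "BryanDerksen:admin,read,write,delete,revert",
          "default": "AdminGroup:+admin Known:read,write All:read",
          "after": "All:read"}
BRYAN = {"default": "AuthorGroup:read,write", "after": "AuthorGroup:admin,read,write"}
JOE_PAGE = "JoeDoe:admin,read,write,delete,revert"

if __name__ == "__main__":
    for user in ("BryanDerksen", "JoeDoe", "JaneRoe", None):
        print(user, {r: may(user, r, JOE_PAGE, THOMAS, GROUPS) for r in ("read", "write", "admin")})
    print("AdminGroup member, page without ACL:", may("JaneRoe", "admin", None, THOMAS, GROUPS))
    print("Quoted config, new page, admin:", may("JoeDoe", "admin", None, BRYAN, GROUPS))
```

In this model an AdminGroup member other than the owner gets only read on the ACL-protected JoeDoe page but admin on any page without an ACL, and the quoted default/after pair never grants admin because the unmodified default entry matches first.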