[Moin-user] Questions on the capabilities of Moin ACLs

Thomas Waldmann tw-public at gmx.de
Thu Oct 7 07:53:17 EDT 2004 

> My wiki is currently still just a sparkle in my eye and I'm shopping 
> around to find the right wiki engine to build it upon.

You have found it. <g>

> Ideally, I'd like to give each user his own 
> personal subspace that is editable only by him, to allow him to post his 
> own personal stories without having to worry about monitoring them for 
> vandalism and such.

If you gave every author "admin" rights ("admin" means being able to set 
or change ACLs) by acl_rights_default, he could change ACLs on pages not 
already having ACLs disallowing that change.

But be aware that this is a bit dangerous. If you give that right to an 
idiot, he can put new pages on the wiki (or change unprotected pages), 
so that they can't be changed/reverted/deleted by other people except 
the wiki admin himself.

> For example, if I were to sign on to the wiki with the username Bryan, 
> then the following pages should be editable only by myself (and admins):
> 
> Bryan
> Bryan/Richard III
> Bryan/Richard III/Act 6

There is no ACL inheritance yet.

Even the pages you see as "sub"pages are on the same level in reality 
(see data/text/ content).

So, except that's what set in moin_config, you have to set ACLs on every 
page individually (if needed).

Can be done, but also easily forgotten maybe.

> I've given http://moinmoin.wikiwikiweb.de/HelpOnAccessControlLists a 
> read-through and it looks like there are some wonderfully fine-grained 
> controls, but I don't see any way to apply different default ACLs to 
> pages based on their title.

This is not possible. Maybe some day we have ACL inheritance, but not in 
1.2 and not in early 1.3, definitely.

> Can I set up an ACL so that a non-admin user can set his own ACL 
> on a _new_ page, but not on one that already exists?

There is not really a wiki admin in moin. It is just usually called like 
that, when you make some specific user have admin rights (and all 
others) by moin_config.

Try that:

Make an AdminGroup page (== contains people having admin right)

acl_rights_default = "AdminGroup:+admin Known:read,write All:read"
acl_rights_before = "BryanDerksen:admin,read,write,delete,revert"

If there are usually no secret pages, use this additionally:
acl_rights_after = "All:read"
So you don't need to specify it on pages having ACLs. If you want to 
make a page secret, you still can write "#acl .... All:" onto it.

If a new trustworthy author JoeDoe joins, put him onto AdminGroup and 
tell him to put that onto page JoeDoe and subpages (and all other stuff 
"owned" by him):
#acl JoeDoe:admin,read,write,delete,revert

Except BryanDerksen, nobody will be able to change those ACLs or do more 
on the page than "read".

Please test that, I didn't try it out. :)

> would still be able to "claim" pages to put their stories on, but 
> wouldn't allow them to override each other's ACLs or lock people out of 
> existing public pages (I expect them to be well-behaved but it only 
> takes one bad apple to make a mess :).

If a page has no ACL on it, AdminGroup people will be able to do bad 
things. So at least on FrontPage, RecentChanges and other important 
pages, I would put some page ACLs...

> acl_rights_default = "AuthorGroup:read,write"
> acl_rights_after = "AuthorGroup:admin,read,write"

If JoeDoe makes a new page, he will not get admin rights this way. ACL 
processing stops on first hit, except +- is used.

> Am I right in believing that on pages that don't exist yet only 
> acl_rights_after applies, and as soon as they're created (and assuming 
> the new page wasn't given an ACL of its own by the page creator) 
> acl_rights_default comes into effect too?

Not quite.

"default" applies to any page not having ACLs defined on it.
"before" and "after" are just processed before/after the page or default 
acls are processed.

> right, this would result in "default" AuthorGroup rights overriding 
> "after" AuthorGroup rights only on pages that already exist, not on 
> newly-created ones.

I am not totally sure, but I think this is not true.

If you succeed, make a usage case on MoinMaster:HelpOnAccessControlLists

Thomas

More information about the Moin-user mailing list