ScrewTurn Wiki 5.0 features an advanced permissions system that allows you to configure access rules for namespaces, single pages and upload directories and for some global actions.
Introduction
The permissions system in STW is basically a custom-built ACL (Access Control List) engine. An ACL entry determines whether a subject can perform an action on a resource.
A subject is either a user or a user group. A resource is a namespace, a page, an upload directory or a generic global resource called globals (more on this later). Actions are resource-specific and define the activities that can be performed on a resource; some actions include other actions (for example, if you grant write permission on a resource to a user, she is also able to read the same resource).
Note: managing complex permission schemes can be difficult and, if done the wrong way, can lead to security issues in your wiki. For this reason, do not change permissions in a way that you do not fully understand.
ScrewTurn Wiki is automatically configured with a set of safe permissions that allow global read-only access to anonymous users, partial write access to registered users and full access to administrators.
Users, Groups and Deny Priority
As said, you can assign permissions to users or to groups of users. By default, ScrewTurn Wiki defines three user groups, Anonymous Users, Users and Administrators, but you are free to create other groups and assign specific permissions to them.
General Rules
- An action can either be granted (allowed) or denied (not allowed)
- Not granting an action equals denying it (in other words, all grants must be explicit, unless the same action is allowed by a higher-level action or inherited from a higher-level resource)
- If a user is not a member of any group and has no specific grants, she has no access at all
- Deny entries always have priority over grant entries for the same action on the same resource (unless the last rule below applies and an entry assigned directly to the user overrides the group entry)
- If a user is a member of one group, she inherits all permissions of the group
- If a user is a member of multiple groups, denials have priority over grants for the same action on the same resource
- If a user is a member of one or more groups, grants or denials assigned directly to the user have priority over entries assigned to the group (for example, a group can be denied an action while a specific user of the group is granted it)
Actions/Resources Reference
The general rules described above are applied to resources and actions that are specific to ScrewTurn Wiki.
Note: AGB means Also Granted By, i.e. the action is also granted by another action. All actions are, by default, also granted by Full Control, either on the same resource or on Globals; Full Control is therefore omitted from the AGB lists for brevity.
Globals
The following actions are valid for global permissions. Global permissions are assigned to users or groups and are not mapped to any specific resource.
Action | Description | AGB (other action) |
--- | --- | --- |
Full Control | Full control on the wiki | n/a |
Manage Accounts | Create, Edit, Delete user accounts | n/a |
Manage Groups | Create, Edit, Delete user groups | n/a |
Manage Pages and Categories | Create, Edit, Delete, Rename, Rollback pages and categories | n/a |
Manage Page Discussions | Post, Edit, Delete messages in page discussions (including other users' messages) | n/a |
Manage Namespaces | Create, Edit, Delete namespaces | n/a |
Manage Configuration | Change the wiki configuration | n/a |
Manage Providers | Upload, Configure, Enable/Disable providers | n/a |
Manage Files and Directories | Upload, Rename, Delete files and attachments, Create, Rename, Delete directories | n/a |
Manage Snippets and Templates | Create, Edit, Delete snippets and templates | n/a |
Manage Navigation Paths | Create, Edit, Delete navigation paths | n/a |
Manage Meta-Files | Edit meta-files (also known as content, see the Content Editing administration page) | n/a |
Manage Permissions | Change permissions of users and groups | n/a |
Namespaces
The following actions are valid for namespaces.
Note: by default, sub-namespaces inherit permissions from the root namespace.
Action | Description | AGB (same namespace) | AGB (Globals) |
--- | --- | --- | --- |
Full Control | Full control on the namespace | n/a | n/a |
Read Pages | Read pages | Modify Pages, Create Pages, Delete Pages, Manage Pages | Manage Pages and Cat., Manage Namespaces |
Modify Pages | Edit pages | Manage Pages | Manage Pages and Cat., Manage Namespaces |
Create Pages | Create new pages | Manage Pages | Manage Pages and Cat., Manage Namespaces |
Delete Pages | Delete, Rename pages | Manage Pages | Manage Pages and Cat., Manage Namespaces |
Manage Pages | Create, Edit, Delete, Rename pages | n/a | Manage Pages and Cat., Manage Namespaces |
Read Page Discussions | Read page discussions | Post Msg. in Page Disc., Manage Page Disc. | Manage Page Disc. |
Post Messages in Page Discussions | Post messages in page discussions | Manage Page Disc. | Manage Page Disc. |
Manage Page Discussions | Edit, Delete other users' messages in page discussions | Manage Pages | Manage Page Disc. |
Manage Categories | Modify category bindings of pages, create and delete categories | Full Control | Manage Pages and Cat. |
Download Attachments | Download page attachments | Upload Attachments, Delete Attachments | Manage Files |
Upload Attachments | Upload page attachments | Delete Attachments | Manage Files |
Delete Attachments | Delete, Rename page attachments | n/a | Manage Files |
Pages
The following actions are valid for pages.
Note: by default, pages inherit permissions from their namespace.
Action | Description | AGB (same page) | AGB (namespace) | AGB (Globals) |
--- | --- | --- | --- | --- |
Full Control | Full control on the page | n/a | n/a | n/a |
Read Page | Read the page | Modify Page, Manage Page | Read Pages, Modify Pages, Create Pages, Manage Pages, Delete Pages | Manage Pages and Cat., Manage Namespaces |
Modify Page | Edit the page | Manage Page | Modify Pages, Create Pages, Manage Pages, Delete Pages | Manage Pages and Cat., Manage Namespaces |
Manage Page | Delete, Rename the page | n/a | Manage Pages | Manage Pages and Cat., Manage Namespaces |
Read Page Discussion | Read the page discussion | Post Msg. in Page Disc., Manage Page Disc. | Read Page Disc., Post Msg. in Page Disc., Manage Page Disc. | Manage Page Disc. |
Post Messages in Page Discussion | Post messages in the page discussion | Manage Page Disc. | Post Msg. in Page Disc., Manage Page Disc. | Manage Page Disc. |
Manage Page Discussion | Edit, Delete other users' messages in the page discussion | Manage Page | Manage Page Disc. | Manage Page Disc. |
Manage Categories | Change page category binding | n/a | Manage Categories | Manage Pages and Cat. |
Download Attachments | Download attachments | Upload Attn., Delete Attn. | Download Attn., Upload Attn., Delete Attn. | Manage Files |
Upload Attachments | Upload attachments | Delete Attn. | Upload Attn. | Manage Files |
Delete Attachments | Delete, Rename attachments | n/a | Delete Attn. | Manage Files |
Upload Directories
The following actions are valid for upload directories, i.e. directories managed with the File Management interface.
Note: directories inherit permissions from their parent.
Action | Description | AGB (same directory) | AGB (Globals) |
--- | --- | --- | --- |
Full Control | Full control on the directory | n/a | n/a |
List Contents | List the contents of the directory | Download Files, Upload Files, Delete Files, Create Directories, Delete Directories | Manage Files |
Download Files | Download files | Upload Files, Delete Files, Create Directories, Delete Directories | Manage Files |
Upload Files | Upload files | Delete Files | Manage Files |
Delete Files | Delete, Rename files | n/a | Manage Files |
Create Directories | Create directories | Delete Directories | Manage Files |
Delete Directories | Delete, Rename directories | n/a | Manage Files |
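The General Rules above (implicit deny, group inheritance, deny priority across groups, user entries overriding group entries) and the Also-Granted-By tables together describe one resolution algorithm, and the safest way to check that a permission change does what you think is to run the cases through it. The Python model below is an added illustration, not ScrewTurn Wiki's own ACL code, and evaluates a small constructed ACL. Its assumptions, which the page does not spell out, are: subjects are written "U.<user>" and "G.<group>", resources "G" (globals), "N.<namespace>" and "P.<namespace>.<page>"; the most specific resource level that yields a decision wins (a page entry beats a namespace entry, which beats a global one); within one level, an entry on the requested action or on any action that grants it counts, and a deny among those entries wins; and the AGB table is transcribed only for the three page actions plus Read Pages on a namespace.

```python
"""Model of the permission rules described on this page.

Added illustration only; not ScrewTurn Wiki's AclEvaluator/AuthChecker.
Assumed (not from the page): subject/resource naming, most-specific-level-
wins across resources, and deny-wins among entries on implying actions.
"""
from dataclasses import dataclass

GRANT, DENY = "Grant", "Deny"
FULL_CONTROL = "Full Control"


@dataclass(frozen=True)
class AclEntry:
    subject: str   # "U.<user>" or "G.<group>"
    action: str
    resource: str  # "G" (globals), "N.<ns>" or "P.<ns>.<page>"
    value: str     # GRANT or DENY


# "Also Granted By" lists transcribed from the tables (subset):
# (action, level of the request) -> [(implying action, level)], level in P/N/G.
AGB = {
    ("Read Page", "P"): [
        ("Modify Page", "P"), ("Manage Page", "P"),
        ("Read Pages", "N"), ("Modify Pages", "N"), ("Create Pages", "N"),
        ("Manage Pages", "N"), ("Delete Pages", "N"),
        ("Manage Pages and Categories", "G"), ("Manage Namespaces", "G")],
    ("Modify Page", "P"): [
        ("Manage Page", "P"),
        ("Modify Pages", "N"), ("Create Pages", "N"), ("Manage Pages", "N"),
        ("Delete Pages", "N"),
        ("Manage Pages and Categories", "G"), ("Manage Namespaces", "G")],
    ("Manage Page", "P"): [
        ("Manage Pages", "N"),
        ("Manage Pages and Categories", "G"), ("Manage Namespaces", "G")],
    ("Read Pages", "N"): [
        ("Modify Pages", "N"), ("Create Pages", "N"), ("Delete Pages", "N"),
        ("Manage Pages", "N"),
        ("Manage Pages and Categories", "G"), ("Manage Namespaces", "G")],
}


def resource_chain(resource):
    """(level, concrete resource) from most to least specific."""
    if resource.startswith("P."):
        ns = resource.split(".")[1]
        return [("P", resource), ("N", f"N.{ns}"), ("G", "G")]
    if resource.startswith("N."):
        return [("N", resource), ("G", "G")]
    return [("G", "G")]


def implying_actions(action, request_level, level):
    """Actions whose entries at `level` decide `action` requested at `request_level`."""
    acts = {a for a, lv in AGB.get((action, request_level), []) if lv == level}
    if level == request_level:
        acts.add(action)
    if level in (request_level, "G"):   # Full Control on the same resource or on Globals
        acts.add(FULL_CONTROL)
    return acts


def authorize(user, groups, action, resource, entries):
    chain = resource_chain(resource)
    request_level = chain[0][0]
    for level, concrete in chain:              # page, then namespace, then globals
        acts = implying_actions(action, request_level, level)
        hits = [e for e in entries if e.resource == concrete and e.action in acts]
        # Entries assigned directly to the user beat entries assigned to her groups;
        # among entries of the same kind, a deny beats any grant.
        for subjects in ({f"U.{user}"}, {f"G.{g}" for g in groups}):
            relevant = [e for e in hits if e.subject in subjects]
            if relevant:
                return DENY if any(e.value == DENY for e in relevant) else GRANT
    return DENY                                # nothing granted it: implicit deny


# Constructed sample ACL (hypothetical users, groups and namespace).
ENTRIES = [
    AclEntry("G.Administrators", FULL_CONTROL, "G", GRANT),
    AclEntry("G.Anonymous Users", "Read Pages", "N.Main", GRANT),
    AclEntry("G.Users", "Modify Pages", "N.Main", GRANT),
    AclEntry("G.Editors", "Manage Pages", "N.Main", GRANT),
    AclEntry("G.Contractors", "Modify Pages", "N.Main", DENY),
    AclEntry("U.bob", "Modify Pages", "N.Main", GRANT),      # user beats group deny
    AclEntry("U.alice", "Read Page", "P.Main.Salaries", DENY),  # page deny beats ns grant
]

if __name__ == "__main__":
    for who, grp, act, res in [
        ("anon", ["Anonymous Users"], "Modify Page", "P.Main.Home"),
        ("dave", ["Users", "Contractors"], "Modify Page", "P.Main.Home"),
        ("bob", ["Users", "Contractors"], "Modify Page", "P.Main.Home"),
        ("alice", ["Users"], "Read Page", "P.Main.Salaries"),
        ("erin", ["Editors"], "Read Page", "P.Main.Home"),
    ]:
        print(who, act, res, "->", authorize(who, grp, act, res, ENTRIES))
```

Running the sample shows the cases the rules describe: anonymous users are implicitly denied Modify Page because nothing grants it; dave, who is in both Users and Contractors, is denied because the Contractors deny beats the Users grant; bob is granted because his own entry beats the group deny; alice cannot read Salaries because her page-level deny beats the namespace grant she inherits through Users; and erin reads pages through Manage Pages on the namespace without any explicit Read entry. Before changing live permissions, encode the intended outcome as such a case and confirm the model agrees.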