Section 4.1 - Introduction to ACLs

Now we're going to get into one of the most powerful and advanced features of Enano, around which most capabilities are based: Access Control Lists. Enano allows you to customize what users are allowed to do based on certain conditions by using rules, or one set of permissions.

Basic concepts

ACLs allow very fine-grained control of what users can do. Nearly every action that a user can perform can be restricted using one or more ACL rules.

Rule scope

An ACL rule can be set such that only one page will fall under it, several pages will fall under it, or the entire site will be affected by it. (We'll show you how to group pages in the next section.) A rule can affect only one user or everyone within a certain usergroup, including a meta-group called "Everyone".

Types of permissions

There are four possible rulings of permissions: Allow, Wiki Mode, Disallow, and Deny. Each action will have one ruling selected.

  • Allow means that the user is allowed full access to the page for that action.
  • Wiki Mode means that the user is only allowed to use an action if Wiki Mode is enabled for that page.
  • Disallow means that the user can't perform the action. A Disallow ruling can be overridden if there is another rule that presides over the rule with the Disallow entry.
  • Deny means that no matter what, the user can't perform the action. Deny rulings cannot be overridden - they always take highest precedence.

Creating a new ACL rule

By default, there are only two ACL rules in a new Enano installation: a rule that grants administrators the ability to do everything, and a rule that gives moderators some elevated powers. In all other places, default values are used.

Default values

The following default values are used when there is no rule in effect at all. These defaults are hard-coded but may be easily overridden by creating a new ACL rule that affects Everyone and all pages.

  • Read page(s) - Allow
  • Post comments - Allow
  • Edit own comments - Allow
  • Edit page - Wiki Mode
  • (1.1.x only) Use graphical editor - Allow. Depends on Edit Page. This is very weak and SHOULD NOT be relied upon for security. This is because the switch to the graphical editor is performed client-side, and the user can easily call the Dynano API to switch the editor over, sometimes without even needing a Javascript debugging tool.
  • View source - Wiki Mode (Edit page depends on this - if the user can't view the page source, they're not allowed to edit either)
  • Moderate comments - Disallow
  • View history/diffs - Wiki Mode
  • Rollback history - Disallow (If set to allow, this still depends on what you're rolling back. For example rolling back a rename requires Rename rights)
  • Undelete page(s) - Disallow
  • Protect page(s) - Disallow
  • Rename page(s) - Wiki Mode
  • Clear page logs - Disallow
  • Vote to delete - Wiki Mode
  • Reset delete votes - Disallow
  • Delete page(s) - Disallow
  • Tag page(s) - Allow
  • Remove own page tags - Allow
  • Remove others' page tags - Disallow
  • Set per-page wiki mode - Disallow
  • Set password - Disallow
  • Disable/reset password - Disallow
  • Super moderator (generate SQL backtraces, view IP addresses, and send large numbers of private messages) - Disallow
  • Edit categorization - Wiki Mode
  • Allow editing, renaming, and categorization even when protected - Disallow
  • Upload files - Disallow
  • Upload new versions of files - Wiki Mode (depends on Upload Files)
  • Create pages - Wiki Mode
  • (1.1.x only) Embed HTML code in pages - Disallow - This refers to unfiltered HTML. Anyone that can edit a page can use a restricted subset of HTML based on a whitelist of tags and attributes.
  • Embed PHP code in pages - Disallow - In 1.0.x this controls both PHP and unfiltered HTML. In 1.1.x, this only controls PHP. Also, Enano 1.0.x allows you to change this during installation, while 1.1.x defaults to leaving it off.
  • Edit access control lists - Disallow

Using the ACL editor interface

You can pull up the ACL editor by going to More Options → Manage Page Access on every single page on your site. Why every single page? Because even Special, System, and Administration pages can be controlled with ACL rules! Select who you want your rule to affect and whether you want your rule to be over only the current page, all pages in a specific group, or every page on the site. Click Next. You'll see the main editor window. If you are creating a new rule it will saying "Create new rule" at the top - otherwise it will say "Editing Permissions" and there will be a red link that says "Delete this rule" at the bottom of the editor window. You can click one of the blue headings that say "Allow", "Wiki Mode", "Disallow", or "Deny" at the top of the table showing the rule to change all the actions to that ruling. Don't forget that you can scroll down to see more actions. When you're done, click Save.

Note: Because of compatibility issues, users of Windows Internet Explorer or Internet Explorer for Mac will experience the HTML version of the ACL editor. It provides almost the same feature set as the Javascript and AJAX-based one, except that it is compatible with a much wider range of browsers.

Next we'll take a look at precedence and a more in-depth look at scope.

Previous Section 4.1 - Introduction to ACLs Next
Categorizing pages Up one level Access rule scope and precedence