Differences between revisions 10 and 11
Revision 10 as of 2016-03-18 14:47:25
Size: 5392
Comment:
Revision 11 as of 2016-03-18 14:49:18
Size: 5405
Comment:

Understanding ACLs

One of the confusing things about our wiki pages (even to me!) is understanding how access control lists (ACLs) work.

ACLs tell the wiki server who has access rights to any given wiki page. There are five types of access rights that can be assigned:

read - read access to a wiki page

write - write (ie: editing) rights to a wiki page

delete - the ability to delete a wiki page

revert - the ability to return a wiki page to an earlier version

admin - admin rights to a page, which realistically means the ability to create new pages

These rights can be assigned to a single user, a group of users, or to "All" (which in practical terms means "everybody else").

All members of any given lab who have an account on the wiki server are members of the lab's group. For example, if Joe Blow is a member of the HLP lab and has an account on the wiki server, he's typically made a member of the "HlpLabGroup". This is done primarily to make it easy to give people access rights to the wiki.

The entire wiki site belonging to a lab is called a wiki instance. Each instance has a configuration file that I set up, and that configuration file contains the default ACLs for that wiki instance. Our wikis specify three types of default access rights:

  • I (Chris) as administrator have full access to all pages on a wiki. You cannot change these rights.
  • You, as a member of your lab's group, have full access rights to any wiki page in your lab's wiki instance.
  • "All" (ie: everybody else) either has read-only rights, or no rights at all. Each lab decides how they want this set.

If you create a new wiki page and the default access rights for your lab are appropriate for that page, you don't need to do anything special in the way the wiki page is written. The server will simply apply the default rights for your wiki instance.

If the default access rights are NOT appropriate and you want to modify them, you do this by adding a special line of code at the very top of the wiki page that explicitly defines the access rights for that page. It *must* be the very first line in the wiki page's code.

The syntax for this special line of code is:

#acl <whatever rights you want to set>

The rights specified in a #acl line supersede the wiki instance's default rights.

For example, let's say that the default rights for your instance are set so the group "LabGroup" has full access rights, and everybody else (ie: "All") has read-only access. You create a page that you do NOT want the general public to be able to read. As such, you would add an ACL line at the very top of the page that looks like this:

#acl LabGroup:read,write,delete,revert,admin All:

Here, you've specified that "LabGroup" has all five of the necessary access rights for full access, and "All" has *no* rights. As such, the server will assign everybody who is a member of "LabGroup" full access rights, and everybody else has no rights at all. (I as administrator automatically get full access rights...the #acl line has no effect on this.)

Now, let's say that Joe Blow creates a wiki page, and he wants to be the only one who has any access rights to it. As such, Joe would add this ACL line at the top of his wiki page:

#acl JoeBlow:read,write,delete,revert,admin All:

Here, Joe has assigned himself full rights, and everybody else no rights. "LabGroup" is part of "All" in this case because no explicit rights for "LabGroup" were specified, so all of the members of "LabGroup", except for Joe Blow, have no rights to this page.

The important concept to understand with ACLs is that the server reads ACL lines from left to right, looking to match you to an entry in the line. As soon as it finds a match, it will apply the access rights it finds for you and stop looking for more access rights. As such, when you create an "#acl" line, the order in which you list users must go from most specific to least specific to ensure that all users get the correct rights.

For example, if you were going to explicitly assign access rights to an individual user, your lab's group, and the general public, then your ACL line should be in this order:

#acl IndividualUser:<rights> LabGroup:<rights> All:<rights>

This guarantees that each person gets the correct rights. If you were to write the ACL like this:

#acl All:<rights> LabGroup:<rights> IndividualUser:<rights>

Then everybody would get the rights for "All", because the server first checks to see if you match "All", and everybody matches "All". It stops looking for more ACLs for you, and thus skips over the rest of the line.

Now let's say that Marge Simpson is a member of "LabGroup", and wants to create a wiki page that everybody in "LabGroup" can access EXCEPT for Joe Blow. She also wants to make sure the general public can't read the page. To accomplish this, her ACL line would look like this:

#acl JoeBlow: LabGroup:read,write,delete,revert,admin All:

Here, she explicitly gives Joe no access rights first, and the server will deny him access based on this. All other members of the group match the "LabGroup" entry, so everybody else in the group gets full rights. Finally, everybody else matches "All", so they get no rights.
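The left-to-right, first-match evaluation described above, and Marge's example, as an added Python model (not the wiki server's own code). The group membership, the administrator account name and the default ACL line it uses are constructed sample data, and the rule that the administrator always gets full rights is an assumption taken from the text.

```python
# Added example (not the wiki's own code): a model of how a MoinMoin-style "#acl"
# line is evaluated, first match from left to right, as the page describes.
# Group membership, the administrator name and the default ACL are constructed
# sample data for this illustration.

RIGHTS = {"read", "write", "delete", "revert", "admin"}
FULL = set(RIGHTS)
# Assumption: the administrator account always gets full rights (the page says
# the #acl line has no effect on the administrator).
ADMIN_USERS = {"WikiAdministrator"}


def page_acl_line(page_text):
    """Return the #acl line only if it is the very first line of the page."""
    first = page_text.split("\n", 1)[0].strip()
    return first if first.startswith("#acl ") else None


def parse_acl(line):
    """'#acl JoeBlow: LabGroup:read,write All:' -> [('JoeBlow', set()), ...].
    A leading '!' (wiki-markup escape for a WikiName) is not part of the name."""
    tokens = line.strip().split()
    if not tokens or tokens[0] != "#acl":
        raise ValueError("ACL line must start with #acl")
    entries = []
    for token in tokens[1:]:
        name, _, rights = token.partition(":")
        granted = {r for r in rights.split(",") if r}
        unknown = granted - RIGHTS
        if unknown:
            raise ValueError(f"unknown right(s) {sorted(unknown)} for {name}")
        entries.append((name.lstrip("!"), granted))
    return entries


def effective_rights(user, groups, page_text, default_acl):
    """Rights of `user` (a member of `groups`) on a page whose source is
    `page_text`; `default_acl` is the wiki instance's default ACL line.
    The first entry naming the user, one of the user's groups, or "All"
    decides, and nothing after it on the line is looked at."""
    if user in ADMIN_USERS:
        return set(FULL)
    line = page_acl_line(page_text) or default_acl
    for entry, rights in parse_acl(line):
        if entry == user or entry in groups or entry == "All":
            return set(rights)
    return set()  # no entry matched, not even "All"
```

Running Marge's line through `effective_rights` shows Joe Blow getting nothing while the rest of "LabGroup" gets full rights, and putting "All" first hands everyone the "All" rights regardless of what follows.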

UnderstandingAcls (last edited 2016-03-18 15:07:53 by WikiAdministrator)
