Overview

uWiki uses Access Control Lists (ACLs) to check permissions. One can define Groups of users and of other groups. Permissions can be combined into Roles.

Basic Permission Checking

  1. Lookup an ACL

    • When a file has an ACL then this ACL is checked

    • When a file has no ACL then the ACL of its parent dir is used

    • This is done until the topmost dir is reached

    • When no ACL is found, access is denied

  2. Find an entry matching the user

    • The ACL is processed in order, top down

    • For each entry it is checked whether it is a group under _groups/ and whether the user is a member of that group (possibly recursively: groups may contain other groups!).

    • If the user matches that entry directly, or indirectly via group membership, this entry is selected for checking the permissions.

    • If the entry does not match, the next entry is processed

    • When no entry matches, access is denied

  3. Check permission on an ACL entry

    • If there is a !perm clause in the entry then access is rejected

    • If there is a perm clause in the entry, then access is granted

    • If there is no matching perm in the entry, the ACL is searched for the next entry matching the user.

In short: it looks up the nearest ACL by traversing up the directory tree. When an ACL is found, only this ACL is used and nothing else. The ACL is processed top-down. If the permission asked for is not explicitly granted, it is rejected.
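The three steps above as an added worked example in Python (not uWiki's own code). The group and ACL data, the _groups/ prefix on group entries and the spelling of perm / !perm clauses are constructed assumptions; the example also shows why the recursive membership walk needs a cycle guard.

```python
from posixpath import dirname
# Constructed sample data (not uWiki's format); staff and editors form a group cycle.
GROUPS = {
    "_groups/staff": ["alice", "_groups/editors"],
    "_groups/editors": ["bob", "_groups/staff"],
}
# An ACL is an ordered list of (principal, clauses); "perm" grants, "!perm" denies.
ACLS = {
    "/": [("Anonymous", ["read"]), ("_groups/staff", ["read", "edit"])],
    "/private": [("_groups/editors", ["read"]), ("_groups/staff", ["edit"])],
    "/private/notes": [("bob", ["!edit"]), ("_groups/staff", ["edit", "read"])],
}

def is_member(user, group, groups=GROUPS, seen=None):
    """Recursive membership (step 2); `seen` stops infinite loops on group cycles."""
    seen = set() if seen is None else seen
    if group in seen:
        return False
    seen.add(group)
    for member in groups.get(group, []):
        if member == user or (member.startswith("_groups/")
                              and is_member(user, member, groups, seen)):
            return True
    return False

def lookup_acl(path, acls=ACLS):
    """Step 1: walk up from the file; the first ACL found is used, else None."""
    while True:
        if path in acls:
            return acls[path]
        parent = dirname(path)
        if parent == path:                # reached the top of the tree
            return None
        path = parent

def check(user, path, perm, acls=ACLS, groups=GROUPS):
    """Steps 2 and 3: the first explicit grant or denial on a matching entry decides."""
    acl = lookup_acl(path, acls)
    if acl is None:
        return False                      # no ACL anywhere up the tree
    for principal, clauses in acl:
        if principal != user and not (
                principal.startswith("_groups/") and is_member(user, principal, groups)):
            continue                      # entry does not match, try the next one
        if "!" + perm in clauses:
            return False                  # explicit denial ends the search
        if perm in clauses:
            return True
    return False
```

Note that bob is denied edit under /private/notes even though a later entry (staff, which he belongs to via editors) would grant it, while a matching entry with no clause for the requested perm is simply skipped.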

Permissions Supported

Each action (in _uwiki/) and each type (in _types/) gives an object which is used for permission checking. There is a special execute permission which indicates whether the user is allowed to run any of these scripts.

For example, to create a new asciidoc page one has to have the execute permission for the _uwiki/create action and for the _types/asciidoc type; further, the user has to have the create and asciidoc permissions for the dirs where the files shall be created.

Some actions and types may define extra permissions; for example, edit provides an add permission which allows only edits that add new lines to a text.

Special Users

The account Anonymous is used for all unauthenticated users. Some other account names are locked; creating accounts with these names is not possible (master, mob, origin, public, test, upstream). Other accounts will be added to this list in future.

Special Groups

It is possible to check just for group membership instead of for permissions on a given file. Some groups are predefined and used for special purposes.
