--- doc/trustee.html 2002/07/28 16:24:55 1.4 +++ doc/trustee.html 2003/06/11 03:26:29 1.8 @@ -9,12 +9,17 @@ (like notify on change)
+For each path (which can be file or directory) all trustees are +evaluated. However, deny has precedence over allow (which +is default in no trustee is specified). +
+Comments are written using hash (#) as first character in line
# this is a comment
Group can be used instead of username in all ACLs. You can't have user +
Group can be used instead of user-name in all ACL. You can't have user
which has same name as group or vice-versa. It's written using plus (+) as
first character in line.
+group:user[,user...]
-# dpavlin is admin (grant all access to members of root group) +# dpavlin is administrator (grant all access to members of root group) +root:dpavlin /:root:RWB # give read-only access to all users @@ -71,7 +77,71 @@ Which will work. +If you want to allow just one user (editor) to have write +persmissions on file one_editor.txt while all others can read it, you +could do something like: + +
+/one_editor.txt:*:DW:editor:CRWB ++ +Order of statements is not important. Trustees are always evaluated from +universal ones (e.g. ones for all users; with *) to specific for this +user (in this case, for user editor). However, this example +wouldn't work without C for user editor because deny +for write would have precidence. + +FIX write more examples, better descriptions... +
+ + +Anonymous access
+ +One of great advantages of using trustees is that you can allow +anonymous access (without login). You should pay attention to access +right, because you probably don't want anonymous users to see all files +or folders in your repository. +
+ +First, you will have to add browse trustee to anonymous user +on root directory -- docman will ignore all anonymous users if +you don't do this. +
+ /:anonymous:BO ++You really want to use flags BO and not just B because +if you specify just B anonymous users will be able to browse (see +directory names) of your whole repository. This way you can explicitly +allow (or deny) which sub-directories you want anonymous users to browse. +
For example, this will allow anonymous users to see and read everything +in /pub and to store documents in /incoming: ++ /pub:anonymous:RB + /incoming:anonymous:RWB ++You might also want to hide some directory from anonymous users, and you +can do that using: ++ /private:anonymous:DB ++If you would like to give all your users which are authenticated via +login and password all access to all files (like in old docman v1.x) you +also have to add ++ /:*:RWB ++However, that will not add all +permission to anonymous users. If you want to add all that permission +to anonymous users (which will create wiki-like community for sharing files) +you must explicitly say that you allow that to anonymous users: ++ /:anonymous:RWB ++All those setting will create environment which is very like docman v1.x, +but with anonymous users allowed to see document in /pub and +upload them in /incoming. +Default security
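Review bot: In the first hunk (@@ -9,12 +9,17 @@), the added sentence "deny has precedence over allow (which is default in no trustee is specified)" leaves the default ambiguous. "in" should be "if", and it is not clear whether "which" refers to allow or to deny. This sentence defines what happens to a path that has no trustee at all, so state the default in a sentence of its own and point to the "Default security" section that the patch ends on. The same hunk shows both "username in all ACLs" and "user-name in all ACL"; pick one spelling and keep the plural "ACLs".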
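Review bot: In the second hunk (@@ -71,7 +77,71 @@), the scope of * is inconsistent. The one_editor.txt example describes *:DW as covering "all others" and the evaluation rule calls * "all users", but the anonymous section says /:*:RWB "will not add all permission to anonymous users". If * is meant to cover only authenticated users, say so where * is first used; otherwise a reader will misjudge whether a deny such as *:DW also applies to anonymous access. The flags C (in editor:CRWB) and O (in /:anonymous:BO) are used without a definition in the visible text, although both explanations depend on them; add a one-line meaning for each next to its example. /incoming:anonymous:RWB is described only as letting anonymous users "store documents", but it also grants R and B, so anonymous users can list and read each other's uploads; either say that or show a narrower grant. Also fix "persmissions" and "precidence", and remove the "FIX write more examples, better descriptions..." line from the shipped page or turn it into an HTML comment.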