| 5 |
<zavadsky@braysystems.com> |
<zavadsky@braysystems.com> |
| 6 |
</p> |
</p> |
| 7 |
|
|
| 8 |
<p>Trustiees are used to controll access right, and special fetures |
<p>Trustees are used to control access right, and special features |
| 9 |
(like notify on change) |
(like <a href="notify.html">notify on change</a>) |
| 10 |
</p> |
</p> |
| 11 |
|
|
| 12 |
<h2>Format of trustee file</h2> |
<h2>Format of trustee file</h2> |
| 14 |
<p>Comments are written using hash (#) as first character in line |
<p>Comments are written using hash (#) as first character in line |
| 15 |
<br><tt># this is a comment</tt></p> |
<br><tt># this is a comment</tt></p> |
| 16 |
|
|
| 17 |
<p>Group can be used instead of username in all ACLs. You can't have user |
<p>Group can be used instead of user-name in all ACL. You can't have user |
| 18 |
which has same name as group or vice-versa. It's written using plus (+) as |
which has same name as group or vice-versa. It's written using plus (+) as |
| 19 |
first character in line. |
first character in line. |
| 20 |
<br>+<i>group</i>:<i>user</i>[,<i>user</i>...]</p> |
<br>+<i>group</i>:<i>user</i>[,<i>user</i>...]</p> |
| 25 |
Valid modifiers: |
Valid modifiers: |
| 26 |
<ul> |
<ul> |
| 27 |
<li><tt>!</tt> trustee applies to all except user or group |
<li><tt>!</tt> trustee applies to all except user or group |
| 28 |
<li><tt>C</tt> clear the persmission (default is to set) |
<li><tt>C</tt> clear the permission (default is to set) |
| 29 |
<li><tt>D</tt> deny access (default is grant) |
<li><tt>D</tt> deny access (default is grant) |
| 30 |
|
<li><tt>O</tt> one-level trustee only <small>(this means that those permissions |
| 31 |
|
will not be inherited on directories and files downwards from current |
| 32 |
|
level -- it's useful for <a href="#anonymous">anonymous access</a>) |
| 33 |
|
</small> |
| 34 |
</ul> |
</ul> |
| 35 |
|
|
| 36 |
Valid permissions: |
Valid permissions: |
| 38 |
<li><tt>R</tt> read (file) |
<li><tt>R</tt> read (file) |
| 39 |
<li><tt>W</tt> write (file) |
<li><tt>W</tt> write (file) |
| 40 |
<li><tt>B</tt> browse (directory) |
<li><tt>B</tt> browse (directory) |
| 41 |
<li><tt>N</tt> notify (e-mail change) |
<li><tt>N</tt> <a href="notify.html">notify</a> (e-mail change) |
| 42 |
</ul> |
</ul> |
| 43 |
|
|
| 44 |
<h2>Examples</h2> |
<h2>Examples</h2> |
| 45 |
|
|
| 46 |
<pre> |
<pre> |
| 47 |
# dpavlin is admin (grant all access to members of root group) |
# dpavlin is administrator (grant all access to members of root group) |
| 48 |
+root:dpavlin |
+root:dpavlin |
| 49 |
/:root:RWB |
/:root:RWB |
| 50 |
# give read-only access to all users |
# give read-only access to all users |
| 63 |
/secret.txt:*:DRWB:joe:R |
/secret.txt:*:DRWB:joe:R |
| 64 |
</pre> |
</pre> |
| 65 |
|
|
| 66 |
That is wrong. <b>deny</b> rules will take precedance over allow read |
That is wrong. <b>deny</b> rules will take precedence over allow read |
| 67 |
to joe. So, you should write: |
to joe. So, you should write: |
| 68 |
|
|
| 69 |
<pre> |
<pre> |
| 72 |
|
|
| 73 |
Which will work. |
Which will work. |
| 74 |
|
|
| 75 |
<big>FIX</big> write more examples, beter descriptions... |
<big>FIX</big> write more examples, better descriptions... |
| 76 |
|
|
| 77 |
|
<a name="anonymous"> |
| 78 |
|
<h3>Anonymous access</h3> |
| 79 |
|
|
| 80 |
|
<p>One of great advantages of using trustees is that you can allow |
| 81 |
|
anonymous access (without login). You should pay attention to access |
| 82 |
|
right, because you probably don't want anonymous users to see all files |
| 83 |
|
or folders in your repository. |
| 84 |
|
</p> |
| 85 |
|
|
| 86 |
|
<p>First, you will have to add browse trustee to anonymous user |
| 87 |
|
on root directory -- docman will ignore all anonymous users if |
| 88 |
|
you don't do this. |
| 89 |
|
<pre> |
| 90 |
|
/:anonymous:BO |
| 91 |
|
</pre> |
| 92 |
|
You really <b>want to use flags <tt>BO</tt></b> and not just <tt>B</tt> because |
| 93 |
|
if you specify just <tt>B</tt> anonymous users will be able to browse (see |
| 94 |
|
directory names) of your whole repository. This way you can explicitly |
| 95 |
|
allow (or deny) which sub-directories you want anonymous users to browse. |
| 96 |
|
<br>For example, this will allow anonymous users to see and read everything |
| 97 |
|
in <tt>/pub</tt> and to store documents in <tt>/incoming</tt>: |
| 98 |
|
<pre> |
| 99 |
|
/pub:anonymous:RB |
| 100 |
|
/incoming:anonymous:RWB |
| 101 |
|
</pre> |
| 102 |
|
You might also want to hide some directory from anonymous users, and you |
| 103 |
|
can do that using: |
| 104 |
|
<pre> |
| 105 |
|
/private:anonymous:DB |
| 106 |
|
</pre> |
| 107 |
|
</p> |
| 108 |
|
|
| 109 |
<h2>Default security</h2> |
<h2>Default security</h2> |
| 110 |
|
|
| 117 |
<h2>docman without trustee configuration</h2> |
<h2>docman without trustee configuration</h2> |
| 118 |
|
|
| 119 |
<p>If you <b>don't have</b> <tt>realm/http_virtual_host.trustee</tt> you |
<p>If you <b>don't have</b> <tt>realm/http_virtual_host.trustee</tt> you |
| 120 |
will fall-back to default docman v1.x behaviour: whole group will have |
will fall-back to default docman v1.x behavior: whole group will have |
| 121 |
all right on all files except <i>anonymous</i> users (which won't be able |
all right on all files except <i>anonymous</i> users (which won't be able |
| 122 |
to login anyway). |
to login anyway). |
| 123 |
</p> |
</p> |
| 124 |
|
|
| 125 |
|
<p>See also: |
| 126 |
|
<a href="admin.html">Administration manual</a> |
| 127 |
|
</p> |
Parent Directory
| 
Revision Log
| 
Patch