14 |
<p>Comments are written using hash (#) as first character in line |
<p>Comments are written using hash (#) as first character in line |
15 |
<br><tt># this is a comment</tt></p> |
<br><tt># this is a comment</tt></p> |
16 |
|
|
17 |
<p>Group can be used instead of username in all ACLs. You can't have user |
<p>Group can be used instead of user-name in all ACL. You can't have user |
18 |
which has same name as group or vice-versa. It's written using plus (+) as |
which has same name as group or vice-versa. It's written using plus (+) as |
19 |
first character in line. |
first character in line. |
20 |
<br>+<i>group</i>:<i>user</i>[,<i>user</i>...]</p> |
<br>+<i>group</i>:<i>user</i>[,<i>user</i>...]</p> |
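Review bot: on line 17 the second version, "user-name in all ACL", reads worse than the first; keep "username in all ACLs". The same paragraph (lines 17-18) says a user and a group cannot share a name but not what happens when a trustee file contains such a collision. Because a group name can stand in for a username in every ACL, state whether the file is rejected or which entry wins.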
28 |
<li><tt>C</tt> clear the permission (default is to set) |
<li><tt>C</tt> clear the permission (default is to set) |
29 |
<li><tt>D</tt> deny access (default is grant) |
<li><tt>D</tt> deny access (default is grant) |
30 |
<li><tt>O</tt> one-level trustee only <small>(this means that those permissions |
<li><tt>O</tt> one-level trustee only <small>(this means that those permissions |
31 |
will not be inherited on directories and files upwards from current |
will not be inherited on directories and files downwards from current |
32 |
level -- it's usefull for root directory only anonymous access) |
level -- it's useful for <a href="#anonymous">anonymous access</a>) |
33 |
|
</small> |
34 |
</ul> |
</ul> |
35 |
|
|
36 |
Valid permissions: |
Valid permissions: |
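Review bot: the O flag description on lines 30-32 still leaves the scope of "one-level" unstated. With "downwards" it now says the permission is not inherited below the current level, but not whether files directly inside that directory are covered or only the directory entry itself. Spell that out, since line 32 points readers at the anonymous access section for this flag. The link to #anonymous on line 32 also needs its target anchor to be present and well-formed in the same revision.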
44 |
<h2>Examples</h2> |
<h2>Examples</h2> |
45 |
|
|
46 |
<pre> |
<pre> |
47 |
# dpavlin is admin (grant all access to members of root group) |
# dpavlin is administrator (grant all access to members of root group) |
48 |
+root:dpavlin |
+root:dpavlin |
49 |
/:root:RWB |
/:root:RWB |
50 |
# give read-only access to all users |
# give read-only access to all users |
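Review bot: the comment on line 47 calls dpavlin the administrator, but the rule on line 49 grants RWB on / to every member of group root, so anyone later added to the +root line on line 48 gets the same access. Word the comment around the group, for example "members of group root are administrators (dpavlin is the only member)", and keep "all access" only if RWB really is every permission in the list above.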
74 |
|
|
75 |
<big>FIX</big> write more examples, better descriptions... |
<big>FIX</big> write more examples, better descriptions... |
76 |
|
|
77 |
|
<a name="anonymous"> |
78 |
|
<h3>Anonymous access</h3> |
79 |
|
|
80 |
|
<p>One of great advantages of using trustees is that you can allow |
81 |
|
anonymous access (without login). You should pay attention to access |
82 |
|
right, because you probably don't want anonymous users to see all files |
83 |
|
or folders in your repository. |
84 |
|
</p> |
85 |
|
|
86 |
|
<p>First, you will have to add browse trustee to anonymous user |
87 |
|
on root directory -- docman will ignore all anonymous users if |
88 |
|
you don't do this. |
89 |
|
<pre> |
90 |
|
/:anonymous:BO |
91 |
|
</pre> |
92 |
|
You really <b>want to use flags <tt>BO</tt></b> and not just <tt>B</tt> because |
93 |
|
if you specify just <tt>B</tt> anonymous users will be able to browse (see |
94 |
|
directory names) of your whole repository. This way you can explicitly |
95 |
|
allow (or deny) which sub-directories you want anonymous users to browse. |
96 |
|
<br>For example, this will allow anonymous users to see and read everything |
97 |
|
in <tt>/pub</tt> and to store documents in <tt>/incoming</tt>: |
98 |
|
<pre> |
99 |
|
/pub:anonymous:RB |
100 |
|
/incoming:anonymous:RWB |
101 |
|
</pre> |
102 |
|
You might also want to hide some directory from anonymous users, and you |
103 |
|
can do that using: |
104 |
|
<pre> |
105 |
|
/private:anonymous:DB |
106 |
|
</pre> |
107 |
|
</p> |
108 |
|
|
109 |
<h2>Default security</h2> |
<h2>Default security</h2> |
110 |
|
|
111 |
<p>If none of trustee rules satisfy, default policy is <i>deny</i>. Basically, |
<p>If none of trustee rules satisfy, default policy is <i>deny</i>. Basically, |
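Review bot: the /incoming rule on line 100 grants more than the text on lines 96-97 describes. The prose says anonymous users may "store documents in /incoming", while "/incoming:anonymous:RWB" also lets them browse and read it, so every anonymous visitor can list and fetch what others uploaded. Either say that this is intended or show the rule with only the permission needed for storing. It would also help to state whether "/private:anonymous:DB" on line 105 is needed at all when the root rule is BO and the default policy on line 111 is deny, or only when a parent grants B without O. On the markup: the anchor opened on line 77 is not closed in the lines shown, and the pre blocks on lines 89-106 sit inside the paragraph opened on line 86, which leaves the closing tag on line 107 without a matching open.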