/[docman2]/doc/trustee.html

This is repository of my old source code which isn't updated any more. Go to git.rot13.org for current projects!

Diff of /doc/trustee.html

Parent Directory | Revision Log | View Patch Patch

-revision 1.1.1.1 by dpavlin,
Sun Jul 21 13:25:15 2002 UTC
+revision 1.7 by dpavlin,
Tue Jun 10 16:04:42 2003 UTC
 Line 5 
 concept of trustees for Linux kernel by
  &lt;zavadsky@braysystems.com&gt;
  </p>
- <p>Trustiees are used to controll access right, and special fetures
+ <p>Trustees are used to control access right, and special features
- (like notify on change)
+ (like <a href="notify.html">notify on change</a>)
+ </p>
+ <p>For each path (which can be file or directory) all trustees are
+ evaluated. However, <b>deny</b> has precedence over <b>allow</b> (which
+ is default in no trustee is specified).
  </p>
  <h2>Format of trustee file</h2>
-Line 14 
 concept of trustees for Linux kernel by
+Line 19 
 concept of trustees for Linux kernel by
  <p>Comments are written using hash (#) as first character in line
  <br><tt># this is a comment</tt></p>
- <p>Group can be used instead of username in all ACLs. You can't have user
+ <p>Group can be used instead of user-name in all ACL. You can't have user
  which has same name as group or vice-versa. It's written using plus (+) as
  first character in line.
  <br>+<i>group</i>:<i>user</i>[,<i>user</i>...]</p>
-Line 25 
 first character in line.
+Line 30 
 first character in line.
  Valid modifiers:
  <ul>
  <li><tt>!</tt> trustee applies to all except user or group
- <li><tt>C</tt> clear the persmission (default is to set)
+ <li><tt>C</tt> clear the permission (default is to set)
  <li><tt>D</tt> deny access (default is grant)
+ <li><tt>O</tt> one-level trustee only <small>(this means that those permissions
+         will not be inherited on directories and files downwards from current
+         level -- it's useful for <a href="#anonymous">anonymous access</a>)
+         </small>
  </ul>
  Valid permissions:
-Line 34 
 Valid permissions:
+Line 43 
 Valid permissions:
  <li><tt>R</tt> read (file)
  <li><tt>W</tt> write (file)
  <li><tt>B</tt> browse (directory)
- <li><tt>N</tt> notify (e-mail change)
+ <li><tt>N</tt> <a href="notify.html">notify</a> (e-mail change)
  </ul>
  <h2>Examples</h2>
  <pre>
- # dpavlin is admin (grant all access to members of root group)
+ # dpavlin is administrator (grant all access to members of root group)
  +root:dpavlin
  /:root:RWB
  # give read-only access to all users
-Line 59 
 read-only access) you could write:
+Line 68 
 read-only access) you could write:
  /secret.txt:*:DRWB:joe:R
  </pre>
- That is wrong. <b>deny</b> rules will take precedance over allow read
+ That is wrong. <b>deny</b> rules will take precedence over allow read
  to joe. So, you should write:
  <pre>
-Line 68 
 to joe. So, you should write:
+Line 77 
 to joe. So, you should write:
  Which will work.
- <big>FIX</big> write more examples, beter descriptions...
+ <big>FIX</big> write more examples, better descriptions...
+ <a name="anonymous">
+ <h3>Anonymous access</h3>
+ <p>One of great advantages of using trustees is that you can allow
+ anonymous access (without login). You should pay attention to access
+ right, because you probably don't want anonymous users to see all files
+ or folders in your repository.
+ </p>
+ <p>First, you will have to add browse trustee to anonymous user
+ on root directory -- docman will ignore all anonymous users if
+ you don't do this.
+ <pre>
+         /:anonymous:BO
+ </pre>
+ You really <b>want to use flags <tt>BO</tt></b> and not just <tt>B</tt> because
+ if you specify just <tt>B</tt> anonymous users will be able to browse (see
+ directory names) of your whole repository. This way you can explicitly
+ allow (or deny) which sub-directories you want anonymous users to browse.
+ <br>For example, this will allow anonymous users to see and read everything
+ in <tt>/pub</tt> and to store documents in <tt>/incoming</tt>:
+ <pre>
+         /pub:anonymous:RB
+         /incoming:anonymous:RWB
+ </pre>
+ You might also want to hide some directory from anonymous users, and you
+ can do that using:
+ <pre>
+         /private:anonymous:DB
+ </pre>
+ If you would like to <b>give all your users</b> which are authenticated via
+ login and password <b>all access</b> to all files (like in old docman v1.x) you
+ also have to add
+ <pre>
+         /:*:RWB
+ </pre>
+ However, that <b>will not add all
+ permission to anonymous users</b>. If you want to add all that permission
+ to anonymous users (which will create wiki-like community for sharing files)
+ you must explicitly say that you allow that to anonymous users:
+ <pre>
+         /:anonymous:RWB
+ </pre>
+ All those setting will create environment which is very like docman v1.x,
+ but with anonymous users allowed to see document in <tt>/pub</tt> and
+ upload them in <tt>/incoming</tt>.
+ </p>
  <h2>Default security</h2>
-Line 81 
 users)
+Line 138 
 users)
  <h2>docman without trustee configuration</h2>
  <p>If you <b>don't have</b> <tt>realm/http_virtual_host.trustee</tt> you
- will fall-back to default docman v1.x behaviour: whole group will have
+ will fall-back to default docman v1.x behavior: whole group will have
  all right on all files except <i>anonymous</i> users (which won't be able
  to login anyway).
  </p>
+ <p>See also:
+ <a href="admin.html">Administration manual</a>
+ </p>

 Legend:



Removed from v.1.1.1.1
 


changed lines


 
Added in v.1.7
 Legend:



Removed from v.1.1.1.1
 


changed lines


 
Added in v.1.7
-Removed from v.1.1.1.1
+Added in v.1.7

	ViewVC Help
Powered by ViewVC 1.1.26