ScrewTurn Wiki 5.0 features an advanced permissions system that allows you to configure access rules for namespaces, single pages and upload directories, as well as for some global actions.


Introduction

The permissions system in STW is basically a custom-built ACL (Access Control List) engine. An ACL entry determines whether a subject can perform an action on a resource.

A subject can either be a user or a user group. A resource can be a namespace, a page, an upload directory or a generic global resource called globals (more on this later). Actions are resource-specific and define activities that can be performed on a resource. Some actions include other actions: for example, if you allow a write permission on a resource to a user, she is also able to read the same resource.

Note: managing complex permission schemes can be very difficult and, if done the wrong way, can lead to security issues in your wiki. For this reason, you should be careful not to change permissions in a way that you do not fully understand.

ScrewTurn Wiki is automatically configured with a set of safe permissions that basically allow global read-only access to anonymous users, partial write access to registered users and total access to administrators.

Users, Groups and Deny Priority

As said, you can assign permissions to users or groups of users. By default, ScrewTurn Wiki defines three user groups, Anonymous Users, Users and Administrators, but you are free to create other groups and assign specific permissions to them.

General Rules

  1. An action can either be granted (allowed) or denied (not allowed)
  2. Not granting an action equals denying it (in other words, all grants must be explicit, unless the same action is allowed by a higher-level action or inherited from a higher-level resource)
    • If a user is not a member of any group and has no specific grants, she has no access at all
  3. Deny entries always have priority over grant entries on the same action and resource (unless rule 6 applies)
  4. If a user is a member of one group, she inherits all permissions of the group
  5. If a user is a member of multiple groups, denials have priority over grants for the same action on the same resource
  6. If a user is a member of one or more groups, grants or denials assigned to the user have priority over entries assigned to the group (for example, a group can be denied an action but a specific user of the group can be granted it)
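
The precedence in rules 2 to 6, written out as an added Python example (not ScrewTurn Wiki's own code), together with an audit helper that lists user-level grants cancelling a group-level deny, which is the rule 6 case most worth reviewing. The `U.`/`G.` subject prefixes, the `Contractors` group, the `ns:Docs` resource name and the user names are assumptions made for the example; AGB implications and resource inheritance are not modeled.

```python
# Added example: models only General Rules 1-6 from this page.
# AGB implications and resource inheritance are deliberately left out.
from collections import namedtuple

GRANT, DENY = "grant", "deny"
# subject is "U.<user>" or "G.<group>" (naming convention assumed for this example)
Entry = namedtuple("Entry", "subject resource action value")

def _values(entries, subject, resource, action):
    return {e.value for e in entries
            if (e.subject, e.resource, e.action) == (subject, resource, action)}

def is_allowed(entries, user, groups, resource, action):
    """True only when rules 1-6 yield an explicit grant."""
    own = _values(entries, "U." + user, resource, action)
    if own:                      # Rule 6: user entries outrank group entries
        return DENY not in own   # Rule 3: deny beats grant
    inherited = set()
    for g in groups:             # Rule 4: inherit from every group
        inherited |= _values(entries, "G." + g, resource, action)
    if DENY in inherited:        # Rule 5: one denying group is enough
        return False
    return GRANT in inherited    # Rule 2: no explicit grant means no access

def user_overrides_of_group_deny(entries, memberships):
    """Audit: user-level grants that cancel a group-level deny via rule 6."""
    found = []
    for e in entries:
        if not e.subject.startswith("U."):
            continue
        if _values(entries, e.subject, e.resource, e.action) != {GRANT}:
            continue
        for g in memberships.get(e.subject[2:], []):
            if DENY in _values(entries, "G." + g, e.resource, e.action):
                found.append((e.subject[2:], g, e.resource, e.action))
    return found

# Constructed sample data; "Contractors", "ns:Docs" and the user names are made up.
ACL = [
    Entry("G.Users", "ns:Docs", "Modify Pages", GRANT),
    Entry("G.Contractors", "ns:Docs", "Modify Pages", DENY),
    Entry("U.alice", "ns:Docs", "Modify Pages", GRANT),
]
MEMBERS = {"alice": ["Users", "Contractors"], "bob": ["Users", "Contractors"],
           "carol": ["Users"], "dave": []}
```

With this data, `bob` is blocked by the `Contractors` deny, while `alice` passes because her own grant is evaluated first; the audit helper reports exactly that override.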

Actions/Resources Reference

General rules as described above are applied to resources and actions that are specific to ScrewTurn Wiki.

Note: AGB means Also Granted By, i.e. the action is also granted by another action. All actions are, by default, also granted by Full Control, either on the same resource or on Globals: Full Control is therefore omitted from AGB lists for brevity.

Globals

The following actions are valid for global permissions. Global permissions are assigned to users or groups and are not mapped to any specific resource.

| Action | Description | AGB |
|---|---|---|
| Full Control | Full control on the wiki | n/a |
| Manage Accounts | Create, Edit, Delete user accounts | n/a |
| Manage Groups | Create, Edit, Delete user groups | n/a |
| Manage Pages and Categories | Create, Edit, Delete, Rename, Rollback pages and categories | n/a |
| Manage Page Discussions | Post, Edit, Delete messages in page discussions (including other users' messages) | n/a |
| Manage Namespaces | Create, Edit, Delete namespaces | n/a |
| Manage Configuration | Change the wiki configuration | n/a |
| Manage Providers | Upload, Configure, Enable/Disable providers | n/a |
| Manage Files and Directories | Upload, Rename, Delete files and attachments, Create, Rename, Delete directories | n/a |
| Manage Snippets and Templates | Create, Edit, Delete snippets and templates | n/a |
| Manage Navigation Paths | Create, Edit, Delete navigation paths | n/a |
| Manage Meta-Files | Edit meta-files (also known as content, see Content Editing administration page) | n/a |
| Manage Permissions | Change permissions of users and groups | n/a |

Namespaces

The following actions are valid for namespaces.

Note: by default, sub-namespaces inherit permissions from the root namespace.

| Action | Description | AGB | AGB from Globals |
|---|---|---|---|
| Full Control | Full control on the namespace | n/a | n/a |
| Read Pages | Read pages | Modify Pages, Create Pages, Delete Pages, Manage Pages | Manage Pages and Cat., Manage Namespaces |
| Modify Pages | Edit pages | Manage Pages | Manage Pages and Cat., Manage Namespaces |
| Create Pages | Create new pages | Manage Pages | Manage Pages and Cat., Manage Namespaces |
| Delete Pages | Delete, Rename pages | Manage Pages | Manage Pages and Cat., Manage Namespaces |
| Manage Pages | Create, Edit, Delete, Rename pages | n/a | Manage Pages and Cat., Manage Namespaces |
| Read Page Discussions | Read page discussions | Post Msg. in Page Disc., Manage Page Disc. | Manage Page Disc. |
| Post Messages in Page Discussions | Post messages in page discussions | Manage Page Disc. | Manage Page Disc. |
| Manage Page Discussions | Edit, Delete other users' messages in page discussions | Manage Pages | Manage Page Disc. |
| Manage Categories | Modify category bindings of pages, create and delete categories | Full Control | Manage Pages and Cat. |
| Download Attachments | Download page attachments | Upload Attachments, Delete Attachments | Manage Files |
| Upload Attachments | Upload page attachments | Delete Attachments | Manage Files |
| Delete Attachments | Delete, Rename page attachments | n/a | Manage Files |

Pages

The following actions are valid for pages.

Note: by default, pages inherit permissions from their namespace.

| Action | Description | AGB | AGB from Namespace | AGB from Globals |
|---|---|---|---|---|
| Full Control | Full control on the page | n/a | n/a | n/a |
| Read Page | Read the page | Modify Page, Manage Page | Read Pages, Modify Pages, Create Pages, Manage Pages, Delete Pages | Manage Pages and Cat., Manage Namespaces |
| Modify Page | Edit the page | Manage Page | Modify Pages, Create Pages, Manage Pages, Delete Pages | Manage Pages and Cat., Manage Namespaces |
| Manage Page | Delete, Rename the page | n/a | Manage Pages | Manage Pages and Cat., Manage Namespaces |
| Read Page Discussion | Read the page discussion | Post Msg. in Page Disc., Manage Page Disc. | Read Page Disc., Post Msg. in Page Disc., Manage Page Disc. | Manage Page Disc. |
| Post Messages in Page Discussion | Post messages in the page discussion | Manage Page Disc. | Post Msg. in Page Disc., Manage Page Disc. | Manage Page Disc. |
| Manage Page Discussion | Edit, Delete other users' messages in the page discussion | Manage Page | Manage Page Disc. | Manage Page Disc. |
| Manage Categories | Change page category binding | n/a | Manage Categories | Manage Pages and Cat. |
| Download Attachments | Download attachments | Upload Attn., Delete Attn. | Download Attn., Upload Attn., Delete Attn. | Manage Files |
| Upload Attachments | Upload attachments | Delete Attn. | Upload Attn. | Manage Files |
| Delete Attachments | Delete, Rename attachments | n/a | Delete Attn. | Manage Files |

Upload Directories

The following actions are valid for upload directories, i.e. directories managed with the File Management interface.

Note: directories inherit permissions from their parent.

| Action | Description | AGB | AGB from Globals |
|---|---|---|---|
| Full Control | Full control on the directory | n/a | n/a |
| List Contents | List the contents of the directory | Download Files, Upload Files, Delete Files, Create Directories, Delete Directories | Manage Files |
| Download Files | Download files | Upload Files, Delete Files, Create Directories, Delete Directories | Manage Files |
| Upload Files | Upload files | Delete Files | Manage Files |
| Delete Files | Delete, Rename files | n/a | Manage Files |
| Create Directories | Create directories | Delete Directories | Manage Files |
| Delete Directories | Delete, Rename directories | n/a | Manage Files |
