Access Control Lists (ACL)

DokuWiki — like most wikis — is very open by default. Everyone is allowed to create, edit and delete pages. However, sometimes it makes sense to restrict access to certain or all pages. This is when the Access Control List (ACL) comes into play. This page gives an overview of how ACLs work in DokuWiki and how they are configured.

:!: WARNING: DokuWiki's ACL feature has been included for some time and should be pretty stable. However, if you are concerned about the risk of unauthorized users accessing information in your wiki, you should never put it on a computer accessible from the Internet.

Information should be categorized as public (world readable), private (world is blocked, signed in or group has access), or sensitive (not stored in the wiki at all; for example, passwords should be kept in a password manager).

Access Restrictions

Access restrictions can be bound to pages and namespaces. There are seven permissions: none, read, edit, create, upload, delete and admin. Each higher permission contains the lower ones, with read being the lowest and delete the highest one. You should note that create, upload and delete permissions can only be assigned to namespaces.

Rules set on a namespace apply to the media namespace as well as to the page namespace.

When DokuWiki checks which rights it should give to a user, it uses all rules matching the user's name or the groups he or she is in. The rule that provides a user's permission is chosen according to the following process:

  • Rules which match closer to the namespace:page are preferred over rules which match further away—we call this “specific matching”.
  • When more than one rule matches at the same level, the rule giving the highest access level is preferred.

Users are in the groups they were assigned to in the user manager (or the auth backend). However there are two groups that are somewhat special:

  • @ALL Everyone, even users not logged in, is a member of the ALL group. You can use this group to restrict access for all users (as a default setting) and then relax the permissions for some selected users.
  • @user All self-registered users are by default automatically a member of the group 'user'. Use this to give permissions to 'logged-in' users. The name of this group is configured through the defaultgroup option. Unlike the virtual “ALL” group, the “user” group is a real group to which all users are added automatically when using the plain auth backend. If you use a different backend you need to use the groups provided by this backend.

Groups are represented internally and in the ACL manager by a prepended @ character to the group name.
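
The matching process and group notation described above can be checked with the following Python function, added here as an illustration and not taken from DokuWiki's code. The rule tuples, the user name `alice` and the `staff` group are constructed for the example, and the admin level is left out.

```python
# Added example: effective-permission lookup following the two matching rules.
# Permission order is taken from the page (admin omitted); the rule set is constructed.
LEVELS = ["none", "read", "edit", "create", "upload", "delete"]

# (scope, subject, permission): scope is a page id, "ns:*" or "*" for the root.
RULES = [
    ("*",               "@ALL",   "read"),
    ("*",               "@user",  "edit"),
    ("private:*",       "@ALL",   "none"),
    ("private:*",       "@staff", "edit"),
    ("private:hr:*",    "@staff", "read"),
    ("private:hr:plan", "alice",  "edit"),
]

def scopes(page_id):
    """Yield scopes from most to least specific: the page, then each enclosing namespace."""
    yield page_id
    parts = page_id.split(":")[:-1]
    while parts:
        yield ":".join(parts) + ":*"
        parts.pop()
    yield "*"

def effective_permission(page_id, user=None, groups=(), rules=RULES):
    """Return the permission name granted by the closest matching level."""
    # Everyone, logged in or not, is a member of @ALL.
    subjects = {"@ALL"} | {"@" + g for g in groups}
    if user:
        subjects.add(user)
    for scope in scopes(page_id):
        matched = [perm for s, subj, perm in rules if s == scope and subj in subjects]
        if matched:
            # Several rules at one level: the highest access level wins.
            return max(matched, key=LEVELS.index)
    return "none"  # assumption: no matching rule means no access

if __name__ == "__main__":
    for page, user, groups in [("start", None, ()), ("private:notes", "bob", ("user",)),
                               ("private:hr:plan", "carol", ("user", "staff"))]:
        print(page, user, effective_permission(page, user, groups))
```

Note that the root-level `edit` grant for `@user` has no effect under `private:`, because the closer `private:*` rule for `@ALL` is the only one that matches a plain logged-in user there, while a `staff` member regains `edit` through the higher rule at that same level.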

Editing ACLs

Only Wiki Administrators can update ACLs.

Permissions

Name      Permission
None      No Permission - Locked Out
Read      Read Only
Edit      Read and Write Existing Pages
Create    New Pages Can Be Created
Upload    Media Files May Be Uploaded
Delete    Media Files May Be Overwritten or Deleted

ACL Info Plugin

The following code may be included in the sidebar and displays the ACLs affecting the current page.

**Access Control List**
~~NOCACHE~~
~~ACLINFO~~

Private Pages and Namespaces

Anonymous users are denied access to pages or any page under a namespace with the name private.

wiki/acl.txt · Last modified: Wednesday, October 11, 2023 08:25 PM by Nathan C. McGuire