m (moved CKFinder/Developers Guide/ColdFusion/Configuration/Access Control to CKFinder 1.x/Developers Guide/ColdFusion/Configuration/Access Control) |
|||
(4 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
__TOC__ | __TOC__ | ||
− | Access control is a way you to give your users different permissions while working on folders and files. The default setting in the config.cfm file gives permission to every user and permits all the options. In order to change this configuration you must firstly know the basic of the '''config.accessControl''' | + | Access control is a way you to give your users different permissions while working on folders and files. The default setting in the config.cfm file gives permission to every user and permits all the options. In order to change this configuration you must firstly know the basic of the '''config.accessControl''' structure placed in the config.cfm file. |
− | The syntax of the | + | === The syntax of the ACL Items === |
<pre>config.accessControl[1] = structNew(); | <pre>config.accessControl[1] = structNew(); | ||
config.accessControl[1].role = '*'; | config.accessControl[1].role = '*'; | ||
config.accessControl[1].resourceType = '*'; | config.accessControl[1].resourceType = '*'; | ||
config.accessControl[1].folder = '/'; | config.accessControl[1].folder = '/'; | ||
+ | |||
config.accessControl[1].folderView = true; | config.accessControl[1].folderView = true; | ||
config.accessControl[1].folderCreate = true; | config.accessControl[1].folderCreate = true; | ||
config.accessControl[1].folderRename = true; | config.accessControl[1].folderRename = true; | ||
config.accessControl[1].folderDelete = true; | config.accessControl[1].folderDelete = true; | ||
+ | |||
config.accessControl[1].fileView = true; | config.accessControl[1].fileView = true; | ||
config.accessControl[1].fileUpload = true; | config.accessControl[1].fileUpload = true; | ||
config.accessControl[1].fileRename = true; | config.accessControl[1].fileRename = true; | ||
config.accessControl[1].fileDelete = true;</pre> | config.accessControl[1].fileDelete = true;</pre> | ||
− | + | {{ckfinder_acl_explanation}} | |
− | === | + | ==== Example 1 ==== |
− | + | If you want to restrict the upload, rename or delete of files in the "Logos" folder of the resource type "Images": | |
+ | <pre> | ||
+ | config.accessControl[2] = structNew(); | ||
+ | config.accessControl[2].role = '*'; | ||
+ | config.accessControl[2].resourceType = 'Images'; | ||
+ | config.accessControl[2].folder = '/Logos'; | ||
− | === | + | config.accessControl[2].folderView = true; |
+ | config.accessControl[2].folderCreate = true; | ||
+ | config.accessControl[2].folderRename = true; | ||
+ | config.accessControl[2].folderDelete = true; | ||
− | + | config.accessControl[2].fileView = true; | |
− | + | config.accessControl[2].fileUpload = false; | |
− | + | config.accessControl[2].fileRename = false; | |
− | + | config.accessControl[2].fileDelete = false; | |
− | ''' | + | </pre> |
− | + | The above example only refers to file operations in the folder '/Logos' itself. It doesn't restrict operations on the folder so the user can delete or rename the folder. In order to limit users ability to modify the folder (not its contents) you should change permissions in the parent folder. | |
− | |||
− | + | ==== Example 2 ==== | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
<pre>config.accessControl[3] = structNew(); | <pre>config.accessControl[3] = structNew(); | ||
config.accessControl[3].role = '*'; | config.accessControl[3].role = '*'; | ||
config.accessControl[3].resourceType = 'Images'; | config.accessControl[3].resourceType = 'Images'; | ||
config.accessControl[3].folder = '/'; | config.accessControl[3].folder = '/'; | ||
+ | |||
config.accessControl[3].folderView = true; | config.accessControl[3].folderView = true; | ||
config.accessControl[3].folderCreate = true; | config.accessControl[3].folderCreate = true; | ||
config.accessControl[3].folderRename = false; | config.accessControl[3].folderRename = false; | ||
− | config.accessControl[3].folderDelete = false;</pre> | + | config.accessControl[3].folderDelete = false; |
− | Now a user can view and create a folder, but he will be unable to rename or delete it. | + | |
+ | config.accessControl[3].fileView = true; | ||
+ | config.accessControl[3].fileUpload = true; | ||
+ | config.accessControl[3].fileRename = true; | ||
+ | config.accessControl[3].fileDelete = true; | ||
+ | </pre> | ||
+ | Now a user can view and create a folder, but he will be unable to rename or delete it. <br> | ||
− | === | + | === Sessions === |
− | + | The roleSessionVar is a session variable name that CKFinder must use to retrieve the "role" of the current user. | |
<pre>config.roleSessionVar = 'CKFinder_UserRole'; | <pre>config.roleSessionVar = 'CKFinder_UserRole'; | ||
</pre> | </pre> | ||
− | + | To switch between different user roles, simply change the session variable:<br> | |
+ | <pre><CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive"> | ||
+ | <CFSET session.CKFinder_UserRole="#newrole#"> | ||
+ | </CFLOCK> | ||
+ | </pre> | ||
+ | {{CKFinder Sessions|lang=ColdFusion}} | ||
+ | ==== Example3 ==== | ||
− | First role ''' | + | In your config.cfm file you create three different roles: First role, '''every user''' (wildcard "*" is used): |
<pre>config.accessControl[1] = structNew(); | <pre>config.accessControl[1] = structNew(); | ||
config.accessControl[1].role = '*'; | config.accessControl[1].role = '*'; | ||
config.accessControl[1].resourceType = '*'; | config.accessControl[1].resourceType = '*'; | ||
config.accessControl[1].folder = '/'; | config.accessControl[1].folder = '/'; | ||
− | config.accessControl[1].folderView = | + | config.accessControl[1].folderView = true; |
config.accessControl[1].folderCreate = false; | config.accessControl[1].folderCreate = false; | ||
config.accessControl[1].folderRename = false; | config.accessControl[1].folderRename = false; | ||
config.accessControl[1].folderDelete = false; | config.accessControl[1].folderDelete = false; | ||
− | config.accessControl[1].fileView = | + | config.accessControl[1].fileView = true; |
config.accessControl[1].fileUpload = false; | config.accessControl[1].fileUpload = false; | ||
config.accessControl[1].fileRename = false; | config.accessControl[1].fileRename = false; | ||
config.accessControl[1].fileDelete = false;</pre> | config.accessControl[1].fileDelete = false;</pre> | ||
− | Second role ''' | + | Second role, '''registered''' user: |
<pre>config.accessControl[2] = structNew(); | <pre>config.accessControl[2] = structNew(); | ||
− | config.accessControl[2].role = ' | + | config.accessControl[2].role = 'registered'; |
config.accessControl[2].resourceType = '*'; | config.accessControl[2].resourceType = '*'; | ||
config.accessControl[2].folder = '/'; | config.accessControl[2].folder = '/'; | ||
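Review bot: Example 3 assigns config.accessControl[1] through config.accessControl[3] again, the same indices already used by the syntax block, Example 1 ('/Logos') and Example 2 ('Images'), so a reader who pastes the examples in order overwrites the earlier entries without noticing. Say explicitly that Example 3 replaces the earlier entries, or continue the numbering. The new heading "==== Example3 ====" is also missing the space used in "Example 1" and "Example 2", and the opening sentence still reads "a way you to give" on the new side.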
Line 84: | Line 98: | ||
config.accessControl[2].fileRename = false; | config.accessControl[2].fileRename = false; | ||
config.accessControl[2].fileDelete = false;</pre> | config.accessControl[2].fileDelete = false;</pre> | ||
− | Third role ''' | + | Third role, '''admin''': |
<pre>config.accessControl[3] = structNew(); | <pre>config.accessControl[3] = structNew(); | ||
− | config.accessControl[3].role = ' | + | config.accessControl[3].role = 'admin'; |
config.accessControl[3].resourceType = '*'; | config.accessControl[3].resourceType = '*'; | ||
config.accessControl[3].folder = '/'; | config.accessControl[3].folder = '/'; | ||
− | config.accessControl[3].folderView = | + | config.accessControl[3].folderView = true; |
− | config.accessControl[3].folderCreate = | + | config.accessControl[3].folderCreate = true; |
− | config.accessControl[3].folderRename = | + | config.accessControl[3].folderRename = true; |
− | config.accessControl[3].folderDelete = | + | config.accessControl[3].folderDelete = true; |
− | config.accessControl[3].fileView = | + | config.accessControl[3].fileView = true; |
− | config.accessControl[3].fileUpload = | + | config.accessControl[3].fileUpload = true; |
− | config.accessControl[3].fileRename = | + | config.accessControl[3].fileRename = true; |
− | config.accessControl[3].fileDelete = | + | config.accessControl[3].fileDelete = true;</pre> |
− | You've created three different users permissions. | + | You've created three different users permissions. The default user (guest) is allowed to browse all files and folders. Registered user has also the ability to upload files and create folders. The administrator has full permissions. |
− | ' | + | Now let's say you have an authentication mechanism somewhere in your web application. In this file, you assign one of the pre-defined roles to the user: |
+ | <pre><CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive"> | ||
+ | <CFSET session.CKFinder_UserRole="#admin#"> | ||
+ | </CFLOCK> | ||
+ | </pre> | ||
+ | if you want to use the admin role. | ||
+ | <pre><CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive"> | ||
+ | <CFSET session.CKFinder_UserRole="#registered#"> | ||
+ | </CFLOCK> | ||
+ | </pre> | ||
+ | if you want to use the role assigned to registered users. | ||
+ | <pre><CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive"> | ||
+ | <CFSET session.CKFinder_UserRole="#guest#"> | ||
+ | </CFLOCK> | ||
+ | </pre> | ||
+ | ''guest'' doesn't have assigned any specific permissions, so the default values are used (defined with "*") | ||
+ | <pre><CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive"> | ||
+ | <CFSET session.CKFinder_UserRole="#any_other_value#"> | ||
+ | </CFLOCK> | ||
+ | </pre> | ||
+ | same situation, default values are used. |
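Review bot: in the added CFSET lines the role values are wrapped in pound signs ("#admin#", "#registered#", "#guest#", "#any_other_value#"), so ColdFusion evaluates them as variables named admin, registered and so on instead of the role strings that the ACL entries above define ('admin', 'registered'). Unless such variables happen to exist the request fails, and if they do exist the role becomes whatever they contain. Use string literals, for example session.CKFinder_UserRole="admin", and keep the "#newrole#" form only in the generic snippet where a variable is intended. The trailing captions ("if you want to use the admin role.") would also read better as lead-ins before each block.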
Latest revision as of 07:46, 28 May 2010
Access control is a way to give your users different permissions while working on folders and files. The default setting in the config.cfm file gives permission to every user and permits all the options. To change this configuration you must first know the basics of the config.accessControl structure placed in the config.cfm file.
The syntax of the ACL Items
<pre>config.accessControl[1] = structNew();
config.accessControl[1].role = '*';
config.accessControl[1].resourceType = '*';
config.accessControl[1].folder = '/';

config.accessControl[1].folderView = true;
config.accessControl[1].folderCreate = true;
config.accessControl[1].folderRename = true;
config.accessControl[1].folderDelete = true;

config.accessControl[1].fileView = true;
config.accessControl[1].fileUpload = true;
config.accessControl[1].fileRename = true;
config.accessControl[1].fileDelete = true;</pre>
Access Control List entries are defined using the following values:
- role – this attribute sets the type of the user. By default it is set to * which can be treated as "everybody". You may set this parameter to another name, like user or limited_functions. The name of the user type will be directly related to the functions the user can make use of.
- resourceType – this setting defines the resources handled in CKFinder. A resource type is nothing more than a way to group files under different paths, each having different configuration settings (like Images, Flash, Files). By default it is set to * which means that all resources are available.
- folder – this setting determines where the restrictions will be used. By declaring a folder name you specify the place you want to put your restrictions on. By default it is set to /, so no folder is set.
- folder* and file* options – these variables are of Boolean type and can be set to true or false. The true setting enables an option, false disables it.

It is possible to define numerous ACL entries. All attributes are optional. Subfolders inherit their default settings from their parents' definitions.
Example 1
If you want to restrict the upload, rename or delete of files in the "Logos" folder of the resource type "Images":
<pre>config.accessControl[2] = structNew();
config.accessControl[2].role = '*';
config.accessControl[2].resourceType = 'Images';
config.accessControl[2].folder = '/Logos';

config.accessControl[2].folderView = true;
config.accessControl[2].folderCreate = true;
config.accessControl[2].folderRename = true;
config.accessControl[2].folderDelete = true;

config.accessControl[2].fileView = true;
config.accessControl[2].fileUpload = false;
config.accessControl[2].fileRename = false;
config.accessControl[2].fileDelete = false;</pre>
The above example only refers to file operations in the folder '/Logos' itself. It doesn't restrict operations on the folder, so the user can still delete or rename the folder. To limit users' ability to modify the folder (not its contents), you should change permissions in the parent folder.
Example 2
<pre>config.accessControl[3] = structNew();
config.accessControl[3].role = '*';
config.accessControl[3].resourceType = 'Images';
config.accessControl[3].folder = '/';

config.accessControl[3].folderView = true;
config.accessControl[3].folderCreate = true;
config.accessControl[3].folderRename = false;
config.accessControl[3].folderDelete = false;

config.accessControl[3].fileView = true;
config.accessControl[3].fileUpload = true;
config.accessControl[3].fileRename = true;
config.accessControl[3].fileDelete = true;</pre>
Now a user can view and create a folder, but he will be unable to rename or delete it.
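The default entry and both examples above grant write operations to the wildcard role "*". The following check is an added example, not CKFinder code: it lists every ACL entry that lets "everybody" create, rename, delete or upload. It assumes config.accessControl is a ColdFusion array of structs as built in config.cfm; findOpenAclEntries and the sample data are hypothetical names constructed for illustration.

```cfml
<cfscript>
// Added example, not part of CKFinder. Returns one message per ACL entry
// that grants a write operation to the wildcard role '*'.
function findOpenAclEntries(acl) {
    var writeFlags = "folderCreate,folderRename,folderDelete,fileUpload,fileRename,fileDelete";
    var findings = arrayNew(1);
    var granted = "";
    var flag = "";
    var i = 0;
    var j = 0;
    for (i = 1; i lte arrayLen(acl); i = i + 1) {
        // A missing role counts as '*', the documented default.
        if (not structKeyExists(acl[i], "role") or acl[i].role eq "*") {
            granted = "";
            for (j = 1; j lte listLen(writeFlags); j = j + 1) {
                flag = listGetAt(writeFlags, j);
                // Only flags explicitly set to true are reported.
                if (structKeyExists(acl[i], flag) and acl[i][flag]) {
                    granted = listAppend(granted, flag);
                }
            }
            if (listLen(granted)) {
                arrayAppend(findings, "entry " & i & ": role '*' grants " & granted);
            }
        }
    }
    return findings;
}

// Constructed sample: the every-user entry from Example 2.
sample = arrayNew(1);
sample[1] = structNew();
sample[1].role = "*";
sample[1].resourceType = "Images";
sample[1].folder = "/";
sample[1].folderCreate = true;
sample[1].folderRename = false;
sample[1].folderDelete = false;
sample[1].fileUpload = true;
report = findOpenAclEntries(sample);
</cfscript>
```

Run it against config.accessControl after config.cfm has been loaded and review each reported entry before exposing the connector to unauthenticated visitors.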
Sessions
The roleSessionVar is a session variable name that CKFinder must use to retrieve the "role" of the current user.
config.roleSessionVar = 'CKFinder_UserRole';
To switch between different user roles, simply change the session variable:
<pre><CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive">
<CFSET session.CKFinder_UserRole="#newrole#">
</CFLOCK>
</pre>
Example 3
In your config.cfm file you create three different roles.
First role, every user (wildcard "*" is used):
<pre>config.accessControl[1] = structNew();
config.accessControl[1].role = '*';
config.accessControl[1].resourceType = '*';
config.accessControl[1].folder = '/';
config.accessControl[1].folderView = true;
config.accessControl[1].folderCreate = false;
config.accessControl[1].folderRename = false;
config.accessControl[1].folderDelete = false;
config.accessControl[1].fileView = true;
config.accessControl[1].fileUpload = false;
config.accessControl[1].fileRename = false;
config.accessControl[1].fileDelete = false;</pre>
Second role, registered user:
<pre>config.accessControl[2] = structNew();
config.accessControl[2].role = 'registered';
config.accessControl[2].resourceType = '*';
config.accessControl[2].folder = '/';
config.accessControl[2].folderView = true;
config.accessControl[2].folderCreate = true;
config.accessControl[2].folderRename = false;
config.accessControl[2].folderDelete = false;
config.accessControl[2].fileView = true;
config.accessControl[2].fileUpload = true;
config.accessControl[2].fileRename = false;
config.accessControl[2].fileDelete = false;</pre>
Third role, admin:
<pre>config.accessControl[3] = structNew();
config.accessControl[3].role = 'admin';
config.accessControl[3].resourceType = '*';
config.accessControl[3].folder = '/';
config.accessControl[3].folderView = true;
config.accessControl[3].folderCreate = true;
config.accessControl[3].folderRename = true;
config.accessControl[3].folderDelete = true;
config.accessControl[3].fileView = true;
config.accessControl[3].fileUpload = true;
config.accessControl[3].fileRename = true;
config.accessControl[3].fileDelete = true;</pre>
You've created three different sets of user permissions. The default user (guest) is allowed to browse all files and folders. A registered user also has the ability to upload files and create folders. The administrator has full permissions.
Now let's say you have an authentication mechanism somewhere in your web application. In that code, you assign one of the pre-defined roles to the user:
To use the admin role:
<pre><CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive">
<CFSET session.CKFinder_UserRole="admin">
</CFLOCK>
</pre>
To use the role assigned to registered users:
<pre><CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive">
<CFSET session.CKFinder_UserRole="registered">
</CFLOCK>
</pre>
The guest role has no specific permissions assigned, so the default values (defined with "*") are used:
<pre><CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive">
<CFSET session.CKFinder_UserRole="guest">
</CFLOCK>
</pre>
Any other value gives the same situation; the default values are used:
<pre><CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive">
<CFSET session.CKFinder_UserRole="any_other_value">
</CFLOCK>
</pre>
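Because the session variable alone decides which ACL entries apply, the role should be derived from server-side state and checked against the roles defined in config.cfm. The following is an added example, not CKFinder code; session.appUserGroup is a hypothetical value that your own login code stores after it has verified the user.

```cfml
<!--- Added example, not part of CKFinder.
      session.appUserGroup is a hypothetical value written by your login code. --->

<!--- Roles that have their own ACL entry in config.cfm (Example 3). --->
<cfset allowedRoles = "registered,admin">

<!--- Start from the least privileged role; "guest" has no entry of its own,
      so it receives only the permissions defined for "*". --->
<cfset newRole = "guest">

<CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive">
    <!--- Take the role only from the session, never from url or form scope,
          and accept it only if it is one of the configured roles. --->
    <cfif structKeyExists(session, "appUserGroup")
          and isSimpleValue(session.appUserGroup)
          and listFind(allowedRoles, session.appUserGroup)>
        <cfset newRole = session.appUserGroup>
    </cfif>
    <cfset session.CKFinder_UserRole = newRole>
</CFLOCK>

<!--- On logout, remove the role so the next request falls back to "*". --->
<CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive">
    <cfset structDelete(session, "CKFinder_UserRole")>
</CFLOCK>
```

The first part belongs right after a successful login and the last block in your logout handler; the two are shown together only for brevity.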