Defining Access Control


(Article content moved to a template)
Line 1: Line 1:
__TOC__
+
{{Ckfinder_2.x_Access_Control_Description|file=<code>config.asp</code>|AccessControl=accessControl(0)}}
 +
<source lang="asp">Set accessControl(0) = DefineAccessControlItem("*", "*", "/", true, true, true, true, true, true, true, true)</source>
 +
The parameters are definied in the following order:
 +
<source lang="asp">Function DefineAccessControlItem( role, resourceType, folder, folderView, folderCreate, folderRename, folderDelete,
 +
fileView, fileUpload, fileRename, fileDelete )</source>
  
Access control is a way you to give your users different permissions while working on folders and files. The default setting in the config.asp file gives permission to every user and permits all the options. In order to change this configuration you must firstly know the basic of the '''accessControl(0)''' function placed in the config.asp file.&nbsp;
+
{{ckfinder_acl_explanation}}
  
=== The syntax of the ACL Items ===
+
{{Ckfinder_2.x_ACL_Examples|example1=
 +
<source lang="asp">Set accessControl(1) = DefineAccessControlItem("*", "Images", "/Logos", true, true, true, true, true, false, false, false)</source>|example2=  
 +
<source lang="asp">Set accessControl(1) = DefineAccessControlItem("*", "Images", "/", true, true, false, false, true, false, false, false)</source>}}
  
The syntax of the ACL entries is as followed:
+
<note>Remember to adjust <code>Dim accessControl(0)</code> to <code>Dim accessControl(1)</code> as necessary.
<pre>Set accessControl(0) = DefineAccessControlItem("*", "*", "/", true, true, true, true, true, true, true, true)</pre>  
+
</note>
Functions are definied in the following order:
 
<pre>Function DefineAccessControlItem( role, resourceType, folder, folderView, folderCreate, folderRename, folderDelete, fileView, fileUpload, fileRename, fileDelete )</pre>  
 
* '''role'''<br>The role is an attribute which sets the type of the user. It is set to "*" as default and you may treat as 'every user'. You may set this parameter to other name like: 'user' or 'limited_functions'. The name of the user type will be directly connected to the function the user may use.
 
  
* '''resourceType'''<br>The resourceType defines the resources handled in CKFinder. A resource type is nothing more than a way to group files under different paths, each one having different configuration settings. e.g. ''Images, Flash, Files''.It is set to "*" as default and means that all of the resources are available.
 
  
* '''folder'''<br>Folder determines where your limitations will be used. By placing the folders name you specify the place you want to put your restrictions in. It is set to "/" as default so no folder is set.
+
{{CKFinder_2.x Sessions|lang=ASP|roleSessionVar=RoleSessionVar|file=<code>config.asp</code>|code1=
 
+
<source lang="asp">CKFinder_Config.Add "RoleSessionVar", "CKFinder_UserRole"</source>|code2=
* '''folder and file options''' <br>The rest of the variables are bool type and can be set as '''true''' or '''false'''. True of course enables an option, false disables it.
+
<source lang="asp"><% Session("CKFinder_UserRole")="admin" %></source>|code3=  
 
+
<source lang="asp">Set accessControl(1) = DefineAccessControlItem("*", "*", "/", true, false, false, false, true, false, false, false)</source>|code4=
* '''other information'''<br> Many "AccessControl" entries can be added. All attributes are optional.
+
<source lang="asp">Set accessControl(2) = DefineAccessControlItem("registered", "*", "/", true, true, false, false, true, true, false, false)</source>|code5=
 
+
<source lang="asp">Set accessControl(3) = DefineAccessControlItem("admin", "*", "/", true, true, true, true, true, true, true, true)</source>}} You can assign one of the pre-defined roles to the user &mdash; using the admin role:
Subfolders inherit their default settings from their parents' definitions.
+
{{CKFinder_2.x Sessions_Details|code1=
 
+
<source lang="asp"><% Session("CKFinder_UserRole")="admin" %></source>|code2=
==== Example 1 ====
+
<source lang="asp"><% Session("CKFinder_UserRole")="registered" %></source>|code3=
 
+
<source lang="asp"><% Session("CKFinder_UserRole")="guest" %></source>|code4=
If you want to restrict the upload, rename or delete of files in the "Logos" folder of the resource type "Images":
+
<source lang="asp"><% Session("CKFinder_UserRole")="any_other_value" %></source>}}
<pre>Set accessControl(1) = DefineAccessControlItem("*", "Images", "/Logos", true, true, true, true, true, false, false, false)</pre>  
 
The above example only refers to file operations in the folder "/Logos" itself. It doesn't restrict operations on the folder so the user can delete or rename the folder. In order to limit users ability to modify the folder (not its contents) you should change permissions in the parent folder.
 
 
 
==== Example 2 ====
 
<pre>Set accessControl(1) = DefineAccessControlItem("*", "Images", "/", true, true, false, false, true, false, false, false)</pre>
 
Now a user can view and create a folder, but he will be unable to rename or delete it.
 
 
 
'''Note''':Please, remember to adjust Dim accessControl(0) to Dim accessControl(1) as necessary.<br>
 
 
 
=== Sessions ===
 
 
 
The RoleSessionVar is a session variable name that CKFinder must use to retrieve the "role" of the current user.
 
<pre>CKFinder_Config.Add "RoleSessionVar", "CKFinder_UserRole"
 
</pre>  
 
To switch between different user roles, simply change the session variable:
 
<pre>&lt;%
 
Session("CKFinder_UserRole")="admin"
 
%&gt;</pre>  
 
==== Example 3 ====
 
 
 
In your config.asp file you can create three different roles:<br> First role, '''every user''' (wildcard "*" is used):
 
<pre>Set accessControl(1) = DefineAccessControlItem("*", "*", "/", true, false, false, false, true, false, false, false)
 
</pre>  
 
Second role '''registered user''':
 
<pre>Set accessControl(2) = DefineAccessControlItem("registered", "*", "/", true, true, false, false, true, true, false, false)
 
</pre>  
 
Third role '''admin''':
 
<pre>Set accessControl(3) = DefineAccessControlItem("admin", "*", "/", true, true, true, true, true, true, true, true)
 
</pre>  
 
You've created three different users permissions. The default user (everybody) is allowed to browse all files and folders. Registered user has also the ability to upload files and create folders. The administrator has full permissions.
 
 
 
'''<br>'''
 
 
 
Now let's say you have an authentication mechanism somewhere in your web application. Command and assign one of the pre-defined roles to the user:
 
<pre>&lt;%
 
Session("CKFinder_UserRole")="admin"
 
%&gt;</pre>  
 
if you want to use the admin role.
 
<pre>&lt;%
 
Session("CKFinder_UserRole")="registered"
 
%&gt;</pre>  
 
if you want to use the role assigned to registered users.
 
<pre>&lt;%
 
Session("CKFinder_UserRole")="guest"
 
%&gt;</pre>  
 
''guest'' doesn't have assigned any specific permissions, so the default values are used (defined with "*")
 
<pre>&lt;%
 
Session("CKFinder_UserRole")="any_other_value"
 
%&gt;</pre>  
 
same situation, default values are used.
 
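Review bot: the typo "definied" survives in the added line `The parameters are definied in the following order:` (the rendered revision below repeats it); change it to "defined". Separately, the added `<note>` element encloses `<pre>Set accessControl(0) = DefineAccessControlItem("*", "*", "/", true, true, true, true, true, true, true, true)</pre>` together with the Dim accessControl(0)/accessControl(1) reminder, so the full-permission default line is presented as part of the note rather than as the syntax example it was in the old revision; move the `<pre>` out of the `<note>`, since the same line is already given in the `<source lang="asp">` block at the top of the new text.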

Revision as of 11:06, 31 March 2011

Access Control List (ACL) is a method to grant your users different permissions for working with CKFinder folders and files. The default settings placed in the config.asp file grant full permissions for all options to every user.

In order to change this configuration option you should learn the basics of the accessControl(0) settings placed in the configuration file.

Access Control List Syntax

The syntax of the ACL entries is as follows:

Set accessControl(0) = DefineAccessControlItem("*", "*", "/", true, true, true, true, true, true, true, true)

The parameters are defined in the following order:

Function DefineAccessControlItem( role, resourceType, folder, folderView, folderCreate, folderRename, folderDelete,
fileView, fileUpload, fileRename, fileDelete )

Access Control List entries are defined using the following values:

  • role – this attribute sets the type of the user. By default it is set to *, which can be treated as "everybody". You may set this parameter to another name such as user or limited_functions. The name of the user type will be directly related to the functions the user can make use of.
  • resourceType – this setting defines the resources handled in CKFinder. A resource type is nothing more than a way to group files under different paths, each having different configuration settings (like Images, Flash, Files). By default it is set to * which means that all resources are available.
  • folder – this setting determines where the restrictions will be used. By declaring a folder name you specify the place you want to put your restrictions on. By default it is set to /, which means no specific folder is selected and the entry applies from the root of the resource type.
  • folder* and file* options – these variables are of Boolean type and can be set to true or false. The true setting enables an option, false disables it.
  • It is possible to define numerous ACL entries. All attributes are optional. Subfolders inherit their default settings from their parents' definitions.

Access Control List Examples

Have a look at the following examples that present various permission configurations in order to learn more about using Access Control Lists in CKFinder.

Example 1

If you want to restrict the upload, renaming, or deletion of files in the Logos folder of the resource type Images, use the following ACL settings.

Set accessControl(1) = DefineAccessControlItem("*", "Images", "/Logos", true, true, true, true, true, false, false, false)

This example only refers to file operations in the /Logos folder. It does not restrict operations on the folder, so the user can delete or rename it. In order to limit users' ability to modify the folder itself (not its contents), you should change permissions in the parent folder.

Example 2

The following settings restrict folder operations for the Images resource type.

Set accessControl(1) = DefineAccessControlItem("*", "Images", "/", true, true, false, false, true, false, false, false)

Now a user can view and create a folder, but will be unable to rename or delete it.

Explaining Folder Path for Example 1

In the first example above the /Logos path was used in the ACL definition. Note that this is not an absolute path to a folder on the server.

Let us assume that the absolute path on the server to the application folder is /sites/example.com/ and the path to the userfiles folder is /sites/example.com/userfiles/. There is also an Images resource type which in this case points to /sites/example.com/userfiles/images/.

Knowing the above, let us define the correct path for the Logos folder located in /sites/example.com/userfiles/images/Logos. The key is to define the path relative to the resource type (in this case the resource type is Images, pointing to /sites/example.com/userfiles/images/), thus the value that needs to be assigned to the ACL folder property is /Logos/.

Please also note that:

  • The folder path has to start with a slash character.
  • If you use the * wildcard for the resource type, CKFinder will look through all resource types and apply the ACL to every folder that matches the rule, for example Files:/Logos, Flash:/Logos.


Important note

Remember to adjust Dim accessControl(0) to Dim accessControl(1) as necessary.


Sessions

The RoleSessionVar is a session variable name that CKFinder must use to retrieve the role of the current user.

CKFinder_Config.Add "RoleSessionVar", "CKFinder_UserRole"

To switch between different user roles, change the session variable:

<% Session("CKFinder_UserRole")="admin" %>


Example 3

In your config.asp file you can create three different roles.

First role is assigned to every user (wildcard * is used):

Set accessControl(1) = DefineAccessControlItem("*", "*", "/", true, false, false, false, true, false, false, false)

Second role defines a registered user:

Set accessControl(2) = DefineAccessControlItem("registered", "*", "/", true, true, false, false, true, true, false, false)

Third role defines the administrator:

Set accessControl(3) = DefineAccessControlItem("admin", "*", "/", true, true, true, true, true, true, true, true)

With the above settings you have created three different user permission sets. The default user (everybody) is allowed to browse all files and folders. A registered user also has the ability to upload files and create folders. The administrator is granted full permissions.

Now suppose you have an authentication mechanism somewhere in your Web application. You can assign one of the pre-defined roles to the user — using the admin role:

<% Session("CKFinder_UserRole")="admin" %>

If you want to use the role assigned to registered users, use the following settings:

<% Session("CKFinder_UserRole")="registered" %>

A guest does not have any specific permissions granted, so the default values (defined with the * wildcard) are used:

<% Session("CKFinder_UserRole")="guest" %>

The same situation would happen here, where the default values would be used.

<% Session("CKFinder_UserRole")="any_other_value" %>
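To make the rules from the syntax section and Examples 1 to 3 concrete, here is an added Python model of how an ACL is resolved for a role; it is not CKFinder's own code. It assumes that entries are applied in definition order with later matching entries overriding earlier ones, that * matches any role or resource type, that an entry covers its folder and all subfolders, and that folder rename/delete is checked against the parent folder as the remark under Example 1 states.

```python
# Added example, not CKFinder's own code: a Python model of the ACL rules this page
# describes. Assumptions (CKFinder's own evaluator may differ in tie-breaking):
# entries are applied in definition order and later matching entries override
# earlier ones; "*" matches any role or resource type; an entry covers its folder
# and every subfolder; a role with no entries of its own only gets the "*" entries.
PERMS = ("folderView", "folderCreate", "folderRename", "folderDelete",
         "fileView", "fileUpload", "fileRename", "fileDelete")

def define_access_control_item(role, resource_type, folder, *flags):
    """Same parameter order as DefineAccessControlItem in config.asp."""
    if len(flags) != len(PERMS):
        raise ValueError("expected exactly 8 boolean permissions")
    if not folder.startswith("/"):
        raise ValueError("folder path has to start with a slash character")
    folder = folder.rstrip("/") or "/"      # "/Logos/" and "/Logos" name the same folder
    return (role, resource_type, folder, dict(zip(PERMS, (bool(f) for f in flags))))

def _folder_covered(entry_folder, folder):
    """True if the entry's folder is `folder` itself or one of its ancestors."""
    folder = folder.rstrip("/") or "/"
    return entry_folder == "/" or folder == entry_folder or folder.startswith(entry_folder + "/")

def computed_permissions(acl, role, resource_type, folder):
    """Effective permissions for `role` working in resource_type:folder."""
    result = dict.fromkeys(PERMS, False)    # nothing is allowed until an entry grants it
    for entry_role, entry_type, entry_folder, perms in acl:
        if entry_role not in ("*", role):
            continue
        if entry_type not in ("*", resource_type):
            continue
        if _folder_covered(entry_folder, folder):
            result.update(perms)            # later entries win over earlier ones
    return result

def can_modify_folder(acl, role, resource_type, folder, action):
    """Renaming or deleting a folder is governed by its parent's permissions (as the
    page says for Example 1), so the lookup is done on the parent, not the folder."""
    if action not in ("folderRename", "folderDelete"):
        raise ValueError("action must be folderRename or folderDelete")
    parent = folder.rstrip("/").rpartition("/")[0] or "/"
    return computed_permissions(acl, role, resource_type, parent)[action]

def role_from_session(session, role_session_var="CKFinder_UserRole"):
    """Mirror of RoleSessionVar: the role is whatever the session variable holds.
    A missing variable behaves like "guest" or any other unknown value: only the
    "*" entries apply, so the defaults decide what such a user may do."""
    return session.get(role_session_var, "")
```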