Access Control

This website contains links to software which is either no longer maintained or will be supported only until the end of 2019 (CKFinder 2). For the latest documentation about current CKSource projects, including software like CKEditor 4/CKEditor 5, CKFinder 3, Cloud Services, Letters, Accessibility Checker, please visit the new documentation website.

If you are looking for information about very old versions of CKEditor, FCKeditor and CKFinder, check also the CKEditor forum, which was closed in 2015. Otherwise, please head to StackOverflow for support.

 

Latest revision as of 07:46, 28 May 2010

Access control is a way to give your users different permissions when working on folders and files. The default settings in the config.php file give every user permission for all operations. To change this configuration you must first understand the basics of the $config['AccessControl'] settings in the config.php file.

The syntax of the ACL Items

The syntax of the ACL entries is as follows:

$config['AccessControl'][] = Array(
'role' => '*',
'resourceType' => '*',
'folder' => '/',

'folderView' => true,
'folderCreate' => true,
'folderRename' => true,
'folderDelete' => true,

'fileView' => true,
'fileUpload' => true,
'fileRename' => true,
'fileDelete' => true);

Access Control List entries are defined using the following values:

  • role – this attribute sets the type of the user. By default it is set to * which can be treated as "everybody". You may set this parameter to another name, like user or limited_functions. The name of the user type will be directly related to the functions the user can make use of.
  • resourceType – this setting defines the resources handled in CKFinder. A resource type is nothing more than a way to group files under different paths, each having different configuration settings (like Images, Flash, Files). By default it is set to * which means that all resources are available.
  • folder – this setting determines where the restrictions will be used. By declaring a folder name you specify the place you want to put your restrictions on. By default it is set to /, so no folder is set.
  • folder* and file* options – these variables are of Boolean type and can be set to true or false. The true setting enables an option, false disables it.
  • It is possible to define numerous ACL entries. All attributes are optional. Subfolders inherit their default settings from their parents' definitions.


Example 1

If you want to restrict uploading, renaming or deleting files in the "Logos" folder of the "Images" resource type:

$config['AccessControl'][] = Array(
'role' => '*',
'resourceType' => 'Images',
'folder' => '/Logos', 

'folderView' => true,
'folderCreate' => true,
'folderRename' => true,
'folderDelete' => true,

'fileView' => true,
'fileUpload' => false,
'fileRename' => false,
'fileDelete' => false);

The above example only refers to file operations in the folder '/Logos' itself. It does not restrict operations on the folder, so the user can still delete or rename the folder. In order to limit the users' ability to modify the folder itself (not its contents) you should change the permissions in the parent folder.
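As an added illustration (this is not CKFinder's own code; the override order and the parent-folder semantics are assumed for the demonstration), the PHP below models how the ACL items listed above combine for a request, why an unknown role falls back to the "*" entries, and why the folder operations on /Logos in Example 1 are decided by the entry for its parent folder:

```php
<?php
// Added illustrative model, not CKFinder's own implementation: entries are
// applied in order, a later matching entry overrides earlier values, and a
// folder inherits settings from its ancestors (assumed semantics).
// Constructed ACL: the page's default entry, Example 1 for /Logos, and a
// hypothetical 'guest' entry that locks folder changes in the parent '/'.
$acl = [
    ['role' => '*', 'resourceType' => '*', 'folder' => '/',
     'folderView' => true, 'folderCreate' => true, 'folderRename' => true, 'folderDelete' => true,
     'fileView' => true, 'fileUpload' => true, 'fileRename' => true, 'fileDelete' => true],
    ['role' => '*', 'resourceType' => 'Images', 'folder' => '/Logos',
     'fileUpload' => false, 'fileRename' => false, 'fileDelete' => false],
    ['role' => 'guest', 'resourceType' => 'Images', 'folder' => '/',
     'folderRename' => false, 'folderDelete' => false],
];

// True when the entry's folder is $path itself or one of its ancestors.
function folderMatches(string $aclFolder, string $path): bool {
    $aclFolder = rtrim($aclFolder, '/') . '/';
    $path = rtrim($path, '/') . '/';
    return strpos($path, $aclFolder) === 0;
}

// Merge every matching entry; an unknown role only matches the '*' entries,
// which is why 'guest' or 'any_other_value' fall back to the defaults.
function effectivePermissions(array $acl, string $role, string $type, string $path): array {
    $perms = [];
    foreach ($acl as $entry) {
        $r = $entry['role'] ?? '*';
        $t = $entry['resourceType'] ?? '*';
        if (($r !== '*' && $r !== $role) || ($t !== '*' && $t !== $type)) continue;
        if (!folderMatches($entry['folder'] ?? '/', $path)) continue;
        foreach ($entry as $key => $value) {
            if (is_bool($value)) $perms[$key] = $value;   // later entries win
        }
    }
    return $perms;
}

// Renaming or deleting a folder is governed by its parent's permissions.
function canDeleteFolder(array $acl, string $role, string $type, string $path): bool {
    $parent = dirname(rtrim($path, '/'));   // '/Logos' -> '/'
    return effectivePermissions($acl, $role, $type, $parent)['folderDelete'] ?? false;
}

$inLogos = effectivePermissions($acl, 'user', 'Images', '/Logos');   // Example 1 entry applies
echo 'upload to /Logos: ', var_export($inLogos['fileUpload'], true), PHP_EOL;
echo 'user deletes /Logos: ', var_export(canDeleteFolder($acl, 'user', 'Images', '/Logos'), true), PHP_EOL;
echo 'guest deletes /Logos: ', var_export(canDeleteFolder($acl, 'guest', 'Images', '/Logos'), true), PHP_EOL;
```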

Example 2

$config['AccessControl'][] = Array(
'role' => '*',
'resourceType' => 'Images',
'folder' => '/', 

'folderView' => true,
'folderCreate' => true,
'folderRename' => false,
'folderDelete' => false,

'fileView' => true,
'fileUpload' => true,
'fileRename' => true,
'fileDelete' => true);

Now a user can view and create a folder, but will be unable to rename or delete it.

Sessions

The RoleSessionVar setting holds the name of the session variable that CKFinder uses to retrieve the "role" of the current user.

$config['RoleSessionVar'] = 'CKFinder_UserRole';

To switch between different user roles, simply change the session variable:

$_SESSION['CKFinder_UserRole'] = "admin";

Please read the Sessions article for more information about using session variables.

Example 3

In your config.php file you can create three different roles:

First role, every user (wildcard "*" is used):

$config['AccessControl'][] = Array(
'role' => '*',
'resourceType' => '*',
'folder' => '/', 

'folderView' => true,
'folderCreate' => false,
'folderRename' => false,
'folderDelete' => false,

'fileView' => true,
'fileUpload' => false,
'fileRename' => false,
'fileDelete' => false);

Second role, registered user:

$config['AccessControl'][] = Array(
'role' => 'registered',
'resourceType' => '*',
'folder' => '/', 

'folderView' => true,
'folderCreate' => true,
'folderRename' => false,
'folderDelete' => false,

'fileView' => true,
'fileUpload' => true,
'fileRename' => false,
'fileDelete' => false);

Third role, admin:

$config['AccessControl'][] = Array(
'role' => 'admin',
'resourceType' => '*',
'folder' => '/', 

'folderView' => true,
'folderCreate' => true,
'folderRename' => true,
'folderDelete' => true,

'fileView' => true,
'fileUpload' => true,
'fileRename' => true,
'fileDelete' => true);

You have now created three different sets of user permissions. The default user (everybody) is allowed to browse all files and folders. A registered user additionally has the ability to upload files and create folders. The administrator has full permissions.


Now let's say you have an authentication mechanism somewhere in your web application. In that file you initialize the session with the session_start(); call and assign one of the pre-defined roles to the user:

$_SESSION['CKFinder_UserRole'] = 'admin';

if you want to use the admin role.

$_SESSION['CKFinder_UserRole'] = 'registered';

if you want to use the role assigned to registered users.

$_SESSION['CKFinder_UserRole'] = 'guest';

guest has no specific permissions assigned, so the default values (defined with "*") are used.

$_SESSION['CKFinder_UserRole'] = 'any_other_value';

Same situation: the default values are used.

This page was last edited on 28 May 2010, at 07:46.