Access Control"

This website contains links to software which is either no longer maintained or will be supported only until the end of 2019 (CKFinder 2). For the latest documentation about current CKSource projects, including software like CKEditor 4/CKEditor 5, CKFinder 3, Cloud Services, Letters, Accessibility Checker, please visit the new documentation website.

If you look for an information about very old versions of CKEditor, FCKeditor and CKFinder check also the CKEditor forum, which was closed in 2015. If not, please head to StackOverflow for support.

Line 1: Line 1:
 
__TOC__
 
__TOC__
  
Access control is a way you to give your users different permissions while working on folders and files. The default setting in the ckfinder.config file gives permission to every user and permits all the options. In order to change this configuration you must firstly know the basic of the '''AccessControl''' function placed in the ckfinder.config file. 
+
Access Control Lists (ACL) are ways you to give your users different permissions while working on folders and files. The default settings in the config.ascx file give full permissions to all users. In order to change this configuration you must firstly know the basics of the '''AccessControl''' settings, which can be found in the config.ascx file. 
  
The syntax of the function:
+
This is the syntax for these settings:
<pre>&lt;AccessControl
+
<pre>AccessControl acl = AccessControl.Add();
role = "*"
+
acl.Role = "*";
resourceType = "*"
+
acl.ResourceType = "*";
folder = "/"  
+
acl.Folder = "/";
folderView = "true"
+
 
folderCreate = "true"
+
acl.FolderView = true;
folderRename = "true"
+
acl.FolderCreate = true;
folderDelete = "true"
+
acl.FolderRename = true;
fileView = "true"
+
acl.FolderDelete = true;
fileUpload = "true"
+
 
fileRename = "true"
+
acl.FileView = true;
fileDelete = "true"
+
acl.FileUpload = true;
/&gt;
+
acl.FileRename = true;
 +
acl.FileDelete = true;
 
</pre>  
 
</pre>  
The three most important parameters of the "'''Access Control'''" function are:
+
Basically, a single Access Control setting is defined in an instance of the AccessControl class, created with '''AccessControl.Add()'''.<br>
 +
 
 +
The most important (and required) properties of the "'''AccessControl'''" objects are: '''Role''', '''ResourceType''' and '''Folder.'''<br>
 +
 
 +
== Role<br> ==
 +
 
 +
The '''Role''' property sets the type of user defined by the ACL. If set to asterisk (*) it is treated as "all users". You may set this parameter to other names like "Admin" or "Redator". The name of the user type will be directly connected to the function the user are allowed to use. See [[RoleSessionVar]] for more information.<br>
  
=== role ===
+
== ResourceType ==
  
The '''role''' is an attribute which sets the type of the user. It is set to "*" as default and you may treat as "every user". You may set this parameter to other name like: "user or "limited_functions". The name of the user type will be directly connected to the function the user may use.
+
The '''ResourceType''' property defines the resource type related to a specific ACL setting. See Resource Types for more information.<br>
  
=== resourceType ===
+
If this property is set to asterisk (*) the defined ACL is valid for all resource settings definined in the configuration file.<br>
  
The '''resourceType''' defines the resources handled in CKFinder. A resource type is nothing more than a way to group files under different paths, each one having different configuration settings. E.g. Images, Flash, Files.It is set to "*" as default and means that all of the resources are available.
+
== Folder ==
  
=== folder ===
+
You can apply ACL settings to specific folders by using the'''Folder''' property. Just set it to the folder path. The settings will be recursivelly applied to all folders inside that path.
  
'''Folder''' determines where your limitations will be used. By placing the folders name you specify the place you want to put your restrictions in. It is set to '/' as default so no folder is set.
+
== Folder and File Options ==
  
=== folder and file options <br> ===
+
All other properties are related to the specific features to enabled/disable by the ACL setting. Just set them to '''true''' or '''false''' according to your needs. True of course enables an option, false disables it.
  
The rest of the variables are bool type and can be set as '''true''' or '''false'''. True of course enables an option, false disables it.<br>Example:<br>If you want to restrict the upload, rename or delete of files in the "Logos" folder of the resource type "Images":
+
For example, just add the following if you want to restrict the user to upload, rename or delete files in the "/Company/Logos" folder of the resource type "Images":
<pre>&lt;AccessControl
+
<pre>acl = AccessControl.Add();
role = "*"
+
acl.Role = "*";
resourceType = "Images"
+
acl.ResourceType = "Images";
folder = "/Logos"  
+
acl.Folder = "/Company/Logos/";
  
fileUpload = "false"
+
acl.FileUpload = false;
fileRename = "false"
+
acl.FileRename = false;
fileDelete = "false"
+
acl.FileDelete = false;
/&gt;
 
 
</pre>  
 
</pre>  
The above example only refers to file operations in the folder '/Logos' itself. It doesn't restrict operations on the folder so the user can delete or rename the folder. In order to limit users ability to modify the folder (not its context) you should change permissions in the parent folder.<br>Example:
+
Note that we are reusing the "acl" variable defined previously. You may have as many AccessControl.Add() calls as you want.
<pre>&lt;AccessControl
 
role = "*"
 
resourceType = "Images"
 
folder = "/"
 
  
folderView = "true"
+
The above example only refers to file operations in the "/Company/Logos" folder itself and all its child folders. It doesn't restrict operations on the folder so the user can delete or rename the folder.
folderCreate = "true"
 
folderRename = "false"
 
folderDelete = "false"
 
/&gt;</pre>
 
Now a user can view and create a folder, but he will be unable to rename or delete it. This is the best way to secure your folders from unauthorized access.
 
  
=== sessions ===
+
In order to limit users from modifying the folder (not its contents) you should change the permissions in its parent folder. For example:
 +
<pre>acl = AccessControl.Add();
 +
acl.Role = "*";
 +
acl.ResourceType = "Images";
 +
acl.Folder = "/Company/"
  
In order to enable the access control options for different users you should initialize a session.
+
folderCreate = true;
<pre>roleSessionVar = "CKFinder_UserRole"
+
folderRename = false;
 +
folderDelete = false;
 
</pre>  
 
</pre>  
The session is a mechanism which will allow you to give different permissions to different users. <br>Example:<br>In your config.php file you create three different roles:
+
Now a user can view and create a folder, but s/he will not be unable to rename or delete it. This is the best way to secure your folders from unauthorized access.
 +
 
 +
== RoleSessionVar<br> ==
 +
 
 +
CKFinder uses the server side session to identify the current user role. In order to enable the Access Control settings for different users, you should initialize a session variable when the user logs on your system.
  
First role '''admin''' '''(*)''':
+
To indicate CKFinder the name of the session variable to use to identify the user role, just use the RoleSessionVar setting. For example:
<pre>$config['AccessControl'][] = Array(
+
<pre>RoleSessionVar = "CKFinder_UserRole";
'role' =&gt; '*',
+
</pre>
'resourceType' =&gt; '*',
+
In the above example, the "CKFinder_UserRole" session variable value will be used to match the ACL entries defined previously. See [[Role]], above in this page.
'folder' =&gt; '/',
 
'folderView' =&gt; false,
 
'folderCreate' =&gt; false,
 
'folderRename' =&gt; false,
 
'folderDelete' =&gt; false,
 
  
'fileView' =&gt; false,
+
For example, in the config.ascx file you may the following three different roles:
'fileUpload' =&gt; false,
 
'fileRename' =&gt; false,
 
'fileDelete' =&gt; false);</pre>
 
Second role '''user''':
 
<pre>$config['AccessControl'][] = Array(
 
'role' =&gt; 'user',
 
'resourceType' =&gt; '*',
 
'folder' =&gt; '/',
 
'folderView' =&gt; true,
 
'folderCreate' =&gt; true,
 
'folderRename' =&gt; false,
 
'folderDelete' =&gt; false,
 
  
'fileView' =&gt; true,
+
The '''Admin''' role, which has full permissions:
'fileUpload' =&gt; true,
+
<pre>AccessControl acl = AccessControl.Add();
'fileRename' =&gt; false,
+
acl.Role = "Admin";
'fileDelete' =&gt; false);&nbsp;</pre>
+
acl.ResourceType = "*";
Third role '''guest''':
+
acl.Folder = "/";
<pre>$config['AccessControl'][] = Array(
 
'role' =&gt; 'guest',
 
'resourceType' =&gt; '*',
 
'folder' =&gt; '/',
 
'folderView' =&gt; true,
 
'folderCreate' =&gt; false,
 
'folderRename' =&gt; false,
 
'folderDelete' =&gt; false,
 
  
'fileView' =&gt; true,
+
acl.FolderView = true;
'fileUpload' =&gt; false,
+
acl.FolderCreate = true;
'fileRename' =&gt; false,
+
acl.FolderRename = true;
'fileDelete' =&gt; false); &nbsp;</pre>
+
acl.FolderDelete = true;
You've created three different users permissions.
 
  
'''Important:''' Note that when the role is set to '''*''' the user always has administrative privileges even though all the options are set to '''false'''.
+
acl.FileView = true;
 +
acl.FileUpload = true;
 +
acl.FileRename = true;
 +
acl.FileDelete = true;
 +
</pre>
 +
The '''User''' role, which cannot rename or delete files or folders:
 +
<pre>AccessControl acl = AccessControl.Add();
 +
acl.Role = "User";
 +
acl.ResourceType = "*";
 +
acl.Folder = "/";
 +
 
 +
acl.FolderView = true;
 +
acl.FolderCreate = true;
 +
acl.FolderRename = false;
 +
acl.FolderDelete = false;
 +
 
 +
acl.FileView = true;
 +
acl.FileUpload = true;
 +
acl.FileRename = false;
 +
acl.FileDelete = false;
 +
</pre>
 +
The '''Guest''' role, which can only view the folders contents:
 +
<pre>AccessControl acl = AccessControl.Add();
 +
acl.Role = "Guest";
 +
acl.ResourceType = "*";
 +
acl.Folder = "/";
 +
 
 +
acl.FolderView = true;
 +
acl.FolderCreate = false;
 +
acl.FolderRename = false;
 +
acl.FolderDelete = false;
 +
 
 +
acl.FileView = true;
 +
acl.FileUpload = false;
 +
acl.FileRename = false;
 +
acl.FileDelete = false;
 +
</pre>
 +
'''<br>'''

Revision as of 12:56, 11 January 2008

Access Control Lists (ACL) are ways you to give your users different permissions while working on folders and files. The default settings in the config.ascx file give full permissions to all users. In order to change this configuration you must firstly know the basics of the AccessControl settings, which can be found in the config.ascx file. 

This is the syntax for these settings:

AccessControl acl = AccessControl.Add();
acl.Role = "*";
acl.ResourceType = "*";
acl.Folder = "/";

acl.FolderView = true;
acl.FolderCreate = true;
acl.FolderRename = true;
acl.FolderDelete = true;

acl.FileView = true;
acl.FileUpload = true;
acl.FileRename = true;
acl.FileDelete = true;

Basically, a single Access Control setting is defined in an instance of the AccessControl class, created with AccessControl.Add().

The most important (and required) properties of the "AccessControl" objects are: Role, ResourceType and Folder.

Role

The Role property sets the type of user defined by the ACL. If set to asterisk (*) it is treated as "all users". You may set this parameter to other names like "Admin" or "Redator". The name of the user type will be directly connected to the function the user are allowed to use. See RoleSessionVar for more information.

ResourceType

The ResourceType property defines the resource type related to a specific ACL setting. See Resource Types for more information.

If this property is set to asterisk (*) the defined ACL is valid for all resource settings definined in the configuration file.

Folder

You can apply ACL settings to specific folders by using theFolder property. Just set it to the folder path. The settings will be recursivelly applied to all folders inside that path.

Folder and File Options

All other properties are related to the specific features to enabled/disable by the ACL setting. Just set them to true or false according to your needs. True of course enables an option, false disables it.

For example, just add the following if you want to restrict the user to upload, rename or delete files in the "/Company/Logos" folder of the resource type "Images":

acl = AccessControl.Add();
acl.Role = "*";
acl.ResourceType = "Images";
acl.Folder = "/Company/Logos/";

acl.FileUpload = false;
acl.FileRename = false;
acl.FileDelete = false;

Note that we are reusing the "acl" variable defined previously. You may have as many AccessControl.Add() calls as you want.

The above example only refers to file operations in the "/Company/Logos" folder itself and all its child folders. It doesn't restrict operations on the folder so the user can delete or rename the folder.

In order to limit users from modifying the folder (not its contents) you should change the permissions in its parent folder. For example:

acl = AccessControl.Add();
acl.Role = "*";
acl.ResourceType = "Images";
acl.Folder = "/Company/" 

folderCreate = true;
folderRename = false;
folderDelete = false;

Now a user can view and create a folder, but s/he will not be unable to rename or delete it. This is the best way to secure your folders from unauthorized access.

RoleSessionVar

CKFinder uses the server side session to identify the current user role. In order to enable the Access Control settings for different users, you should initialize a session variable when the user logs on your system.

To indicate CKFinder the name of the session variable to use to identify the user role, just use the RoleSessionVar setting. For example:

RoleSessionVar = "CKFinder_UserRole";

In the above example, the "CKFinder_UserRole" session variable value will be used to match the ACL entries defined previously. See Role, above in this page.

For example, in the config.ascx file you may the following three different roles:

The Admin role, which has full permissions:

AccessControl acl = AccessControl.Add();
acl.Role = "Admin";
acl.ResourceType = "*";
acl.Folder = "/";

acl.FolderView = true;
acl.FolderCreate = true;
acl.FolderRename = true;
acl.FolderDelete = true;

acl.FileView = true;
acl.FileUpload = true;
acl.FileRename = true;
acl.FileDelete = true;

The User role, which cannot rename or delete files or folders:

AccessControl acl = AccessControl.Add();
acl.Role = "User";
acl.ResourceType = "*";
acl.Folder = "/";

acl.FolderView = true;
acl.FolderCreate = true;
acl.FolderRename = false;
acl.FolderDelete = false;

acl.FileView = true;
acl.FileUpload = true;
acl.FileRename = false;
acl.FileDelete = false;

The Guest role, which can only view the folders contents:

AccessControl acl = AccessControl.Add();
acl.Role = "Guest";
acl.ResourceType = "*";
acl.Folder = "/";

acl.FolderView = true;
acl.FolderCreate = false;
acl.FolderRename = false;
acl.FolderDelete = false;

acl.FileView = true;
acl.FileUpload = false;
acl.FileRename = false;
acl.FileDelete = false;