Access Control"

This website contains links to software which is either no longer maintained or will be supported only until the end of 2019 (CKFinder 2). For the latest documentation about current CKSource projects, including software like CKEditor 4/CKEditor 5, CKFinder 3, Cloud Services, Letters, Accessibility Checker, please visit the new documentation website.

If you look for an information about very old versions of CKEditor, FCKeditor and CKFinder check also the CKEditor forum, which was closed in 2015. If not, please head to StackOverflow for support.

(Example 2)
m (Reverted edits by Wiktor (Talk); changed back to last version by W.olchawa)
Line 1: Line 1:
 
__TOC__
 
__TOC__
  
Access control is a way you to give your users different permissions while working on folders and files. The default setting in the config.cfm file gives permission to every user and permits all the options. In order to change this configuration you must firstly know the basic of the '''config.accessControl''' structure placed in the config.cfm file. 
+
Access control is a way you to give your users different permissions while working on folders and files. The default setting in the config.cfm file gives permission to every user and permits all the options. In order to change this configuration you must firstly know the basic of the '''config.accessControl''' function placed in the config.cfm file. 
  
=== The syntax of the ACL Items ===
+
The syntax of the function:
 
<pre>config.accessControl[1] = structNew();
 
<pre>config.accessControl[1] = structNew();
 
config.accessControl[1].role = '*';
 
config.accessControl[1].role = '*';
 
config.accessControl[1].resourceType = '*';
 
config.accessControl[1].resourceType = '*';
 
config.accessControl[1].folder = '/';
 
config.accessControl[1].folder = '/';
 
 
config.accessControl[1].folderView = true;
 
config.accessControl[1].folderView = true;
 
config.accessControl[1].folderCreate = true;
 
config.accessControl[1].folderCreate = true;
 
config.accessControl[1].folderRename = true;
 
config.accessControl[1].folderRename = true;
 
config.accessControl[1].folderDelete = true;
 
config.accessControl[1].folderDelete = true;
 
 
config.accessControl[1].fileView = true;
 
config.accessControl[1].fileView = true;
 
config.accessControl[1].fileUpload = true;
 
config.accessControl[1].fileUpload = true;
 
config.accessControl[1].fileRename = true;
 
config.accessControl[1].fileRename = true;
 
config.accessControl[1].fileDelete = true;</pre>  
 
config.accessControl[1].fileDelete = true;</pre>  
{{ckfinder_acl_explanation}}
+
The three most important parameters of the "'''Access Control'''" function are:
 +
 
 +
=== role ===
 +
 
 +
The '''role'''is an attribute which sets the type of the user. It is set to "*" as default and you may treat as 'every user'. You may set this parameter to other name like: 'user' or 'limited_functions'. The name of the user type will be directly connected to the function the user may use.
  
==== Example 1 ====
+
=== resourceType ===
  
If you want to restrict the upload, rename or delete of files in the "Logos" folder of the resource type "Images":
+
The '''resourceType''' defines the resources handled in CKFinder. A resource type is nothing more than a way to group files under different paths, each one having different configuration settings. E.g. Images, Flash, Files.It is set to '*' as default and means that all of the resources are available.
<pre>
+
 
config.accessControl[3] = structNew();
+
=== folder ===
 +
 
 +
'''Folder''' determines where your limitations will be used. By placing the folders name you specify the place you want to put your restrictions in. It is set to '/' as default so no folder is set.
 +
 
 +
=== folder and file options <br> ===
 +
 
 +
The rest of the variables are bool type and can be set as '''true''' or '''false'''. True of course enables an option, false disables it.<br>Example:<br>If you want to restrict the upload, rename or delete of files in the "Logos" folder of the resource type "Images":
 +
<pre>config.accessControl[3] = structNew();
 
config.accessControl[3].role = '*';
 
config.accessControl[3].role = '*';
 
config.accessControl[3].resourceType = 'Images';
 
config.accessControl[3].resourceType = 'Images';
 
config.accessControl[3].folder = '/Logos';
 
config.accessControl[3].folder = '/Logos';
 
+
config.accessControl[3].fileUpload = false;
 +
config.accessControl[3].fileRename = false;
 +
config.accessControl[3].fileDelete = false;</pre>
 +
The above example only refers to file operations in the folder '/Logos' itself. It doesn't restrict operations on the folder so the user can delete or rename the folder. In order to limit users ability to modify the folder (not its context) you should change permissions in the parent folder.<br>Example:
 +
<pre>config.accessControl[3] = structNew();
 +
config.accessControl[3].role = '*';
 +
config.accessControl[3].resourceType = 'Images';
 +
config.accessControl[3].folder = '/';
 
config.accessControl[3].folderView = true;
 
config.accessControl[3].folderView = true;
 
config.accessControl[3].folderCreate = true;
 
config.accessControl[3].folderCreate = true;
config.accessControl[3].folderRename = true;
+
config.accessControl[3].folderRename = false;
config.accessControl[3].folderDelete = true;
+
config.accessControl[3].folderDelete = false;</pre>
 +
Now a user can view and create a folder, but he will be unable to rename or delete it. This is the best way to secure your folders from unauthorized access.
  
config.accessControl[3].fileView = true;
+
=== sessions ===
config.accessControl[3].fileUpload = false;
 
config.accessControl[3].fileRename = false;
 
config.accessControl[3].fileDelete = false;
 
</pre>
 
The above example only refers to file operations in the folder '/Logos' itself. It doesn't restrict operations on the folder so the user can delete or rename the folder. In order to limit users ability to modify the folder (not its context) you should change permissions in the parent folder.
 
  
==== Example 2 ====
+
In order to enable the access control options for different users you should initialize a session.
<pre>config.accessControl[2] = structNew();
 
config.accessControl[2].role = '*';
 
config.accessControl[2].resourceType = 'Images';
 
config.accessControl[2].folder = '/';
 
 
 
config.accessControl[2].folderView = true;
 
config.accessControl[2].folderCreate = true;
 
config.accessControl[2].folderRename = false;
 
config.accessControl[2].folderDelete = false;
 
 
 
config.accessControl[2].fileView = true;
 
config.accessControl[2].fileUpload = true;
 
config.accessControl[2].fileRename = true;
 
config.accessControl[2].fileDelete = true;
 
</pre>
 
Now a user can view and create a folder, but he will be unable to rename or delete it.&nbsp;<br>
 
 
 
=== Sessions ===
 
 
 
The roleSessionVar is a session variable name that CKFinder must use to retrieve the "role" of the current user.
 
 
<pre>config.roleSessionVar = 'CKFinder_UserRole';
 
<pre>config.roleSessionVar = 'CKFinder_UserRole';
 
</pre>  
 
</pre>  
To switch between different user roles, simply change the session variable:<br>
+
The session is a mechanism which will allow you to give different permissions to different users. <br>Example:<br>In your config.cfm file you create three different roles:
<pre>&lt;CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive"&gt;
 
&lt;CFSET session.CKFinder_UserRole="#newrole#"&gt;
 
&lt;/CFLOCK&gt;
 
</pre>
 
{{CKFinder Sessions|lang=ColdFusion}}
 
==== Example3 ====
 
  
In your config.cfm file you create three different roles: First role, '''every user''' (wildcard "*" is used):
+
First role '''admin''' '''(*)''':
 
<pre>config.accessControl[1] = structNew();
 
<pre>config.accessControl[1] = structNew();
 
config.accessControl[1].role = '*';
 
config.accessControl[1].role = '*';
 
config.accessControl[1].resourceType = '*';
 
config.accessControl[1].resourceType = '*';
 
config.accessControl[1].folder = '/';
 
config.accessControl[1].folder = '/';
config.accessControl[1].folderView = true;
+
config.accessControl[1].folderView = false;
 
config.accessControl[1].folderCreate = false;
 
config.accessControl[1].folderCreate = false;
 
config.accessControl[1].folderRename = false;
 
config.accessControl[1].folderRename = false;
 
config.accessControl[1].folderDelete = false;
 
config.accessControl[1].folderDelete = false;
config.accessControl[1].fileView = true;
+
config.accessControl[1].fileView = false;
 
config.accessControl[1].fileUpload = false;
 
config.accessControl[1].fileUpload = false;
 
config.accessControl[1].fileRename = false;
 
config.accessControl[1].fileRename = false;
 
config.accessControl[1].fileDelete = false;</pre>  
 
config.accessControl[1].fileDelete = false;</pre>  
Second role, '''registered''' user:
+
Second role '''user''':
 
<pre>config.accessControl[2] = structNew();
 
<pre>config.accessControl[2] = structNew();
config.accessControl[2].role = 'registered';
+
config.accessControl[2].role = 'user';
 
config.accessControl[2].resourceType = '*';
 
config.accessControl[2].resourceType = '*';
 
config.accessControl[2].folder = '/';
 
config.accessControl[2].folder = '/';
Line 98: Line 84:
 
config.accessControl[2].fileRename = false;
 
config.accessControl[2].fileRename = false;
 
config.accessControl[2].fileDelete = false;</pre>  
 
config.accessControl[2].fileDelete = false;</pre>  
Third role, '''admin''':
+
Third role '''guest''':
 
<pre>config.accessControl[3] = structNew();
 
<pre>config.accessControl[3] = structNew();
config.accessControl[3].role = 'admin';
+
config.accessControl[3].role = 'guest';
 
config.accessControl[3].resourceType = '*';
 
config.accessControl[3].resourceType = '*';
 
config.accessControl[3].folder = '/';
 
config.accessControl[3].folder = '/';
config.accessControl[3].folderView = true;
+
config.accessControl[3].folderView = false;
config.accessControl[3].folderCreate = true;
+
config.accessControl[3].folderCreate = false;
config.accessControl[3].folderRename = true;
+
config.accessControl[3].folderRename = false;
config.accessControl[3].folderDelete = true;
+
config.accessControl[3].folderDelete = false;
config.accessControl[3].fileView = true;
+
config.accessControl[3].fileView = false;
config.accessControl[3].fileUpload = true;
+
config.accessControl[3].fileUpload = false;
config.accessControl[3].fileRename = true;
+
config.accessControl[3].fileRename = false;
config.accessControl[3].fileDelete = true;</pre>  
+
config.accessControl[3].fileDelete = false;</pre>  
You've created three different users permissions. The default user (guest) is allowed to browse all files and folders. Registered user has also the ability to upload files and create folders. The administrator has full permissions.
+
You've created three different users permissions.
  
Now let's say you have an authentication mechanism somewhere in your web application. In this file, you assign one of the pre-defined roles to the user:
+
'''Important:''' Note that when the role is set to '''*''' the user always has administrative privileges even though all the options are set to '''false'''.
<pre>&lt;CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive"&gt;
 
&lt;CFSET session.CKFinder_UserRole="#admin#"&gt;
 
&lt;/CFLOCK&gt;
 
</pre>
 
if you want to use the admin role.
 
<pre>&lt;CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive"&gt;
 
&lt;CFSET session.CKFinder_UserRole="#registered#"&gt;
 
&lt;/CFLOCK&gt;
 
</pre>
 
if you want to use the role assigned to registered users.
 
<pre>&lt;CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive"&gt;
 
&lt;CFSET session.CKFinder_UserRole="#guest#"&gt;
 
&lt;/CFLOCK&gt;
 
</pre>
 
''guest'' doesn't have assigned any specific permissions, so the default values are used (defined with "*")
 
<pre>&lt;CFLOCK TIMEOUT="30" NAME="#session.sessionID#" TYPE="Exclusive"&gt;
 
&lt;CFSET session.CKFinder_UserRole="#any_other_value#"&gt;
 
&lt;/CFLOCK&gt;
 
</pre>
 
same situation, default values are used.
 

Revision as of 10:46, 12 March 2009

Access control is a way you to give your users different permissions while working on folders and files. The default setting in the config.cfm file gives permission to every user and permits all the options. In order to change this configuration you must firstly know the basic of the config.accessControl function placed in the config.cfm file. 

The syntax of the function:

config.accessControl[1] = structNew();
config.accessControl[1].role = '*';
config.accessControl[1].resourceType = '*';
config.accessControl[1].folder = '/';
config.accessControl[1].folderView = true;
config.accessControl[1].folderCreate = true;
config.accessControl[1].folderRename = true;
config.accessControl[1].folderDelete = true;
config.accessControl[1].fileView = true;
config.accessControl[1].fileUpload = true;
config.accessControl[1].fileRename = true;
config.accessControl[1].fileDelete = true;

The three most important parameters of the "Access Control" function are:

role

The roleis an attribute which sets the type of the user. It is set to "*" as default and you may treat as 'every user'. You may set this parameter to other name like: 'user' or 'limited_functions'. The name of the user type will be directly connected to the function the user may use.

resourceType

The resourceType defines the resources handled in CKFinder. A resource type is nothing more than a way to group files under different paths, each one having different configuration settings. E.g. Images, Flash, Files.It is set to '*' as default and means that all of the resources are available.

folder

Folder determines where your limitations will be used. By placing the folders name you specify the place you want to put your restrictions in. It is set to '/' as default so no folder is set.

folder and file options

The rest of the variables are bool type and can be set as true or false. True of course enables an option, false disables it.
Example:
If you want to restrict the upload, rename or delete of files in the "Logos" folder of the resource type "Images":

config.accessControl[3] = structNew();
config.accessControl[3].role = '*';
config.accessControl[3].resourceType = 'Images';
config.accessControl[3].folder = '/Logos';
config.accessControl[3].fileUpload = false;
config.accessControl[3].fileRename = false;
config.accessControl[3].fileDelete = false;

The above example only refers to file operations in the folder '/Logos' itself. It doesn't restrict operations on the folder so the user can delete or rename the folder. In order to limit users ability to modify the folder (not its context) you should change permissions in the parent folder.
Example:

config.accessControl[3] = structNew();
config.accessControl[3].role = '*';
config.accessControl[3].resourceType = 'Images';
config.accessControl[3].folder = '/';
config.accessControl[3].folderView = true;
config.accessControl[3].folderCreate = true;
config.accessControl[3].folderRename = false;
config.accessControl[3].folderDelete = false;

Now a user can view and create a folder, but he will be unable to rename or delete it. This is the best way to secure your folders from unauthorized access.

sessions

In order to enable the access control options for different users you should initialize a session.

config.roleSessionVar = 'CKFinder_UserRole';

The session is a mechanism which will allow you to give different permissions to different users.
Example:
In your config.cfm file you create three different roles:

First role admin (*):

config.accessControl[1] = structNew();
config.accessControl[1].role = '*';
config.accessControl[1].resourceType = '*';
config.accessControl[1].folder = '/';
config.accessControl[1].folderView = false;
config.accessControl[1].folderCreate = false;
config.accessControl[1].folderRename = false;
config.accessControl[1].folderDelete = false;
config.accessControl[1].fileView = false;
config.accessControl[1].fileUpload = false;
config.accessControl[1].fileRename = false;
config.accessControl[1].fileDelete = false;

Second role user:

config.accessControl[2] = structNew();
config.accessControl[2].role = 'user';
config.accessControl[2].resourceType = '*';
config.accessControl[2].folder = '/';
config.accessControl[2].folderView = true;
config.accessControl[2].folderCreate = true;
config.accessControl[2].folderRename = false;
config.accessControl[2].folderDelete = false;
config.accessControl[2].fileView = true;
config.accessControl[2].fileUpload = true;
config.accessControl[2].fileRename = false;
config.accessControl[2].fileDelete = false;

Third role guest:

config.accessControl[3] = structNew();
config.accessControl[3].role = 'guest';
config.accessControl[3].resourceType = '*';
config.accessControl[3].folder = '/';
config.accessControl[3].folderView = false;
config.accessControl[3].folderCreate = false;
config.accessControl[3].folderRename = false;
config.accessControl[3].folderDelete = false;
config.accessControl[3].fileView = false;
config.accessControl[3].fileUpload = false;
config.accessControl[3].fileRename = false;
config.accessControl[3].fileDelete = false;

You've created three different users permissions.

Important: Note that when the role is set to * the user always has administrative privileges even though all the options are set to false.