Access Control Lists (ACL) are ways you to give your users different permissions while working on folders and files. The default settings in the config.ascx file give full permissions to all users. In order to change this configuration you must firstly know the basics of the AccessControl settings, which can be found in the config.ascx file.
This is the syntax for these settings:
AccessControl acl = AccessControl.Add(); acl.Role = "*"; acl.ResourceType = "*"; acl.Folder = "/"; acl.FolderView = true; acl.FolderCreate = true; acl.FolderRename = true; acl.FolderDelete = true; acl.FileView = true; acl.FileUpload = true; acl.FileRename = true; acl.FileDelete = true;
Basically, a single Access Control setting is defined in an instance of the AccessControl class, created with AccessControl.Add().
The most important (and required) properties of the "AccessControl" objects are: Role, ResourceType and Folder.
Role
The Role property sets the type of user defined by the ACL. If set to asterisk (*) it is treated as "all users". You may set this parameter to other names like "Admin" or "Redator". The name of the user type will be directly connected to the function the user are allowed to use. See RoleSessionVar for more information.
ResourceType
The ResourceType property defines the resource type related to a specific ACL setting. See Resource Types for more information.
If this property is set to asterisk (*) the defined ACL is valid for all resource settings definined in the configuration file.
Folder
You can apply ACL settings to specific folders by using theFolder property. Just set it to the folder path. The settings will be recursivelly applied to all folders inside that path.
Folder and File Options
All other properties are related to the specific features to enabled/disable by the ACL setting. Just set them to true or false according to your needs. True of course enables an option, false disables it.
For the below example, folders with the following absolute path on disk will be used: /sites/example.com/userfiles/images/Company/Logos
.
- Userfiles is default folder where files are kept. Its path is
/sites/example.com/userfiles/
. - There is default
"Images"
resource type that points to"/sites/example.com/userfiles/images/"
. - Folders
Company
andLogos
are subfolders of resopurce type"Images"
.
To specify ACL for Company
and Logos
folders, acl.Folder="/Company"
needs to be entered.
To specify ACL for Logos
folder, acl.Folder="/Company/Logos"
needs to be entered.
Please note that:
- Folders' path has to start from slash.
- Resource types can’t be entered in folders’ path (thus there isn't any
images
orImages
in the path). - If you use a wildcard for resource type (
acl.ResourceType = "*";
), CKFinder will look through all resource types and apply ACL to every folder that matches the rule, e.g.Files:/Company/Logos
,Flash:/Company/Logos
.
To restrict the user to upload, rename or delete files in the "/Company/Logos" folder of the resource type "Images", just add the following:
acl = AccessControl.Add(); acl.Role = "*"; acl.ResourceType = "Images"; acl.Folder = "/Company/Logos/"; acl.FileUpload = false; acl.FileRename = false; acl.FileDelete = false;
Note that we are reusing the "acl" variable defined previously. You may have as many AccessControl.Add() calls as you want.
The above example only refers to file operations in the "/Company/Logos" folder itself and all its child folders. It doesn't restrict operations on the folder so the user can delete or rename the folder.
In order to limit users from modifying the folder (not its contents) you should change the permissions in its parent folder. For example:
acl = AccessControl.Add(); acl.Role = "*"; acl.ResourceType = "Images"; acl.Folder = "/Company/" folderCreate = true; folderRename = false; folderDelete = false;
Now a user can view and create a folder, but s/he will not be unable to rename or delete it. This is the best way to secure your folders from unauthorized access.
RoleSessionVar
CKFinder uses the server side session to identify the current user role. In order to enable the Access Control settings for different users, you should initialize a session variable when the user logs on your system.
To indicate CKFinder the name of the session variable to use to identify the user role, just use the RoleSessionVar setting. For example:
RoleSessionVar = "CKFinder_UserRole";
In the above example, the "CKFinder_UserRole" session variable value will be used to match the ACL entries defined previously. See Role, above in this page.
For example, in the config.ascx file you may the following three different roles:
The Admin role, which has full permissions:
AccessControl acl = AccessControl.Add(); acl.Role = "Admin"; acl.ResourceType = "*"; acl.Folder = "/"; acl.FolderView = true; acl.FolderCreate = true; acl.FolderRename = true; acl.FolderDelete = true; acl.FileView = true; acl.FileUpload = true; acl.FileRename = true; acl.FileDelete = true;
The User role, which cannot rename or delete files or folders:
AccessControl acl = AccessControl.Add(); acl.Role = "User"; acl.ResourceType = "*"; acl.Folder = "/"; acl.FolderView = true; acl.FolderCreate = true; acl.FolderRename = false; acl.FolderDelete = false; acl.FileView = true; acl.FileUpload = true; acl.FileRename = false; acl.FileDelete = false;
The Guest role, which can only view the folders contents:
AccessControl acl = AccessControl.Add(); acl.Role = "Guest"; acl.ResourceType = "*"; acl.Folder = "/"; acl.FolderView = true; acl.FolderCreate = false; acl.FolderRename = false; acl.FolderDelete = false; acl.FileView = true; acl.FileUpload = false; acl.FileRename = false; acl.FileDelete = false;