Access Control List (ACL) is a method to grant your users different permissions for working with CKFinder folders and files. The default settings placed in the config.ascx file grant full permissions for all options to every user.
In order to change this configuration option you should learn the basics of the AccessControl settings placed in the configuration file.
Access Control List Syntax
The syntax of the ACL entries is as follows:
AccessControl acl = AccessControl.Add();
acl.Role = "*";
acl.ResourceType = "*";
acl.Folder = "/";
acl.FolderView = true;
acl.FolderCreate = true;
acl.FolderRename = true;
acl.FolderDelete = true;
acl.FileView = true;
acl.FileUpload = true;
acl.FileRename = true;
acl.FileDelete = true;
Basically, a single Access Control setting is defined in an instance of the AccessControl class, created with the AccessControl.Add() method.
The most important (and required) properties of the AccessControl objects are: Role, ResourceType and Folder.
Role Property
The Role property sets the type of user defined by the ACL. If set to an asterisk (*), it is treated as "all users". You may set this parameter to other names like "Admin" or "Editor". The name of the user type will be directly connected to the functions the user is allowed to use. See RoleSessionVar for more information.
ResourceType Property
The ResourceType property defines the resource type related to a specific ACL setting. See the Resource Types section for more information.
If this property is set to an asterisk (*), the defined ACL is valid for all resource types defined in the configuration file.
Folder Property
You can apply ACL settings to specific folders by using the Folder property. Just set it to the folder path. The settings will be recursively applied to all folders inside that path.
Folder and File Options
All other properties are related to specific features to enable/disable by the ACL setting. Just set them to true or false according to your needs. Setting an option to true enables it, while setting it to false disables it.
For example, just add the following configuration code if you want to restrict the user from uploading, renaming, or deleting files in the /Company/Logos folder of the Images resource type:
acl = AccessControl.Add();
acl.Role = "*";
acl.ResourceType = "Images";
acl.Folder = "/Company/Logos/";
acl.FileUpload = false;
acl.FileRename = false;
acl.FileDelete = false;
Note that we are reusing the previously defined acl variable. You may use as many AccessControl.Add() calls as you wish.
The above example only refers to file operations inside the /Company/Logos folder and all its child folders. It does not restrict operations on the folder itself, so the user can still delete or rename the folder.
In order to restrict users from modifying the folder (not its contents) you should change the permissions in its parent folder. For example:
acl = AccessControl.Add();
acl.Role = "*";
acl.ResourceType = "Images";
acl.Folder = "/Company/";
acl.FolderCreate = true;
acl.FolderRename = false;
acl.FolderDelete = false;
Now a user can view and create a folder, but will not be able to rename or delete it. This is the best way to secure your folders from unauthorized access.
More About Folder Path
In the example above the /Company/Logos path was used in the ACL definition. It is rather obvious that this is not an absolute path to a folder on the server.
Let us assume that the absolute path on the server to the application folder is /sites/example.com/ and the path to the userfiles folder is /sites/example.com/userfiles/. There is also the Images resource type which in this case points to /sites/example.com/userfiles/images/.
Knowing the above we will define the correct path for the Logos folder located in /sites/example.com/userfiles/images/Company/Logos. The key is to define a path relative to the resource type (in this case the resource type is Images pointing to /sites/example.com/userfiles/images/), thus the value that needs to be assigned to the ACL Folder property is /Company/Logos/.
If an ACL for both the Company and Logos folders needs to be defined, it is enough to assign just the /Company path.
Please also note that:
- The folder path has to start with a slash character.
- If you use a wildcard for a resource type (acl.ResourceType = "*";), CKFinder will look through all resource types and apply the ACL to every folder that matches the rule, for example Files:/Company/Logos, Flash:/Company/Logos.
RoleSessionVar
CKFinder uses the server-side session to identify the current user role. In order to enable the Access Control settings for different users, you should initialize a session variable when the user logs into your system.
To pass the name of the session variable that identifies the user role to CKFinder, use the RoleSessionVar setting. For example:
RoleSessionVar = "CKFinder_UserRole";
In the above example, the value of the CKFinder_UserRole session variable will be used to match the ACL entries defined previously. See the Role Property section above.
For example, in the config.ascx file you may assign the following three different roles:
The Admin role that has full permissions:
AccessControl acl = AccessControl.Add();
acl.Role = "Admin";
acl.ResourceType = "*";
acl.Folder = "/";
acl.FolderView = true;
acl.FolderCreate = true;
acl.FolderRename = true;
acl.FolderDelete = true;
acl.FileView = true;
acl.FileUpload = true;
acl.FileRename = true;
acl.FileDelete = true;
The User role that can neither rename nor delete files or folders:
// Reuse the acl variable declared for the Admin role; redeclaring it would not compile.
acl = AccessControl.Add();
acl.Role = "User";
acl.ResourceType = "*";
acl.Folder = "/";
acl.FolderView = true;
acl.FolderCreate = true;
acl.FolderRename = false;
acl.FolderDelete = false;
acl.FileView = true;
acl.FileUpload = true;
acl.FileRename = false;
acl.FileDelete = false;
The Guest role that can only view the folder contents:
acl = AccessControl.Add();
acl.Role = "Guest";
acl.ResourceType = "*";
acl.Folder = "/";
acl.FolderView = true;
acl.FolderCreate = false;
acl.FolderRename = false;
acl.FolderDelete = false;
acl.FileView = true;
acl.FileUpload = false;
acl.FileRename = false;
acl.FileDelete = false;
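To check what a set of entries like the ones above actually grants before deploying them, the following added example (not CKFinder code; AclEntry, AclAudit and Effective are hypothetical stand-ins) models the three roles together with the /Company/Logos/ restriction from the Folder section and computes the effective options per role. It assumes the resolution order described on this page: entries whose Role and ResourceType match (or are "*") and whose Folder is the folder or an ancestor apply, shallowest folder first, later entries overriding earlier ones.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for CKFinder's AccessControl: same property names as
// config.ascx, but this is an audit model, not the product's own class.
class AclEntry
{
    public string Role = "*", ResourceType = "*", Folder = "/";
    // null means "not set by this entry", so it never overrides an earlier entry.
    public Dictionary<string, bool?> Options = new Dictionary<string, bool?>();
    public AclEntry Set(string option, bool value) { Options[option] = value; return this; }
}

static class AclAudit
{
    // Assumed resolution order (our model of the page's description): keep entries
    // whose Role/ResourceType match or are "*" and whose Folder is the folder itself
    // or an ancestor (recursive match); apply them shallowest first, later ones win.
    public static Dictionary<string, bool> Effective(
        List<AclEntry> acl, string role, string resourceType, string folder)
    {
        var effective = new Dictionary<string, bool>();
        var matching = acl
            .Where(e => e.Role == "*" || e.Role == role)
            .Where(e => e.ResourceType == "*" || e.ResourceType == resourceType)
            .Where(e => folder.StartsWith(e.Folder.TrimEnd('/') + "/"))
            .OrderBy(e => e.Folder.TrimEnd('/').Count(c => c == '/')); // stable sort
        foreach (var e in matching)
            foreach (var kv in e.Options)
                if (kv.Value.HasValue) effective[kv.Key] = kv.Value.Value;
        return effective;
    }

    static void Main()
    {
        // The three roles from config.ascx, reduced to the two options we inspect.
        var acl = new List<AclEntry>
        {
            new AclEntry { Role = "Admin" }.Set("FileUpload", true).Set("FolderDelete", true),
            new AclEntry { Role = "User" }.Set("FileUpload", true).Set("FolderDelete", false),
            new AclEntry { Role = "Guest" }.Set("FileUpload", false).Set("FolderDelete", false),
            // The wildcard-role restriction on /Company/Logos/ from the Images example.
            new AclEntry { ResourceType = "Images", Folder = "/Company/Logos/" }.Set("FileUpload", false),
        };
        foreach (var role in new[] { "Admin", "User", "Guest" })
        {
            var p = Effective(acl, role, "Images", "/Company/Logos/");
            // Role "*" applies to everyone, so even Admin loses FileUpload in this folder.
            Console.WriteLine($"{role}: FileUpload={p["FileUpload"]} FolderDelete={p["FolderDelete"]}");
        }
    }
}
```

Under these assumptions Admin ends up with FileUpload=False but FolderDelete=True in /Company/Logos/, which is the kind of interaction between a wildcard-role entry and a privileged role that is easy to miss when reading config.ascx by hand.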