Access Control List

This website contains links to software which is either no longer maintained or will be supported only until the end of 2019 (CKFinder 2). For the latest documentation about current CKSource projects, including software like CKEditor 4/CKEditor 5, CKFinder 3, Cloud Services, Letters, Accessibility Checker, please visit the new documentation website.

ACL – Access Control List

CKFinder comes with a powerful ACL feature, which makes it possible to define ACL settings at any level in the repository directories and subfolders. It also implements a simple role system for ACLs.

In the configuration file, many <AccessControl /> nodes can be created to define ACLs. All attributes defined in AccessControl nodes are optional, and each one overrides ACLs defined for parent folders. For example, suppose the following ACLs are defined:

<AccessControl
 role = "*"
 resourceType = "*"
 folder = "/"
 folderView = "true"
 folderCreate = "true"
 fileUpload = "true"
/>
<AccessControl
 role = "*"
 resourceType = "Images"
 folder = "/My Test/Other Folder/"
 fileUpload = "false"
/>

With these settings, the connector should return the following values for FileUpload:

  • Type = Files - / : true
  • Type = Files - /My Test/ : true
  • Type = Files - /My Test/Other Folder/ : true
  • Type = Images - /My Test/ : true
  • Type = Images - /My Test/Other Folder/ : false
  • Type = Images - /My Test/Other Folder/Folder 3/ : false


The “*” wildcard may be used for “role” and “resourceType” to include all.


Roles

By setting the roleSessionVar attribute, the end developer can point the connector to a session variable which contains the name of the role of the session user. This name is then used to calculate the ACL.

ACL Representation

When sending ACL information to CKFinder, the connector sends a “bit mask” represented by an integer value. Each folder contains a computed aggregated ACL bit mask.

The following is the representation of all used bits in the mask:

enum AccessControlRules
{
 FolderView = 1,
 FolderCreate = 2,
 FolderRename = 4,
 FolderDelete = 8,
 FileView = 16,
 FileUpload = 32,
 FileRename = 64,
 FileDelete = 128
}
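
The folder inheritance described under "ACL – Access Control List" and the bit mask above can be checked together with a small model. This is an added example, not CKFinder's connector code: the function names, the dictionary form of the entries, the "*" and "/" defaults for omitted attributes, and the "parents first, deeper folders override" ordering are assumptions based on the description on this page.

```python
from enum import IntFlag

class AccessControlRules(IntFlag):   # bit values from the enum on this page
    FolderView = 1
    FolderCreate = 2
    FolderRename = 4
    FolderDelete = 8
    FileView = 16
    FileUpload = 32
    FileRename = 64
    FileDelete = 128

# Constructed entries mirroring the two <AccessControl /> nodes shown above.
ACL_ENTRIES = [
    {"role": "*", "resourceType": "*", "folder": "/",
     "folderView": True, "folderCreate": True, "fileUpload": True},
    {"role": "*", "resourceType": "Images",
     "folder": "/My Test/Other Folder/", "fileUpload": False},
]

def _segments(folder):
    # Compare whole path segments so "/A/B2/" never matches a rule for "/A/B/".
    return [s for s in folder.split("/") if s]

def compute_mask(entries, role, resource_type, folder):
    """Aggregate ACL mask for one role, resource type and folder (assumed model)."""
    target = _segments(folder)
    matching = []
    for entry in entries:
        scope = _segments(entry.get("folder", "/"))   # assumed default: root
        if (entry.get("role", "*") in ("*", role)
                and entry.get("resourceType", "*") in ("*", resource_type)
                and target[:len(scope)] == scope):
            matching.append((len(scope), entry))
    matching.sort(key=lambda pair: pair[0])   # parents first, deeper folders override
    mask = 0                                  # nothing is granted unless an entry says so
    for _, entry in matching:
        for rule in AccessControlRules:
            attr = rule.name[0].lower() + rule.name[1:]   # FileUpload -> fileUpload
            if attr in entry:
                mask = mask | rule.value if entry[attr] else mask & ~rule.value
    return mask

def allows(mask, rule):
    """True when the given AccessControlRules bit is set in an aggregated mask."""
    return bool(mask & rule)
```

With the two entries above, an Images folder under /My Test/Other Folder/ gets mask 3 (FolderView + FolderCreate), while every other folder in the list gets 35, which also includes FileUpload.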