Access Control

This website contains links to software which is either no longer maintained or will be supported only until the end of 2019 (CKFinder 2). For the latest documentation about current CKSource projects, including software like CKEditor 4/CKEditor 5, CKFinder 3, Cloud Services, Letters, Accessibility Checker, please visit the new documentation website.

If you look for an information about very old versions of CKEditor, FCKeditor and CKFinder check also the CKEditor forum, which was closed in 2015. If not, please head to StackOverflow for support.

Access Control Lists (ACL) are ways you to give your users different permissions while working on folders and files. The default settings in the config.ascx file give full permissions to all users. In order to change this configuration you must firstly know the basics of the AccessControl settings, which can be found in the config.ascx file. 

This is the syntax for these settings:

AccessControl acl = AccessControl.Add();
acl.Role = "*";
acl.ResourceType = "*";
acl.Folder = "/";

acl.FolderView = true;
acl.FolderCreate = true;
acl.FolderRename = true;
acl.FolderDelete = true;

acl.FileView = true;
acl.FileUpload = true;
acl.FileRename = true;
acl.FileDelete = true;

Basically, a single Access Control setting is defined in an instance of the AccessControl class, created with AccessControl.Add().

The most important (and required) properties of the "AccessControl" objects are: Role, ResourceType and Folder.

Role

The Role property sets the type of user defined by the ACL. If set to asterisk (*) it is treated as "all users". You may set this parameter to other names like "Admin" or "Redator". The name of the user type will be directly connected to the function the user are allowed to use. See RoleSessionVar for more information.

ResourceType

The ResourceType property defines the resource type related to a specific ACL setting. See Resource Types for more information.

If this property is set to asterisk (*) the defined ACL is valid for all resource settings definined in the configuration file.

Folder

You can apply ACL settings to specific folders by using theFolder property. Just set it to the folder path. The settings will be recursivelly applied to all folders inside that path.

Folder and File Options

All other properties are related to the specific features to enabled/disable by the ACL setting. Just set them to true or false according to your needs. True of course enables an option, false disables it.

For example, just add the following if you want to restrict the user to upload, rename or delete files in the "/Company/Logos" folder of the resource type "Images":

acl = AccessControl.Add();
acl.Role = "*";
acl.ResourceType = "Images";
acl.Folder = "/Company/Logos/";

acl.FileUpload = false;
acl.FileRename = false;
acl.FileDelete = false;

Note that we are reusing the "acl" variable defined previously. You may have as many AccessControl.Add() calls as you want.

The above example only refers to file operations in the "/Company/Logos" folder itself and all its child folders. It doesn't restrict operations on the folder so the user can delete or rename the folder.

In order to limit users from modifying the folder (not its contents) you should change the permissions in its parent folder. For example:

acl = AccessControl.Add();
acl.Role = "*";
acl.ResourceType = "Images";
acl.Folder = "/Company/" 

folderCreate = true;
folderRename = false;
folderDelete = false;

Now a user can view and create a folder, but s/he will not be unable to rename or delete it. This is the best way to secure your folders from unauthorized access.

RoleSessionVar

CKFinder uses the server side session to identify the current user role. In order to enable the Access Control settings for different users, you should initialize a session variable when the user logs on your system.

To indicate CKFinder the name of the session variable to use to identify the user role, just use the RoleSessionVar setting. For example:

RoleSessionVar = "CKFinder_UserRole";

In the above example, the "CKFinder_UserRole" session variable value will be used to match the ACL entries defined previously. See Role, above in this page.

For example, in the config.ascx file you may the following three different roles:

The Admin role, which has full permissions:

AccessControl acl = AccessControl.Add();
acl.Role = "Admin";
acl.ResourceType = "*";
acl.Folder = "/";

acl.FolderView = true;
acl.FolderCreate = true;
acl.FolderRename = true;
acl.FolderDelete = true;

acl.FileView = true;
acl.FileUpload = true;
acl.FileRename = true;
acl.FileDelete = true;

The User role, which cannot rename or delete files or folders:

AccessControl acl = AccessControl.Add();
acl.Role = "User";
acl.ResourceType = "*";
acl.Folder = "/";

acl.FolderView = true;
acl.FolderCreate = true;
acl.FolderRename = false;
acl.FolderDelete = false;

acl.FileView = true;
acl.FileUpload = true;
acl.FileRename = false;
acl.FileDelete = false;

The Guest role, which can only view the folders contents:

AccessControl acl = AccessControl.Add();
acl.Role = "Guest";
acl.ResourceType = "*";
acl.Folder = "/";

acl.FolderView = true;
acl.FolderCreate = false;
acl.FolderRename = false;
acl.FolderDelete = false;

acl.FileView = true;
acl.FileUpload = false;
acl.FileRename = false;
acl.FileDelete = false;