How OpenCms Permissions work

(Difference between revisions)
Jump to: navigation, search
(adding page on how OpenCms permissions work)
 
(Basic Permissions)
Line 20: Line 20:
 
   
 
   
 
==Basic Permissions==
 
==Basic Permissions==
 +
(This explaination is from the source code)
 
*READ (r) the right to read the contents of a resource  
 
*READ (r) the right to read the contents of a resource  
 
*WRITE (w) the right to write the contents of a resource  
 
*WRITE (w) the right to write the contents of a resource  

Revision as of 00:49, 1 June 2007

How Permissions work

OpenCms Access Control Lists are different from most other Access Control Lists (ACLs). Unlike most ACLs, OpenCms uses a 3 stage active denial ACL. This means there are three states for any given permission level:

  • Allow – yes, you have access
  • No Permission - Nothing checked (no allow, no deny) – this is a default deny, what we would normally think of as deny. A “soft” deny, by virtue of not specifically being allowed.
  • Deny – this is the “hard” deny – it forces itself over all other permissions at all lower levels of the tree, so that even if you go into a subfolder and check “Allow” specifically, Deny will over-rule it.

So what this means is you don’t want a “hard deny” high up in the file tree if you need to over-ride it elsewhere. Instead, you want the “soft deny”, or just no permission.

One thing about OpenCms is that by default, the User group has write permission. In order to change this, you must go up to the site level, (/sites), select your website folder (in this case /sites/yoursite), manually add in the Users group, and set the permission you want. Then you select “Overwrite Inherited” and “Inherit on Subfolders” so that the permissions you chose are the ones inherited throughout the site.

OpenCms also follows the most restrictive rules for a give user. So, even if a person is an Administrator, of they are also a User, and a User has been blocked from publishing, then that person can’t publish, even though they are an Administrator! The solution is that Administrators should not belong to any other groups.

Default Groups

  • Guest – view live content only
  • Webuser – has a login, but can’t get to the workspace. Used for storing member data and personalization
  • Users – can login to the workspace, and view the Offline (editing) project, as well as the online (live) project. Usually they have the permission to read, write, view, and control (properties of the file).
  • Projectmanagers – can do everything the user can, but can also publish files from the Offline project to the Online (live) project
  • Administrators – “god”

Basic Permissions

(This explaination is from the source code)

  • READ (r) the right to read the contents of a resource
  • WRITE (w) the right to write the contents of a resource
  • VIEW (v) the right to see a resource in listings (workplace)
  • CONTROL (c) the right to set permissions of a resource
  • DIRECT_PUBLISH (d) the right direct publish a resource even without publish project permissions
Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox