If you take a look at the acl page, there are examples how to use them. But
!+ = Anonymous users
should be IMHO changed to
!+ = Anonymous users only
(somewhere near the end of handlers/page/acls.php)

"ACL can be easily set by clicking on the link at the bottom of the page." What link? This isn't clear.

Oh, you have to be logged in. Now I see.

The link is there only when you are logged in *and* have the right to set ACLs. Which you have if you are the page owner or an Admin.

In my experience, when the page was not owned by anyone, even Admin could not see the ACL link. Once I took ownership, I could see the link.

Thats true, thank you for the reminder!

People can register themselves under any name, so how can you see a list of registered users in order to give access to only some of them?

I am not sure if I understand your question the right way, but I'll try an answer :)

- you can use the lastusers action to keep track of newly registered user-names
- you can use the UserRegistration Hack to allow registration only by name
- or you could use the UserAdmin hack to manage your users
- or you could simply tell the people that they have to tell you their username to get access to certain pages

The instructions for "Edit ACL" indicate that you may use one or more usernames, saying "Or enter individual user WikiNames, one per line". In the wikka.config.php, there is a property "default_write_acl". If I want to include 2+ usernames in this property, how do I force "one per line"?

I tried separating the names with a comma, but the value of this property is inserted into the ACL exactly as it appears in the wikka.config.php file.

===================

Ah hah! To answer my own question (for future use): use "\n" (without the quotes) between the names. At the least, this worked on my linux-hosted site.

Who is defined as the "page owner?" Is that the person who edits the page first?

Is there a way to restrict access to defined groups of people, as opposed to registered/not registered?

see http://wikka.jsnx.com/PageOwnership

There are some hacks, see for example: http://wikka.jsnx.com/ACLsWithUserGroups

What I would like to haveis stronger enforcement of acess control, for example, people that don't have read acess shouldn't have the page listed in recent changes, or recent comments, shouldn't get the page returned via a search...

I realize that checking the ACL's in the current system isn't very efficient, and once you have to check ACL's (and worse, group ACL's...) for every page you want to list in a recent* action or feed this could pose quite a strain on the server. So, maybe the ACL storage system should be revised, instead of storing the whole list in a single row, have one row for each line in the ACL. Or something.

CyneBeald, some of your suggestions (masking pages and comments to users with no read-access) are already on our development list.

I'm not sure about the impact on performance if we applied massively the current ACL system. I guess we should first test how it works and then try to optimize performance.

DarTar: thanks for the info, I'm looking forward to changes in that area.

We're running a small wiki (closed acess for about 10-20 people) so performance probably won't really be an issue for some time, but we need to use usergroups (currently ACLsWithUserGroups), and the mechanism currently employed for it is probably not the most efficient (having to first parse the ACL list for each page, and if theres a group in it, do yet another query into the DB, and then again parse the page...).

Is there a way to set the ACL default to the Page Owner only? That way every page a user creates will be private until they or and Admin makes it "public". It will be far easier for my users (who will be creating about 40% public pages and 60% private pages) to remember to go in and make a page public than it will be for them to remember to make it private. Plus the damage done when a page is private by default is less than when a page is public by default.

What I would really like is an option similar to the * for everyone and + for registered users that would denote Page owner. Either that, or a way to set the default ACLs on a per user basis.

ChrisH, the option you are requesting is already supported in Wikka. By setting the default write ACL to !*, every time a page is created, only the Page Owner and the Wiki Admin(s) will be able to edit it. By setting the default read ACL to !* the page can only be seen by the Page Owner and the Wiki Admin(s). So switching a page from private to public is just a matter or modifying the read/write ACL settings from !* to * or +.

DarTar - OK, that makes sense now. It doesn't come across that it works that way on the page above. If I get time tonight, I'll add that to the page above. Thanks.

DarTar - I just ran into a little problem that I think is related to this. I went into my wikka.config file and changed the default ACLs all to !* so that I could keep all the pages private by default. I logged out to check some things, and suddenly found I couldn't read any of the public pages - including the login page. Fortunately I was logged in on another computer as well, so I've been able to recover.

Does the wikka.config set the ACLs of the public pages when it is changed? I can't think of anything else that might have done that - I know that changing it isn't supposed to overwrite other ACLs, but what about public pages?

Locking oneself out is a quite popular habit among Wikka users ;), maybe we should configure the default UserSettings not to use the default ACL, this would avoid at least the need to manually "reopen the door" through a FTP connection.

Keep in mind that "Public" does not refer to ACL but to page ownership. ACL and ownership are totally independent issues. The default ACL settings determine access privileges - as the name says - for any page with no ACL stored. Public pages generated by the installer use the default settings, hence it's normal that they become unaccessible if you change the default read ACL to !*.

When I posted that, I thought it was only the public pages. But it turns out that ALL of my pages got set to !*. So let me get this straight: Changing the global defaults for the ACLs in the wikka.config file will change ALL of the pages ACLs to the new defaults? Because that's what appeared to happen.

If that's the case, then, yes, I think something needs to be done. At a minimum, the UserSettings page should have it's read ACL hardcoded as *. What I'd really like is a way to set the default ACLs on a per user basis - so that some users will always create "public" pages, while others will always create "private" ones, etc.

Doh! - read your reply a little closer this time. Ok, so it didn't change all of my pages, just every one except the 6 or so that I had stored different ACLs with. Which, in my panic and frustration last night I wouldn't have noticed.

So now that I've gone through and set different ACL levels for the public pages, this won't happen again if I change the default settings later on?

For any page, if the ACL are stored in the DB the wiki will be use these instead of the default one specified in the config file.
ACL on a per-user basis are a nice enhancement that we are probably introducing as soon as usergroups are implemented.

ChrisH, I've modified the installer of 1.1.6.1 to set the read ACL for UserSettings to * on a fresh install:

http://wush.net/trac/wikka/changeset/21

DarTar, Thanks. Now that I know what happened, it's not really a big deal. That's why I added the notes above, to help anyone else out. At this point, I don't know if I need to update to 1.1.6.1 (from 1.1.6.0). I've looked around here to see if I could find what the differences are, but it's not catching my eye. Anyway, the changes will certainly help other new users from running into it. I probably wouldn't have been as panicked if it hadn't have already been 1am.

i think it would also make sense to explicitly set the page ownership AND the write ACL of the _user page_ (/MinusF in my case for example) to the newly created user
at the time of _registration_.

i find that users create/edit other users pages (by mistake or deliberately i don't know ;-) and this is not acceptable.

We have a discussion about such things somewhere. If i could only remember where...

two things, is an ACL "" (null string) equal to that of "!*" (nobody). also wouldn't it be a good idea to set the Write ACL of all pages made at install to "!*" this are the pages that normal user shouldn't be able to touch and vandals could make a mess of

Technically, "" is not equal to "!*" .. when the code performs the logic check, the data either matches or it doesn't.
I don't follow your 'default' of nobody ... but then again, that depends on your Wiki and its purpose. My default is "Registered" for Posting and Comments ... (but am also working on trying to 'fix' the Registration process, as it stands, there is no real control over the user base) ... Also note that the database comes into question here, as the only ACL data stored is when the page setting is "other than defailt" ....

for most of the pages created on install (RecentChanges, PageIndex, FormattingRules,etc ) their is no reason for anyone other than the admin to change the pages, there for the default of nobody. The only one you would want to have more open access to is the Sandbox.

Maybe I missed something ...??? Won't argue about those "start-up" pages, but those pages would normally be a very small subset of "the" Wiki ... feeding back into the database mode of only storing an ACL entry if it is "other than default" ... I'm suggesting setting the 'default" for the setting on "most" of the pages, then only having to modify these 'few' pages to restrict access.

brand new to this -- and getting the following error message when trying to change ACL for specific pages:

Query failed: INSERT INTO wikka_acls SET page_tag = 'SandBox', read_acl = '*' (Field 'write_acl' doesn't have a default value)

seems to be an issue with MySQL -- wikki-config that I don't understand yet. Any help would be appreciated --

Do you have a line in your wikka.config.php that sets a default for write_acl?

Mine are set to:

"default_write_acl" => "+",
"default_read_acl" => "*",
"default_comment_acl" => "+",

Yes, I do have the same wikka.config.php settings as you-- however, when I peek at the wikka_acls table, no default values are present ---and worse yet when I attempt to enter the values into the table manually, I get an error message: #1101 - BLOB/TEXT column 'read_acl' can't have a default value
wikka_acls
Field Type Null Default
page_tag varchar(75) Yes
read_acl text Yes
write_acl text Yes
comment_acl text Yes

running MySQL 5.0.15-nt with phpMyAdmin 2.6.4-pl3
That seems to be all the relevant details ...still at the too helpless stage in the learning curve :-)

Strange. I have opened up a ticket: http://wush.net/trac/wikka/ticket/168 where we can discuss further.

mysql> show create table wikka_acls;
CREATE TABLE `wikka_acls` (
`page_tag` varchar(75) NOT NULL default '',
`read_acl` text NOT NULL,
`write_acl` text NOT NULL,
`comment_acl` text NOT NULL,
PRIMARY KEY (`page_tag`)
) TYPE=MyISAM

Does yours match?

Thanks for your responses thus far -- I am using ticket #168 for assistance

DarTar's last edit "to show a better example" did not work for me on Version 1.1.6.2 final and prior .... This last example may work if one of Brian's versions of modified code is in place, but the standard release of this Wikka needed to have the line as I previously posted it: Example:

'default_write_acl' => '!WikiGroupRestrictedUsers'."\n".'+',
which says 'no' to the Restricted Users, 'allowed' to Registered Users

The problem being the way the code read and used the config file data ...