I would suggest, rather than "This action requires at least such and such access level" to be more like group membership on an OS - arbitrary rights can be given to a group, and enjoyed by all members of that group. Slightly more flexible than a linear scale of increasing access. Of course, I'm a SysAdmin, so I tend to see everything filtered through UNIX and NT permission systems. (Though I think those systems apply quite well here. Just don't imitate the bugs in NT. Please! -- ErikDeBill
NT allows an arbitrary number of users and groups per file. There is no concept of a default group - NTFS by default inherits file permissions from the parent directory (thus making a shared /tmp directory rather impractical). Thus, it's practical to have files which are readable by "Domain Users", allow full control to "Domain Admins", and change control to user "customername" (an ftp account).
This gives a wonderful capacity for complexity - there are many security related aspects to almost every file on the system, so getting a system properly locked down, but not unuseable can be a daunting task. (MS doesn't help, when they allow .dll files to be run as programs, mix normal user programs and administrative tools in the same directory - e.g. "net" and "notepad" in the same dir, and generally ignore the possibility that more than one person may use the system). On the other hand, a Wiki has relatively fewer things to control and should not experience as many problems. A Umask like concept (set for everyone on the wiki) would ensure proper permissions on most things, and let the GodKing/BenevolentDictator tighten individual pages as needed ("new users", and "users" can't directly edit RecentChanges, but "trusted users" can?).
I was just worried you'd start doing something like the old BulletinBoardSystems? or SlashCode do:
if ($user{'level'} >= $action{'level'}) { doAction(); }
This makes the implicit assumption that all actions are hierarchical - someone trusted to do foo is also trusted to do bar. There is no way to allow someone to do bar without letting them do foo. You don't seem to be suggesting that. I think it was the "levels" part that had me thinking this... perhaps AccessClasses? might have been less confusing to me.
Time limits on permissions is something I've wished for in several operating systems. Go for it. It's incredibly convenient to be able to grant special privileges during an emergency and have them automatically go away some time later. I wish that was standard on both NT and UNIX (instead of needing special scripts...) -- ErikDeBill
It isn't surprising that operating security is adaptable to community security, especially multi-user systems, as they are inheritantly social systems. There is a finite resource that needs to be allocated to many competing people. Sounds like a good reason to have a people-oriented security system (as opposed to animal-oriented or natural-disaster-oriented). See also the IncompatibleTimesharingSystem to a big influence for my SoftSecurity campaign. -- SunirShah
I was just worried you'd start doing something [hierarchical] like:
if ($user{'level'} >= $action{'level'}) { doAction(); }
My intent is for the code to contain calls like:
if (&AllowUser('action')) { doAction(); }
...with all decision making contained in the AllowUser? routine. For the first release, only a few "admin" actions like "BlockIp?" or "DeletePageNow?" will be checked, and AllowUser? might just check to see if the current user is listed in a special "admin" file. This would allow owners and delegated admins to maintain the site remotely.
Later the list of actions and required levels should be stored in a plain text file as a set of number/action pairs. A conservative default file will probably ship with the wiki, but it should be easy to edit for local needs. (I'll probably even allow comments starting with # in the file to make it mostly self-documenting.) If a user has a (current) exception for an action, the required level will be compared against that exception. Otherwise the user's generic level will be compared.
Of course, those with a MetaBaby inclination could make AllowUser? always return 1. It could be interesting until people start using "BlockIpRange?" too freely... --CliffordAdams
Login should be optional, but unless you do login all the files you make on the centralized storage are owned by "Public Domain" and can be used by anyone. When you login then the files you make are owned by you, however, files you don't access (read or write) for 100 days will become owned by "Public Domain" automatically.
The use of encryption (GnuPG? style) is encouraged and deeply integrated in to the system: all applications should be able to recognize encrypted data and ask for a key. There is no delete option, but files which are not used for n years are automatically "forgotten" (aka deleted), and you can always remove the content of files.
(Sidenote: I would not use a hierarchical structure (a folder that contains multiple files/folders) but I would use a categorical structure: each file can belong to multiply categories (default every file gets a "Owned by $USER" category).
Now I would make one more very big change to the filesystem: No more file locking. When you read a file you will have to give use (get url time), so that you get a copy of the file as it was at that moment. At write you replace the file that was there (there is no merge in the filesystem: this is for the application to take care of). Move, delete and rollback preserve history of the whole storage to a degree (when you're running out of space the least used and oldest history will be lost/recycled. -- Gideon FormerContributor?
for example mean that any user that has admin-status assigned, any user from group ABC (HL and EDB) and TESTER (defined elsewhere) and the individuals HW and SS may edit the page branch. Currently only a few actions (like read and edit) are protected that way, but in principle this is extendable to any action (e. g. upload, spell checking, ...). Of course such group and status commands would not be side by side typically.
There is a syntax to give action permissions to single pages:
and to pages based on wiki words (parts of their name):
so that any page ThisTopic...Article... is automatically protected. The precedence is: page permissions > word permissions > general permissions.
"Context" pages are only admin editable and have an archive setting that stores any single change as a separate page revision.
It's just a start but we are testing and refining step by step and it seems a pragmatic and flexible approach.
Compared to Unix it means that rwx roughly corresponds to (read, write, administrate) but is extendable to any number of action types. A permission may be owned by any number of groups and individual users (instead of one of each). There is no concept of a user default group. There is an additional concept of "permission by page name component = word". -- HelmutLeitner
Yes, for example a RealName/WorkSpace?/Context containing:
This would give you complete control to configure and reconfigure this branch. Of course this you also be centrally controlled in a page Context:
MoinMoin uses access control lists to restrict access to pages. Possible access rights are read, write, admin (change acls), delete, revert. ACLs are part of the processing instructions at the top of the page that are not displayed in HTML. Access rights can be granted to individual users or to groups. Groups are stored as bullet lists in wiki pages (*Group). Groups can be member of other groups. ACLs are processed from left to right. The permissions of the first matching user name/group takes effect - later entries are ignored!
There is a acl_default and a acl_before config variable. Right now ACLs are not inherited to sub pages but each page has its own ACL.
For details see MoinMoin:HelpOnAccessControlLists