
MoniWikiACL

/!\ since MoniWiki 1.1.2

One of MoniWiki's SecurityPlugins.

1. Setup

Adding the following to config.php enables the ACL SecurityPlugin:
$security_class="acl";
$acl_type="default";

2. Predefined groups (@group)

  • @ALL: every user (priority: 1)
  • @User: registered (logged-in) users (priority: 2)

3. User-defined groups (@group) and group priority

##@groupname userlist [priority]
@Guest  Anonymous                   # priority defaults to 2 when none is given
@Kiwirian foobar,kiwi,hello123   20 # the @Kiwirian group gets priority 20
/!\ Here the Anonymous user is assigned to @Guest; @Guest is not a predefined group.

<!> MoniWiki 1.1.5 and later also accept network/IP addresses as group members.
# Partial IPs, CIDR ranges and netmask notation are all supported.
@Block 123.123.0.0/255.255.0.0, 123.12, 123.125.0/16

The example above defines a @Block group whose members are given as an IP range in netmask form, a partial IP and a CIDR block.

A rule such as the following then puts the group into effect:
*       @Block            deny    * // on every page (*), deny all actions (*) to the @Block user group

/!\ IPs, CIDR ranges and partial IPs can only be used in group definitions; they cannot appear directly as the subject of a rule.

4. ACL types

  • allow: permit the action
  • deny: forbid the action
  • protect: for the POST actions that can be gated by the admin password (not every action can be restricted with the admin password)
    • Only POST actions that can be gated by the admin password are protect-capable. protect is an allow that is conditional on the admin password, and it applies to POST actions only. For example, do_post_savepage() is a POST action, whereas an action such as do_goto() cannot be restricted with the admin password.

In a rule, * stands for every action, and the page name may be a regular expression.
# pagename @group-or-user allow/deny actionlist
FoobarPage @ALL allow *
FoobarPage babo deny edit,diff,info
HelpOn.*   @ALL deny edit,savepage

4.1. A simple example

@Guest  Anonymous  // define the @Guest user group
*       @ALL            deny    * // on every page (*), deny every action (*) to every user (@ALL)
*       @ALL            allow   ticket // on every page, allow the ticket action to every user
*       @ALL            allow   read,userform,rss_rc,aclinfo,fortune,deletepage,fixmoin,ticket // an allow list may be split over several lines
*       @User           allow   *
// on every page (*), allow everything (*) to registered users (@User)
WikiSandBox     @Guest  allow   edit,info,diff
// on the WikiSandBox page, allow the edit, info and diff actions to the @Guest group
WikiSandBox     Foobar deny edit
// the user Foobar cannot edit WikiSandBox

4.2. A complete example

/!\ The parts starting with // are explanatory comments.
# acl.default.php
# <?php exit()?> // the file has a .php extension but its contents are plain text, not PHP; the exit() on this first line makes a direct web request for the file return nothing, so the ACL itself is not disclosed
# Please don't modify the lines above
#
# A sample Access Control Lists file for Moniwiki
#
@Guest  Anonymous  // define the @Guest user group
*       @ALL            deny    *
// on every page (*), deny every action (*) to every user (@ALL)
*       @ALL            allow   ticket
// on every page (*), allow the ticket action to every user (@ALL); ticket is the captcha shown before sign-up to block bot registrations
*       @User           allow   *
// on every page (*), allow everything (*) to registered users (@User)
# some pages are allowed to edit
WikiSandBox     @Guest  allow   edit,info,diff
// on the WikiSandBox page, allow the edit, info and diff actions to the @Guest group
# some POST actions support protected mode using admin password
*       @ALL            protect deletefile,deletepage,rename,rcspurge,rcs,chmod,backup,restore
// on every page (*), for every user (@ALL), the protect-capable actions deletefile, deletepage, etc. are protected (require the admin password)
# some actions allowed to @ALL
*       @ALL            allow   read,userform,rss_rc,aclinfo,fortune,deletepage,fixmoin,ticket
# some pages have restrict permission
MoniWiki        @ALL    deny    edit,uploadfile,diff
// on the MoniWiki page, deny the edit, uploadfile and diff actions to every user (@ALL)

5. How ACLs are resolved

5.1. The last ACL entry applies

When an action is named explicitly, the last ACL entry for it applies.
  • allow read + deny read = deny read
  • deny read + allow read = allow read

The same holds for wildcard entries: the last one applies.
  • allow * + deny * = deny *: every action denied
  • deny * + allow * = allow *: every action allowed

5.2. Explicit entries take precedence

An explicitly named action takes precedence over a wildcard entry, regardless of their order.
  • deny * + allow edit,info = only edit and info are possible: only the explicitly listed actions are allowed
  • allow * + deny info,diff = every action except info/diff is allowed: only the explicitly listed actions are denied
  • deny info,diff + allow * = same as above; only the explicitly listed info and diff are denied

/!\ deny * + allow read behaves like Apache's Order allow,deny: the explicit allow is examined first, so only the read action is permitted and every other action is denied.

deny edit + allow * is the reverse, corresponding to Order deny,allow.

5.3. Example

Make every page read-only, but deny even reading ProtectedPage:
* @ALL deny *
* @ALL allow read
ProtectedPage @ALL deny read
ProtectedPage gets deny * + allow read + deny read = deny *.

/!\ Note: in every case, an explicitly listed action takes effect.

* @ALL deny *
* @ALL allow read
ProtectedPage @ALL deny *
Here ProtectedPage gets deny * + allow read + deny *: the explicitly allowed read stays allowed.
The last line, ProtectedPage @ALL deny *, is in effect ignored.

6. How ACLs are resolved when priorities differ

The explanation so far assumed groups of equal priority. How are rules applied when the group priorities differ?

6.1. Example 1

@ALL deny *
@User allow *
Here @User has the higher priority, so allow * applies.

6.2. Example 2

@ALL deny *
@User allow read

read is allowed through @User. Everything else is denied by @ALL deny *.

6.3. Example 3

*       @ALL            deny    *
*       @ALL            allow   read,ticket,info,diff,titleindex,bookmark,pagelist
ProtectedPage @ALL      deny    read,ticket,info,diff,titleindex,bookmark,pagelist
  • All users (@ALL) are denied every action except the ones allowed.
  • On ProtectedPage everything is disallowed (edit, savepage and the other unlisted actions were already denied by deny *).
    • In this case every explicitly allowed action has to be explicitly denied again. Writing just deny * is not enough.

*       @ALL            deny    *
*       @ALL            allow   show,ticket,titleindex,bookmark,pagelist
*       @User           allow   edit,savepage
ProtectedPage @User     deny    * # this line alone does not do what is intended.
# the following must be stated explicitly for it to work as intended.
ProtectedPage @User     deny    edit,savepage
  • Registered users (@User) are allowed edit and savepage.
  • On ProtectedPage everything is disallowed.
    • For registered users this gives @User deny * + @User allow edit,savepage, so edit and savepage would still be allowed.
    • Because allow edit,savepage was stated explicitly, it has to be revoked explicitly for the rule to work as intended. Hence ProtectedPage @User deny edit,savepage must be added as well.

6.4. Exercise

1) Entries whose group priority is equal are merged; 2) entries of the group with the higher priority take precedence.
####### the @ALL group has priority 1.
@Guest     Anonymous             # every group other than @ALL has priority 2 unless a value is given.
@Group1    peter,john      20    # priority = 20
@Group2    simon,soo             # default group priority = 2
* @ALL     allow *               # group priority = 1
* @ALL     deny  backup,restore
* @Guest   deny  *               # group priority = 2
* @Group1  deny  *               # user-defined @Group1 group
* @Group1  allow read,info,diff
* @Group2  deny  info,diff
  • peter and john: allow read,info,diff + deny * = only read, info and diff are allowed
  • Anonymous (@Guest): deny *: everything denied (@Guest has the higher priority, so whatever @ALL allowed is ignored)
  • every other user (@ALL): deny backup,restore + allow * (Order deny,allow)
  • @Group1: allow read,info,diff + deny * (Order allow,deny)
  • @Group2: deny info,diff, and for everything else @ALL's deny backup,restore + allow *: the result is the combination of both

/!\ All ACL entries of the same priority are merged together before being applied.

Setting $acl_debug=1 in config.php shows how the ACL was applied for each request.
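The resolution rules of sections 5 and 6 (last entry wins, an explicit action beats a wildcard, the group with the higher priority decides first) and the IP-based groups of section 3, worked through in Python. This is an added example written for this page, not MoniWiki's own ACL code: parse_acl, check and the two sample ACL texts are mine, the sample texts are constructed (the 6.4 exercise plus an @Block group and a protect rule, and the 6.3 case), and three details the page does not state are assumptions, marked as such in the code: a rule naming a single user is merged at the default priority 2, a page regex must match the whole page name, and a request that no entry matches is denied.

```python
"""Added example (not MoniWiki's own code): resolves a request against ACL text using
the rules this page describes.  Assumed, not stated on the page: a rule naming a
single user is merged at priority 2, page regexes must match the whole page name,
'#' and '//' both start comments, and a request nothing matches is denied."""
import ipaddress
import re
from collections import defaultdict

ANON = "Anonymous"                      # the anonymous user, as on this page
PREDEFINED = {"@ALL": 1, "@User": 2}    # priorities from section 2
DEFAULT_PRIORITY = 2
IP_SPEC = re.compile(r"^\d+(\.\d+)*(/[\d.]+)?$")   # 123.12  1.2.3.0/24  a.b.c.d/m.m.m.m

def parse_acl(text):
    """Return (groups, rules): '@Name' -> (members, priority), and rules in file order."""
    groups, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split("//", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@"):                           # @group members [priority]
            name, rest = line.split(None, 1)
            members, prio = rest, DEFAULT_PRIORITY
            tail = rest.rsplit(None, 1)
            if len(tail) == 2 and tail[1].isdigit():
                members, prio = tail[0], int(tail[1])
            groups[name] = ([m.strip() for m in members.split(",") if m.strip()], prio)
        else:                                              # page subject decision actions
            page, subject, decision, actions = line.split()
            page_re = re.compile(".*" if page == "*" else page)
            rules.append((page_re, subject, decision, set(actions.split(","))))
    return groups, rules

def _ip_matches(ip, spec):
    """CIDR or netmask form via ipaddress; a bare partial address is a dotted prefix."""
    if "/" in spec:
        addr, mask = spec.split("/", 1)
        addr += ".0" * (3 - addr.count("."))               # "123.125.0/16" -> "123.125.0.0/16"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ip == spec or ip.startswith(spec + ".")

def subject_priority(subject, user, ip, groups):
    """Priority at which `subject` applies to this request, or None if it does not."""
    if subject == "@ALL":
        return PREDEFINED["@ALL"]
    if subject == "@User":
        return PREDEFINED["@User"] if user != ANON else None
    if subject.startswith("@"):                            # user-defined group (section 3)
        members, prio = groups.get(subject, ([], None))
        for m in members:
            if IP_SPEC.match(m):
                if ip and _ip_matches(ip, m):
                    return prio
            elif m == user:
                return prio
        return None
    return DEFAULT_PRIORITY if subject == user else None   # assumption: single-user rule

def check(acl, page, user, action, ip=None):
    """Return 'allow', 'deny' or 'protect' for one request."""
    groups, rules = acl
    levels = defaultdict(list)                             # priority -> entries, file order
    for page_re, subject, decision, actions in rules:
        if page_re.fullmatch(page):
            prio = subject_priority(subject, user, ip, groups)
            if prio is not None:
                levels[prio].append((decision, actions))
    for prio in sorted(levels, reverse=True):              # higher priority decides first (6)
        explicit = wildcard = None
        for decision, actions in levels[prio]:             # same priority: last entry wins (5.1)
            if action in actions:
                explicit = decision
            elif "*" in actions:
                wildcard = decision
        if explicit or wildcard:
            return explicit or wildcard                    # explicit beats wildcard (5.2)
    return "deny"                                          # assumption: nothing matched

# Constructed sample: the exercise from 6.4 plus an IP-based group and a protect rule.
EXERCISE_ACL = """\
@Guest     Anonymous
@Group1    peter,john      20    # priority = 20
@Group2    simon,soo             # default priority 2
@Block     123.123.0.0/255.255.0.0, 123.12, 123.125.0/16
* @ALL     allow *
* @ALL     deny  backup,restore
* @Guest   deny  *
* @Group1  deny  *
* @Group1  allow read,info,diff
* @Group2  deny  info,diff
* @Block   deny  *
ProtectedPage @ALL protect rename
"""

# Constructed sample: the "does not work as intended" case from 6.3.
PROTECTED_ACL = """\
*             @ALL   deny  *
*             @ALL   allow show,ticket,titleindex,bookmark,pagelist
*             @User  allow edit,savepage
ProtectedPage @User  deny  *
"""
```

check(parse_acl(EXERCISE_ACL), "FrontPage", "simon", "read", ip="123.12.5.5") is denied because the @Block group (priority 2) is consulted before @ALL (priority 1); the same request without the ip falls through to @ALL's allow *. With PROTECTED_ACL a registered user can still edit ProtectedPage, and appending the line ProtectedPage @User deny edit,savepage is what turns that into a deny, which is the explicit revocation section 6.3 calls for.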


See also: MoniWiki:MoniWikiACL (TwinPages), SecurityPlugin
last modified 2021-02-07 05:23:47