glFusion Wiki


Permissions Overview

glFusion has a very flexible method of controlling access to content, plugins, and features. Almost every component of glFusion has the following security attributes associated with it:

  • Owner Permissions
  • Group Permissions
  • Logged-In User Permissions
  • Anonymous Permissions

Each permission can be set with the following attributes:

  • Write
  • Read
  • None

There is one exception: the Owner permission is always Read and Write.

For example, if you wanted to have a story that could only be viewed by paid subscribers to your site, you could do the following:

  • Create a new group called ‘paid_subscribers’
  • Add site users to the group
  • Set the group for the story to ‘paid_subscribers’
  • Set the permissions on the story to:
    • Owner – Read / Write
    • Group – Read
    • Logged-In Users – None
    • Anonymous – None

Now, only the owner (the author) and members of the ‘paid_subscribers’ group can see this specific story.

In some cases, glFusion’s security permissions follow a hierarchy. For example, a story belongs to a Topic. Topics have their own security settings. Even if a story has permissions that would allow anyone to see it, it is possible that the Topic’s security permissions would restrict access to the story. glFusion uses the least privilege model, which means when there are multiple levels of permissions, the least permissive setting wins.
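The "least permissive setting wins" rule can be modelled as a minimum taken over every level of the hierarchy. The sketch below is an added example, not glFusion's own code. The numeric levels, the `Acl` and `User` types, the evaluation order inside `access`, and the `staff` group and user names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

NONE, READ, WRITE = 0, 1, 2   # ordered so min() selects the least permissive

@dataclass(frozen=True)
class Acl:
    owner: str
    group: str
    perm_group: int
    perm_members: int    # Logged-In Users
    perm_anon: int       # Anonymous

@dataclass(frozen=True)
class User:
    name: Optional[str]              # None models an anonymous visitor
    groups: frozenset = frozenset()

def access(acl, user):
    """Access granted by one object's own settings.
    Assumed evaluation order: anonymous, owner, group, logged-in."""
    if user.name is None:
        return acl.perm_anon
    if user.name == acl.owner:
        return WRITE                 # Owner is always Read and Write
    if acl.group in user.groups:
        return acl.perm_group
    return acl.perm_members

def effective_access(user, *levels):
    """Least permissive result across every level, e.g. (topic, story)."""
    return min(access(acl, user) for acl in levels)

# Constructed sample data: the paid-subscriber story from the text, plus
# a public story filed under a hypothetical restricted topic.
open_topic   = Acl("admin", "Topic Admin", WRITE, READ, READ)
staff_topic  = Acl("admin", "staff", READ, NONE, NONE)
paid_story   = Acl("alice", "paid_subscribers", READ, NONE, NONE)
public_story = Acl("alice", "Story Admin", WRITE, READ, READ)

bob   = User("bob", frozenset({"paid_subscribers"}))
carol = User("carol")
anon  = User(None)
```

Calling `effective_access(anon, staff_topic, public_story)` returns `NONE` even though the story itself is readable by everyone, which is the case to check when a story seems to be visible to fewer people than its own settings suggest.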

Group Permissions

glFusion has several predefined groups, including:

| Group | Description |
|---|---|
| All Users | You are a member whether you are logged in or not. |
| Logged-In Users | You are a member only after logging in. |
| Non-Logged-In Users | This group contains all anonymous users (users who have not logged into the site). |
| Root | Full Administration Rights - member of all groups. |
| Story Admin | Able to edit/delete stories and approve new story submissions. |
| User Admin | Able to add/edit/delete new users. |
| Group Admin | Able to create/edit group access. |

You can also create new groups to support your access requirements.

Security Groups are hierarchical. By adding this group to any of the groups below, you give it the same rights that those groups have. Where possible, you are encouraged to use the groups below to give rights to a group. If you need this group to have custom rights, you can select the rights to various site features in the section below called 'Rights'. To add this group to any of the ones below, simply check the box next to the group(s) that you want.

Rights Permissions

glFusion has an additional security feature called Rights. Rights are generally associated with an administrative function or a feature of the system. For example, there is a right called story.edit. If this right is assigned to a group, then members of that group could edit stories on your site.

Here is an example of how Rights can be used: If you have a site where you have delegated some responsibility for administration to some of your trusted users, you might create new groups to support the delegation of duties. For example, if you have 3 users who will moderate new story submissions (review and either approve or reject submissions), you could create a group called story_moderators and assign that group the right story.moderate. Any member of the story_moderators group can now moderate stories on your site.

There are several predefined rights:

| Right | Description | Default Group Assignment |
|---|---|---|
| block.delete | Ability to delete a block | Block Admin |
| block.edit | Access to block editor | Block Admin |
| group.delete | Ability to delete groups | Group Admin |
| group.edit | Ability to edit groups | Group Admin |
| plugin.edit | Access to plugin editor | Plugin Admin |
| stats.view | Ability to view the Stats Page | no default group assignment |
| story.edit | Access to story editor | Story Admin |
| story.moderate | Ability to moderate pending stories | Story Admin and Story Moderator |
| story.ping | Ability to send pings, pingbacks, or trackbacks for stories | Story Admin |
| story.submit | May skip the story submission queue | no group assignment |
| syndication.edit | Access to Content Syndication | Syndication Admin |
| topic.edit | Access to topic editor | Topic Admin |
| user.delete | Ability to delete a user | User Admin and Group Admin |
| user.edit | Access to user editor | User Admin and Group Admin |
| user.mail | Ability to send email to members | Mail Admin |
| webservices.atompub | May use Atompub Web services (if restricted) | Web services Users |
| Calendar Plugin | | |
| calendar.edit | Access to event editor | calendar Admin |
| calendar.moderate | Ability to moderate pending events | calendar Admin |
| calendar.submit | May skip the event submission queue | no group assignment |
| FileMgmt Plugin | | |
| filemgmt.edit | filemgmt Admin | filemgmt Admin |
| filemgmt.upload | filemgmt File Upload Rights | filemgmt Admin |
| filemgmt.user | filemgmt Access | All Users and FileMgmt Admin |
| Forum Plugin | | |
| forum.edit | Forum Admin | forum Admin |
| forum.html | Can post using HTML | forum Admin |
| forum.user | Depreciated Forum Viewer | forum Admin |
| Links Plugin | | |
| links.edit | Access to link editor | links Admin |
| links.moderate | Ability to moderate pending links | links Admin |
| links.submit | May skip the link submission queue | no default group assignment |
| Media Gallery Plugin | | |
| mediagallery.admin | MediaGallery Admin | mediagallery Admin |
| mediagallery.config | Media Gallery Config Rights | mediagallery Admin and mediagallery Config |
| mediagallery.view | MediaGallery Viewer | mediagallery Admin |
| Polls Plugin | | |
| polls.edit | Access to poll editor | polls Admin |
| Spam-X Plugin | | |
| spamx.admin | spamx Admin | spamx Admin |
| Staticpages Plugin | | |
| staticpages.delete | Ability to delete static pages | staticpages Admin |
| staticpages.edit | Ability to edit a static page | staticpages Admin |
| staticpages.PHP | Ability to use PHP in static pages | staticpages Admin |
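
Because groups can be added to other groups and inherit their rights, a user's effective rights are not visible from their direct memberships alone. The following added example (an audit sketch, not glFusion code) walks the nesting to show which chain of groups hands a user a given right. The right names come from the table above; the `editors` and `interns` groups, the users, the nesting and the data layout are constructed for illustration.

```python
from collections import deque

# Constructed sample data (not read from a real glFusion database)
GROUP_RIGHTS = {
    "Story Admin": {"story.edit", "story.moderate", "story.ping"},
    "staticpages Admin": {"staticpages.delete", "staticpages.edit",
                          "staticpages.PHP"},
    "story_moderators": {"story.moderate"},
}
# group -> groups it has been added to (it inherits their rights)
GROUP_PARENTS = {
    "editors": {"Story Admin", "staticpages Admin"},
    "interns": {"editors"},
}
USER_GROUPS = {"dana": {"story_moderators"}, "eli": {"interns"}}

def grant_paths(user, right):
    """For each direct membership, the shortest chain of groups that
    reaches a group holding `right`. Cycles in the nesting are tolerated."""
    paths = []
    for start in sorted(USER_GROUPS.get(user, ())):
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            if right in GROUP_RIGHTS.get(path[-1], ()):
                paths.append(path)
                break
            for parent in sorted(GROUP_PARENTS.get(path[-1], ())):
                if parent not in seen:
                    seen.add(parent)
                    queue.append(path + [parent])
    return paths

def holders(right):
    """Users who hold `right` directly or through nested groups."""
    return sorted(u for u in USER_GROUPS if grant_paths(u, right))
```

Here `grant_paths("eli", "staticpages.PHP")` returns the chain `interns`, `editors`, `staticpages Admin`: a user whose only direct membership is a low-privilege group still ends up able to use PHP in static pages.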
glfusion/permissions.txt · Last modified: 2017/03/10 10:12 (external edit)
