QED:Category-Based Access Restrictions

From QED

Jump to: navigation, search

In addition to the other mechanisms for restricting access, QED has a category-based system which allows access restrictions to be placed on individual pages by declaring them to be in Category:Protected and/or Category:Restricted. This allows access to selected pages within a folder to be governed by folder-specific ACLs (access control lists).

Key features of the category-based system are that:

  • the restrictions are in addition to all other restrictions;
  • the additional read-restrictions are managed independently of the additional write-restrictions;
  • the additional restrictions are defined and managed on a folder-by-folder basis, and only apply to selected pages within a folder.

If an image or file in the Image: namespace is placed in the Protected or Restricted category, special rules as shown in the table below are applied.

In other namespaces:

  • the additional read-restrictions for an entire folder can be lifted or re-imposed by modifying the protected status of a single file, and similarly for write-restrictions;
  • the list of users with read permissions for a particular folder can be readily viewed and edited, and similarly for the list of users with write-permissions.

The table summarizes the significance of the two categories. The trailing ":" in the page names is significant. Further details are provided below.

Summary of Category-Based Access Restrictions
Category:Protected
(write-access) 		Category:Restricted
(read-access)
Image: namespace no overwriting logged-in users only, but thumbnails are public
Files in top-level folder Xyzzy only users listed in Xyzzy/Protected:
(if that file is protected) 		only users listed in Xyzzy/Protected: (if protected)
or Xyzzy/Restricted: (if protected)


Contents

The Protected and Restricted Categories

The category-based restriction system is based on two categories:

These category-based restrictions, however, do not apply to administrators; also, except in the Image: namespace, they only apply if the corresponding restriction page has been "protected" as explained below.

The Image: namespace

So long as an image or other file in the Image: namespace is in the Restricted category, it cannot be directly viewed by anonymous users, but anonymous users will be able to view the thumbnail of images in this category.

So long as an image or other file in the Image: namespace has been placed in the Protected category, it cannot be overwritten using the Upload file feature. A user would first have to reclassify it before being able to overwrite it. To prevent an existing file from being overwritten, the image description page itself must be protected from editing.

Other Namespaces

Except in the Image: namespace, the restriction system is based on a classification of pages within a namespace into top-level folders. Every page is regarded as being in a top-level folder in its namespace as follows:

  • a page named Xyzzy is in the "/" folder (also known as the root folder);
  • a page with a name that begins with "Xyzzy/" is in the "Xyzzy" folder.

Here "Xyzzy" represents a sequence of characters that has no "/" character in it.

The Protected: and Restricted: Pages

Given a page in the Xyzzy folder in a certain namespace, the corresponding restriction pages are pages in the same namespace with titles of the form Xyzzy/Restricted: or Xyzzy/Protected: The trailing ":" is to avoid name conflicts.

The restriction pages hold lists of userids of privileged users. The list is simply a sequence of userids, separated from each other by white-space and/or commas.

Example

The ABC project uses the convention that most pages are in the ABC/ folder in the main namespace because one of the project goals is eventually to publicize the project findings. However, while the project is in its early stages, the pages are to be accessible by only a small set of users, who are all to be given the same read/write privileges.

In this case, it is sufficient to take the following steps:

  1. Enter the list of privileged users on the page named "ABC/Protected:".
  2. Protect the page named "ABC/Protected:".
  3. All pages in the ABC/ folder that are to be restricted must also include the following two lines: 
 [[Category:Protected]] 
 [[Category:Restricted]]

As the project matures, the read-restrictions of specific pages can be lifted (while retaining the write-restrictions) by removing the second line: [[Category:Restricted]].

Summary

The access rules for a page in Category:Restricted and/or Category:Protected are as follows:

  • if the page is in the Image: namespace:
    • Restricted means read-access is restricted to logged-in users so long as the page remains in that category;
    • Protected means that overwriting is restricted to administrators so long as the page remains in that category;
  • if the page is any any other namespace:
    • if the corresponding restriction page exists and is protected and has at least one userid in it:
      • for pages in any top-level folder, say Xyzzy, then:
        1. if a page is in Category:Restricted, read-access is restricted to users listed in the Xyzzy/Restricted: or Xyzzy/Protected: page in the same namespace;
        2. if a page is in Category:Protected, write-access is restricted to users listed in the Xyzzy/Protected: page in the same namespace.

The userids appearing in the lists of privileged users must be capitalized, just as they appear on the top line of the QED screens.


See also

Retrieved from "http://qed.princeton.edu/main/QED:Category-Based_Access_Restrictions"
Personal tools