ACL  
ACL support information
Updated Oct 9, 2011 by evert...@gmail.com

ACL

Introduction

Since version 1.4 SabreDAV comes with some support for ACL (RFC 3744). At the moment nodes (files, directories) can define their own ACL, and SabreDAV will automatically enforce it.

What ACL is not:

  • This will not magically work in WebDAV clients. In fact, none of the standard WebDAV clients I've tested have support for this. So even though ACL is enforced on the server, clients might not properly display ACL information, let alone change it.
  • This will not allow you to lock down your filesystem. ACL support purely exists as a developer API if you create your own node classes.
  • The full specification is not yet supported. This includes changing ACL.

Full ACL support will happen in future versions. There's a very solid basis, so we'll try to implement bits and pieces of the specification with subsequent releases. The main reason ACL was implemented was so we can fully support CalDAVProxy.

Client support

So far none of the clients we've tested uses ACL. Only iCal's CalDAV client uses bits and pieces of the specification.

Setting up

To add ACL support, add the ACL plugin to your server:

$aclPlugin = new Sabre_DAVACL_Plugin();
$server->addPlugin($aclPlugin);

To add ACL support to your nodes, you must implement the Sabre_DAVACL_IACL interface for each of them. This allows nodes to tell the server which permissions are currently set on the node.
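
A minimal node that implements the interface, as an added example that is not part of the SabreDAV documentation or code base. The class name My_ACL_File and the principal paths are hypothetical; the method names and the ACL array layout are assumed to match Sabre_DAVACL_IACL as shipped in the SabreDAV 1.5 line, so check them against the version you run.

```php
<?php
// Added example: a file node that publishes its own ACL to Sabre_DAVACL_Plugin.
// My_ACL_File and the principal paths used with it are hypothetical names.
class My_ACL_File extends Sabre_DAV_File implements Sabre_DAVACL_IACL {

    private $name;
    private $data;
    private $owner;

    function __construct($name, $data, $owner) {
        $this->name  = $name;
        $this->data  = $data;
        $this->owner = $owner;   // a principal path, e.g. 'principals/alice'
    }

    function getName() { return $this->name; }
    function get()     { return $this->data; }
    function getSize() { return strlen($this->data); }

    // Principal that owns this node
    function getOwner() { return $this->owner; }

    // This node has no group principal
    function getGroup() { return null; }

    // One entry per granted privilege. Principals that are not listed
    // receive no privileges from this node's ACL.
    function getACL() {
        return array(
            array(
                'privilege' => '{DAV:}read',
                'principal' => $this->owner,
                'protected' => true,
            ),
            array(
                'privilege' => '{DAV:}read',
                'principal' => 'principals/auditors', // constructed sample principal
                'protected' => true,
            ),
        );
    }

    // Changing ACLs is not supported yet, so refuse it explicitly
    function setACL(array $acl) {
        throw new Sabre_DAV_Exception_MethodNotAllowed('This ACL is read-only');
    }
}
```

Neither entry grants {DAV:}write, so with the ACL plugin loaded this node is read-only for the owner and the second principal and inaccessible to everyone else.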

Principals

'Principals' are users or groups in WebDAV terminology. Privileges (permissions) are assigned to principals.

A principal must exist in the directory tree. The easiest way to do this is to add a top-level 'principals' collection to your tree.

// Assuming we have a database connection in $pdo
$principalBackend = new Sabre_DAVACL_PrincipalBackend_PDO($pdo);

// Array elements are separated by commas
$tree = array(
	new Sabre_DAVACL_PrincipalCollection($principalBackend),
	new My_Own_Collection_Class(),
);

$server = new Sabre_DAV_Server($tree);

$aclPlugin = new Sabre_DAVACL_Plugin();
$server->addPlugin($aclPlugin);

$server->exec();

Advanced settings

The ACL plugin has a couple of public properties that alter its behaviour.

By default the ACL plugin will grant access to any node that does not implement Sabre_DAVACL_IACL. If you want to lock down access to any node that does not have an explicit ACL defined, you can do this like so:

$aclPlugin = new Sabre_DAVACL_Plugin();
$aclPlugin->allowAccessToNodesWithoutACL = false;

By default inaccessible nodes will show up in directory listings, but any attempts to read data or properties from them will result in a permission denied error. Sometimes it's desirable to hide nodes from directory listings altogether. You can do this like so:

$aclPlugin = new Sabre_DAVACL_Plugin();
$aclPlugin->hideNodesFromListings = true; 

By default the ACL plugin will try to find the Authentication plugin to determine who's currently logged in. After that it will prepend 'principals/' to the username to determine the correct principal path. If your users are in, for example, principals/users, you can change this as follows:

$aclPlugin = new Sabre_DAVACL_Plugin();
$aclPlugin->defaultUsernamePath = 'principals/users'; 

Note that this path must not begin or end with a slash.

