Permissions

As with pages and content, permissions can also be defined for files, though not as fine-grained as for content (that is, on a per-file/folder level). The permissions in the File Abstraction Layer (FAL) fall into two main groups:

  • system permissions
  • and user permissions

System Permissions

System permissions are required by every part of the system to perform operations. They are strictly enforced and prevent an action no matter which component triggered it.

For example, compare a click in the file list with a processed file that is to be saved. The former could be stopped because the user does not have enough permissions. The latter should always happen if the storage is writable.

Administrators always have full access. The only reason they might not have access is that the underlying file system or storage service does not allow access to a resource.

Todo

How are permissions from the storage device handled?

User Permissions

User permissions for files used to be set in the “Fileoperation permissions” section of the “backend user” or “backend user group” records. This still works with FAL, but it is deprecated because FAL offers more fine-grained permission settings.

Tip

As of TYPO3 6.0 it is recommended to set user default permissions in User TSconfig either in backend user records or backend user group records.

Default User Permissions

The default permissions for backend users and backend user groups are READONLY:

permissions.file.default {
   addFile      = 0
   readFile     = 1
   writeFile    = 0
   copyFile     = 0
   moveFile     = 0
   renameFile   = 0
   unzipFile    = 0
   deleteFile   = 0
   addFolder    = 0
   readFolder   = 1
   writeFolder  = 0
   copyFolder   = 0
   moveFolder   = 0
   renameFolder = 0
   deleteFolder = 0
   recursivedeleteFolder = 0
}

User Permissions Per Storage

It is also possible to set different permissions for different storages. To achieve this, you need to know the uid of the storage record and specify it in User TSconfig along with the permissions.

Example: Permissions = ALL for storage with uid “1”:

permissions.file.storage.1 {
   addFile      = 1
   readFile     = 1
   writeFile    = 1
   copyFile     = 1
   moveFile     = 1
   renameFile   = 1
   unzipFile    = 1
   deleteFile   = 1
   addFolder    = 1
   readFolder   = 1
   writeFolder  = 1
   copyFolder   = 1
   moveFolder   = 1
   renameFolder = 1
   deleteFolder = 1
   recursivedeleteFolder = 1
}

Note

Configured permissions for a specific storage take precedence over default permissions.

If no permissions are defined in TSconfig, then the settings in the user and in the group record are taken into account and will be treated as default permissions for all storages.

Permissions Details

This permission model behaves very similarly to the permission systems on Unix and Linux. Folders are seen as a collection of files and folders. If you want to change that collection by adding, removing or renaming files or folders, you need write permissions for the folder as well. If you only want to change the contents of a file, you need write permissions for the file but not for the containing folder.

addFile
Create new files, upload files
readFile
Show contents of files
writeFile
Edit or save the contents of a file, even if NO write permissions to folders are granted
copyFile
Allow copying of files; needs writeFolder permissions for the target folder
moveFile
Allow moving files; needs writeFolder permissions for source and target folders
renameFile
Allow renaming a file; needs writeFolder permissions
unzipFile
Allow unzipping a file; needs writeFolder permissions on the target folder
deleteFile
Delete a file; needs writeFolder permissions
addFolder
Add or create new folders; needs writeFolder permissions for the parent folder
readFolder
List contents of folder
writeFolder
Permission to change contents of folder (add files, rename files, add folders, rename folders). Changing contents of existing files is not governed by this permission!
copyFolder
Needs writeFolder permissions for the target folder
moveFolder
Needs writeFolder permissions for both target and source folder (because it is removed from the latter, which changes the folder).
renameFolder
Needs writeFolder permissions (because it changes the folder itself and also the containing folder’s contents).
deleteFolder
Remove an (empty) folder; needs writeFolder permissions
recursivedeleteFolder
Remove a folder even if it has contents; needs writeFolder permissions
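
The following audit script is an added example, not part of TYPO3 or of the original page. It combines the precedence note (storage settings over defaults) with the writeFolder dependencies listed above to show which grants in a User TSconfig snippet actually take effect for a given storage. The function names and the sample TSconfig are constructed; it assumes storage values override defaults key by key, that no "Fileoperation permissions" are set in the user or group records, and that all folders involved are in the same storage.

```python
import re

ALL_PERMISSIONS = (
    "addFile readFile writeFile copyFile moveFile renameFile unzipFile deleteFile "
    "addFolder readFolder writeFolder copyFolder moveFolder renameFolder "
    "deleteFolder recursivedeleteFolder").split()
# Per the list above, only these four take effect without writeFolder.
NO_WRITE_FOLDER_NEEDED = {"readFile", "writeFile", "readFolder", "writeFolder"}
# Constructed sample User TSconfig, not from a real installation.
SAMPLE = """
permissions.file.default {
   deleteFile = 1
}
permissions.file.storage.1 {
   addFile     = 1
   writeFolder = 1
   deleteFile  = 0
}
"""

def parse_blocks(tsconfig):
    """Return {'default': {...}, '<uid>': {...}} from permissions.file blocks."""
    blocks, current = {}, None
    for line in map(str.strip, tsconfig.splitlines()):
        header = re.match(r"permissions\.file\.(default|storage\.(\d+))\s*\{$", line)
        if header:
            current = blocks.setdefault(header.group(2) or "default", {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value == "1"
    return blocks

def effective(blocks, storage_uid):
    """READONLY base (the documented default), default block, then storage block."""
    perms = {name: name in ("readFile", "readFolder") for name in ALL_PERMISSIONS}
    perms.update(blocks.get("default", {}))
    perms.update(blocks.get(str(storage_uid), {}))  # assumption: key-by-key override
    return perms

def audit(perms):
    """Split granted permissions into usable ones and ones inert without writeFolder."""
    granted = {name for name, on in perms.items() if on}
    usable = {n for n in granted if n in NO_WRITE_FOLDER_NEEDED or perms["writeFolder"]}
    return usable, granted - usable

for uid in (1, 2):  # storage 2 has no block of its own, so only defaults apply
    print(uid, *map(sorted, audit(effective(parse_blocks(SAMPLE), uid))))
```

For storage 2 the script reports deleteFile as granted but inert, which is the kind of misleading entry worth removing when reviewing a group's TSconfig for least privilege.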