Permissions
As with pages and content, permissions can also be defined for files, though not as fine-grained as for content (= on a per-file/folder level). The permissions in the File Abstraction Layer fall into two main groups:
- system permissions
- and user permissions
System Permissions
System permissions are required by every part of the system to perform operations. They are strictly enforced and prevent an action no matter which component triggered it.
For example, think of a click in the file list versus a processed file that is to be saved. The former could be stopped because the user does not have enough permissions. The latter should always happen if the storage is writable.
Administrators always have full access. The only reason they might not have access is that the underlying file system or storage service does not allow access to a resource.
Todo
How are permissions from the storage device handled?
User Permissions
User permissions for files used to be set in the “Fileoperation permissions” section of the “backend user” or “backend user group” records. This still works with FAL, but it is deprecated because FAL offers more fine-grained permission settings.
Tip
As of TYPO3 6.0 it is recommended to set user default permissions in User TSconfig either in backend user records or backend user group records.
Default User Permissions
The default permissions for backend users and backend user groups are READONLY:
permissions.file.default {
addFile = 0
readFile = 1
writeFile = 0
copyFile = 0
moveFile = 0
renameFile = 0
unzipFile = 0
deleteFile = 0
addFolder = 0
readFolder = 1
writeFolder = 0
copyFolder = 0
moveFolder = 0
renameFolder = 0
deleteFolder = 0
recursivedeleteFolder = 0
}
User Permissions Per Storage
It is also possible to set different permissions for different storages. To achieve this you need to know the uid of the storage record and specify it in User TSconfig along with the permissions.
Example: Permissions = ALL for storage with uid “1”:
permissions.file.storage.1 {
addFile = 1
readFile = 1
writeFile = 1
copyFile = 1
moveFile = 1
renameFile = 1
unzipFile = 1
deleteFile = 1
addFolder = 1
readFolder = 1
writeFolder = 1
copyFolder = 1
moveFolder = 1
renameFolder = 1
deleteFolder = 1
recursivedeleteFolder = 1
}
Note
Configured permissions for a specific storage take precedence over default permissions.
If no permissions are defined in TSconfig, then the settings in the user and in the group record are taken into account and will be treated as default permissions for all storages.
Permissions Details
This permission model behaves very similarly to the permission systems on Unix and Linux. Folders are seen as a collection of files and folders. If you want to change that collection by adding, removing or renaming files or folders, you need to have write permissions for the folder as well. If you only want to change the contents of a file, you need write permissions for the file but not for the containing folder.
- addFile: Create new files, upload files
- readFile: Show contents of files
- writeFile: Edit or Save contents of file, even if NO write permissions to folders are granted
- copyFile: Allow copying of files; needs writeFolder permissions for the target folder
- moveFile: Allow moving files; needs writeFolder permissions for source and target folders
- renameFile: Allow renaming a file; needs writeFolder permissions
- unzipFile: Allow unzipping a file; needs writeFolder permissions on the target folder
- deleteFile: delete a file; needs writeFolder permissions
- addFolder: add or create new folders; needs writeFolder permissions for the parent folder
- readFolder: list contents of folder
- writeFolder: Permission to change contents of folder (add files, rename files, add folders, rename folders). Changing contents of existing files is not governed by this permission!
- copyFolder: Needs writeFolder permissions for the target folder
- moveFolder: Needs writeFolder permissions for both target and source folder (because it is removed from the latter, which changes the folder).
- renameFolder: Needs writeFolder permissions (because it changes the folder itself and also the containing folder’s contents).
- deleteFolder: Remove an (empty) folder; needs write folder permissions
- recursivedeleteFolder: Remove a folder even if it has contents; needs write folder permissions
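The following Python sketch is an added example, not TYPO3 code: it models the storage-over-default precedence and the writeFolder dependencies described above, so a User TSconfig can be reviewed for grants that cannot take effect. Assumptions: a storage block overrides the default block key by key, the READONLY defaults are the base, and the fallback to user and group records is not modelled; all function names and the sample TSconfig are constructed for illustration.

```python
import re

PERMS = ("addFile readFile writeFile copyFile moveFile renameFile unzipFile "
         "deleteFile addFolder readFolder writeFolder copyFolder moveFolder "
         "renameFolder deleteFolder recursivedeleteFolder").split()
# READONLY defaults as listed on the page.
READONLY = {p: p in ("readFile", "readFolder") for p in PERMS}
# Changing a folder's collection needs writeFolder; reading and writeFile do not.
NEEDS_WRITE_FOLDER = set(PERMS) - {"readFile", "readFolder", "writeFile", "writeFolder"}

BLOCK = re.compile(r"permissions\.file\.(default|storage\.(\d+))\s*\{([^}]*)\}")
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*([01])\s*$", re.M)

def parse(tsconfig):
    """Return (default_block, {storage_uid: block}) from User TSconfig text."""
    default, storages = {}, {}
    for m in BLOCK.finditer(tsconfig):
        block = {k: v == "1" for k, v in ASSIGN.findall(m.group(3)) if k in READONLY}
        if m.group(2):
            storages.setdefault(int(m.group(2)), {}).update(block)
        else:
            default.update(block)
    return default, storages

def effective(tsconfig, storage_uid):
    """Storage block wins over the default block (assumed: key by key)."""
    default, storages = parse(tsconfig)
    return {**READONLY, **default, **storages.get(storage_uid, {})}

def ineffective_grants(perms):
    """Granted permissions that cannot take effect without writeFolder."""
    if perms["writeFolder"]:
        return []
    return sorted(p for p in NEEDS_WRITE_FOLDER if perms[p])

# Constructed sample, not from the page.
SAMPLE = """
permissions.file.default {
  writeFile = 1
}
permissions.file.storage.2 {
  writeFile = 0
  addFile = 1
  deleteFile = 1
}
"""

if __name__ == "__main__":
    print({uid: ineffective_grants(effective(SAMPLE, uid)) for uid in (1, 2)})
```

In the sample, storage 1 inherits writeFile from the default block and needs no folder write access for it, while storage 2 grants addFile and deleteFile that stay unusable until writeFolder is also set.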