Depois de configurar os Recursos, a configuração das permissões é a parte mais importante da administração do Tiki. Esta página descreve os conceitos básicos do sistema de permissões do Tiki e como elas interagem. Uma lista completa de permissões pode ser encontrada na página Lista de Permissões.
Como as Permissões funcionam
Alguns fatos básicos que você precisa saber para compreender o sistema de permissões do Tiki.
Cada grupo pode ter total acesso personalizado a todos os recursos do site.
Usuários podem ser colocados em um ou vários grupos.
Grupos podem ter sub-grupos.
Permissões são dadas aos Grupos, NÃO usuários.
Administradores podem criar e editar uma Categoria.
Objetos (Após versão 1.9) podem ser adicionados às categorias.
uma categoria pode, então, ser atribuída a um grupo.
as permissões base de uma categoria, quando usada (avançado), dá aos membros do grupo as permissões atribuídas a eles.
Objetos individuais podem ter permissões atribuídas a eles diretamente.
Se nenhuma permissão for atribuída a um Grupo , a um objeto ou ao conteúdo de uma categoria, então as permissões globais são aplicadas.
Quando o Tiki é instalado, há pelo ao menos dois grupos pré-definidos:
Anônimos (Anonymous): Usuários que não estão logado (fora) do sistema pertencem automaticamente ao grupo Anônimos.
Registrados (Registered): Usuários que logados (dentro) do sistema automaticamente pertencem a este grupo.
==Tradução interrompida neste ponto ===
What order are permissions settings applied?
It is important to understand that Tiki uses several types of permissions:
Global permissions: Each site visitor belongs to a Group (such as Anonymous or Registered). The permissions you assign to the group define the global permissions for that user.
Category permissions: These permissions define the actions that users can take for objects in a specific category.
Object permissions: These permissions define the actions that user can take for an individual object.
Permissions are inherited from from the top-down, but override from the bottom-up.
This image illustrates the relationship among Group, Category, and Object permissions.
Tiki's permissions model may look like complex... but may also be very customizable.
Starting with Release 4.x, Tiki has a dramatically different (and friendlier) method of assigning permissions than earlier versions.
Consider the following example for a company using Tiki:
You have the groups:
Anonymous
Employees
Board of Directors
The Groups for ABC Company.
Notice that some groups include other groups. For example, members of the Board of Directors group will include, in addition to their own permissions, the permissions from the Employees, Registered, and Anonymous groups.
You have the categories:
Financial Information
Press Releases
You want to give:
Everyone permission to read most pages
Employees permission to edit most wiki pages
Board Members only, access to the company's financial information.
Group Permissions
Anonymous
To let the general public (that is, anonymous visitors) the ability to view wiki pages, assign tiki_p_view to Anonymous.
The Group Information page for the Anonymous group.
Employees
The Employee group includes the Anonymous group (that is, everyone) and Registered group (that is, users who are logged in). Therefore, the Employee group inherits the tiki_p_view permission from these groups.
To let employees edit pages, assign tiki_p_edit to Employees.
The Group Information page for the Employees group.
Board of Directors
The Board of Directors group includes the Anonymous, Registered, and Employees groups. Therefore, the Board of Directors group inherits the tiki_p_view and tiki_p_edit permission from these groups.
This group does not require any additional permissions.
Category Permissions
Press Releases
Currently, Anonymous can view press releases, and Employees can edit them. To allow only the Board of Directors to edit press releases, you must assign permissions tothe category. This will override the default group (global) permissions:
For the Press Releases category, assign tiki_p_edit_categorized to Board of Directors
But this will override all global permissions — no one will be able to view the press releases. To let the general public read the press releases, assign tiki_p_view_categorized to Anonymous.
Financial Information
Currently, Anonymous can view financial information, and Employees can edit them. To allow only the Board of Directors to edit and view these pages, you must assign permissions to the category. This will override the default group (global) permissions:
For the Financial Information category, assign tiki_p_view_categorized and tiki_p_edit_categorized to Board of Directors__
But what if you want one item in the Financial Information category, for example, a public disclosure form, to be visible to the public? You can override all other permissions, by assigning specific permissions to the object itself.
For the individual item (such as a wiki page), assign tiki_p_view to the Anonymous group and tiki_p_edit to the Board of Directors group.
Managing permissions
Warning
While entering a filter, JQuery will rebuild the list. Do not press enter or you'll start all over.
Starting in Tiki4, a new interface has been designed to manage object and category permissions.
In this new interface there are three tabs. The first one to allow assigning permissions.
the second tab is to select which groups should be included in the table for assigning permissions, since when the list of groups is too big, assigning permissions could be too slow.
Plugin Image
File is not an image.
The third tab is also to filter the number of features that should be shown in the interface. This is specially needed when managing category permissions, to avoid having a list far bigger than needed for our purposes in specific cases.
Plugin Image
File is not an image.
In addition, this new interface to manage permissions includes several features:
You can assign or remove all object permissions on all child categories if this box is checked.
You can filter the whole list of permissions dynamically to list only those containing some text
You can expand or collapse at will any of the sections of permissions
You can select one by one the permissions to be assigned or checking the box at the column title (group name) level, and that selection will propagate to all the checkbox shown in that column.
Storage and sharing via download or display in pages, of images, videos, and other file types . Supports check-in and check-out (lock), versions, etc.
tiki_p_admin_file_galleries
tiki_p_create_file_galleries
tiki_p_upload_files
tiki_p_download_files
NOTE: If you store images in the file gallery, you must include tiki_p_download_files in order for groups to view the images.
File Galleries enable secure and efficient uploading, storage, downloading and other serving of all types of files including images, videos, podcasts, text and PDF documents and more.
Facts and figures storage and retrieval. A forms and database generator, with reporting. Can be used for a bug tracker, item database, issue tracker, etc
Collaboratively authored documents with history of changes. Tiki's wiki has all the features you could want from a first-rate wiki. Ex.: attach files, comments, history, images, warn on edit, page locking, powerful wiki syntax, alternative WYSIWYG editor, etc.
Articles can be used for date-specific news and announcements. You can configure articles to automatically publish and expire at specific times or to require that submissions be approved before becoming "live." In addition to categories and tags, articles include their own unique classification system of Topics and Types.
Turn a wiki page into slideshow (each slide is the wiki content only, without "chrome") by using more than one title bar in the page, or make a multi-page slideshow from a structure.
This permits capturing the device screen and uploading to Tiki. An image is produced (that you can then draw on), or short video with sound. The jCapture applet is used.
Provides a webmail interface for site users' own IMAP or SMTP accounts. The Webmail tool has been massively improved since in Tiki20. Please see Email as a first-class citizen
Enable users to send internal messages to each other (like email but internal to the Tiki site). A message can be broadcast to multiple users in a Tiki group or to all site users if the appropriate permissions are granted.
Forums are online discussions organized by topic (or thread). Tiki forums feature threaded or flat views, file attachments, moderation and queuing, monitoring (subscription) of particular forums or topics, and full usage of wiki syntax.
Users can write, upload, download and read notes. Notes can be read as raw text files or as wiki pages interpreting the wiki markup syntax. The user-quota that admin can control is used to set the maximum size that user notes can take.
This provides each user with a personal wiki page that only he/she can edit. All User Pages have a similar, configurable name that includes the user name.
A simple shopping cart feature - Information on products or services can be maintained in wiki pages or trackers with display via Pretty Tracker ) and purchases added to Module Cart through the PluginAddToCart and sent to the payment page.
There is also a new feature in Tiki 1.9.x to restrict permissions via the category feature. Basically, you can already assign all the permissions you need as described above. However, permissions via the category feature is just to make it faster to assign permissions. This feature is little tricky to understand. We are working to improve it. There are only two levels ("view" & "admin") in Tiki 1.9.4, and the third level ("edit" category contents) has been introduced in starting from 1.10.
Starting in 3.0, category permissions are in addition to Groups permissions. So if tiki_p_read_categorized allows reading items which are in a category, the user must also be in a group which allows reading the specific kind of object. The category can not grant access to an object which the user's groups do not give him access to.
In Tiki4, the full granularity of permissions can be assigned to categories (and thus inherited when objects belong to a given category). The permissions granted to objects are the sum of all the permissions granted to categories in which they belong.
Because adding a category to an object can provide additional rights, it is important to protect who can assign categories to prevent undesired escalation. For example, if the site contains public and private information, someone with access to edit private information should not be able to make it available publicly by changing the categories. To resolve this issue, multiple permissions can be assigned to the categories.
To begin with, tiki_p_modify_object_categories allows to determine if the user is allowed to modify the categories of the object at all. Without this permission, it will be impossible to modify the categories. Typically, it is safe to grant this permission widely.
Then, there is higher granularity available for each category. tiki_p_add_object and tiki_p_remove_object determine if the user can add or remove elements from the category. Categories on which permissions are specified should also specify who can assign or remove those categories. When the operation is not available, the checkbox will be marked as disabled.
Additionally, some category changes may be allowed in certain contexts by defining Category Transitions, which would allow to change a category only from a certain state. A group of transitions create a workflow. Note that until Tiki6, category transitions are only available through Profiles.
Workspaces
Workspaces are coming to Tiki4 to further facilitate management of large & complex Tiki sites.
Admin permissions and special permissions
When a group has an admin permission on a feature such as tiki_p_admin_sheet, the group will lost his admin permission for an object with local perms or categories permissions.
Note
Some information on this page is from Tiki for Dummies Smarties, copyright (C) by Rick Sapir, published by KeyContent.org, and available under a Creative Commons Attribution-Share Alike License.
