!Hubzilla Support Forum
Hello, it's me again
After some days off, digging through the PHP-source code and a lot of thoughts about the hubzilla permission system I will try to sum up what I have learned. Would be very kind of you to check if I made something wrong or overlooked something completely.
The hubzilla permission system consists of three levels:
1. Channel permission limit
2. Connection permissions
3. ACL - access control list
While channel permissions are the most general permissions (also called permission limits), the ACL is the most specialised permission for a single accessible object.
How permissions work
When someone wants to access, let's say, a photo from one of my albums, the permission to access it will be determined the following way:
Is the accessing one an approved connection?
  No: permissions are regulated by the permission role of my channels
  Yes: the individual permissions of this connection are checked
    The connection has the individual permission to access my photos?
      No: no access
      Yes: check ACL for individual photos
        Is the connection in the ACL for the individual photo?
          No: no access
That's the easy part. But what are channel permissions, how are the individual connection permissions determined, what are the ACLs made of and are there any special rules?
Channel permissions:
Each channel has a permission role which can be selected in the security section of the channel settings. A permission role consists of:
1. permissions (like "can view my posts")
2. visibility settings (chat, directory)
3. default privacy group
4. auto privacy group for new connections
5. permission auto (automatic approval of connection request and application of permissions)
There are several permission roles predefined. 2 to 4 are only editable in the custom/expert role. For all other predefined roles settings 2 to 5 cannot be changed.
If a default privacy group is set for a permission role this group will be preset in the ACL dialog.
If the auto privacy group is set all new connections will automatically be added to this group.
If the permission role has automatic permission settings a new connection request will be automatically approved and the individual connection permissions assigned.
In the predefined roles the default privacy group and the auto privacy group will always be the same namely "friends" or none.
To be done: detailed table of permission roles.
The permissions make up the channel permission limits. Each channel permission can have one of the following values:
1. Only me
3. Anybody in the $Projectname network
4. Any account on %s
5. Any of my connections
6. Only connections I specifically allow
7. Anybody authenticated (could include visitors from other networks)
8. Any connections including those who haven't yet been approved
For the predefined permission roles only "Public" and "Only connections I specially allow" are used. The last one is set in the individual connection permissions.
Individual Connection permissions:
When a connection is approved the individual permissions are assigned to this connection corresponding to the channel permission limits.
All permissions which are set to public by the predefined permission role are inherited and cannot be changed for the individual connection permission.
In most predefined permission roles these are some or all of the "can view my" permissions. All other permissions can be changed.
And here comes the part I'm not sure about. I tried to get it from the PHP-source but as I'm not a PHP-developer this was sometimes very confusing.
Normally I would expect that all other individual permissions would be empty by default for new connections apart from the inherited ones. But it seems to me that some default permissions are automatically assigned (apart from the inherited).
Is that right? And if so, are these default permissions independent of the predefined permission role? And if I activated the permission groups, are these defaults equal to the permission role "default"?
Permission groups
If you have a common set of permissions you always want to use for your connections you can activate the additional function "permission groups". You can define several permission groups on your own and apply them to each of your connections. You can also set a default permission group which is applied to your connections by default.
ACLs
The ACLs are used for the individual items you share, like photos, files, posts etc.
For each of them an ACL can be set.
For an ACL you can choose between the following possibilities:
1. public (depends on channel permission limit)
2. Profiles (when using multiple profiles visibility)
3. Privacy groups
4. Only me
5. Custom selection: privacy groups, token, individual connections
If you are using a channel permission role with a default privacy group this group will be preselected in the ACL dialog but can be changed.
Furthermore ACLs cannot be changed for items which are transferred to other hubs (like posts) but can be changed for items which are accessed from outside on my server (like files or photos).
I hope I got it right this time. Next thing would be to draw a nice picture because a picture is worth a thousand words. And maybe polish the text a bit for the help.
Am I missing any special cases?
I'm a bit confused by meaz permission roles table (btw great work).
Especially from things like: Can send me their channel stream and posts (my "friends" privacy group) https://hub.disroot.org/photos/meaz/image/4d905f7c3fbdf2cadd16c3876cd23ef94655efa91b20e229cdead0533616e4a8
Feedback is very welcome.
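A small model of the three-level check described in the post above, added here as an illustration; it is not Hubzilla code and not part of the original post. The names (`Channel`, `Acl`, `view_photos`, `friends`) are hypothetical, and the rule that an unapproved visitor needs both a public channel limit and a public ACL is an assumption of this example.

```python
from dataclasses import dataclass, field

PUBLIC = "public"                # channel limit open to anybody
SPECIFIC = "specifically_allow"  # "Only connections I specifically allow"

@dataclass
class Channel:
    limits: dict                                  # permission -> PUBLIC | SPECIFIC
    approved: dict = field(default_factory=dict)  # connection -> individually granted permissions
    groups: dict = field(default_factory=dict)    # privacy group -> set of members

@dataclass
class Acl:
    public: bool = False
    connections: set = field(default_factory=set)
    groups: set = field(default_factory=set)      # not public and both sets empty == "Only me"

def acl_allows(channel, acl, who):
    """Level 3: is `who` named in the item's ACL, directly or through a privacy group?"""
    if acl.public or who in acl.connections:
        return True
    return any(who in channel.groups.get(g, set()) for g in acl.groups)

def can_access(channel, who, permission, acl):
    """Return (allowed, deciding_level) for one item, following the post's three levels."""
    limit = channel.limits.get(permission)
    if who not in channel.approved:
        # Level 1: no approved connection, so only the channel permission limit applies.
        # Assumption: the item itself must also be shared as public.
        return (limit == PUBLIC and acl.public), "channel limit"
    # Level 2: permissions the role sets to public are inherited by every connection;
    # everything else must be granted to this connection individually.
    if limit != PUBLIC and permission not in channel.approved[who]:
        return False, "connection permission"
    # Level 3: the ACL of the individual item has the last word.
    return acl_allows(channel, acl, who), "acl"

# Constructed sample data: one channel, two approved connections, one privacy group.
CHANNEL = Channel(
    limits={"view_photos": SPECIFIC, "view_posts": PUBLIC},
    approved={"alice": {"view_photos"}, "bob": set()},
    groups={"friends": {"alice", "bob"}},
)
FRIENDS_ONLY = Acl(groups={"friends"})
```

Returning the deciding level alongside the verdict shows which of the three layers denied a request, which is the question that usually comes up when a shared item is unexpectedly invisible.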