mirrors/TiddlyWiki5
1
0
Fork 0
mirror of https://github.com/Jermolene/TiddlyWiki5 synced 2024-12-02 22:39:56 +00:00
Code Issues Releases Wiki Activity
12e48af372
TiddlyWiki5/plugins/tiddlywiki/multiwikiserver/docs/readme.tid
webplusai 12e48af372
update multiwiki server documentation (#8748) 
* mws authentication

* add more tests and permission checkers

* add logic to ensure that only authenticated users' requests are handled

* add custom login page

* Implement user authentication as well as session handling

* work on user operations authorization

* add middleware to route handlers for bags & tiddlers routes

* add feature that only returns the tiddlers and bags which the user has permission to access on index page

* refactor auth routes & added user management page

* fix Ci Test failure issue

* fix users list page, add manage roles page

* add commands and scripts to create new user & assign roles and permissions

* resolved ci-test failure

* add ACL permissions to bags & tiddlers on creation

* fix comments and access control list bug

* fix indentation issues

* working on user profile edit

* remove list users command & added support for database in server options

* implement user profile update and password change feature

* update plugin readme

* implement command which triggers protected mode on the server

* revert server-wide auth flag. Implement selective authorization

* ACL management feature

* Complete Access control list implementation

* Added support to manage users' assigned role by admin

* fix comments

* fix comment

* Add user profile management and account deletion functionality

* add success and error message feedback for user profile operations

* fix indentation issues

* Add command to create admin user if none exists when the start command is executed

* refactor annonymous user flow with create admin implementation

* remove mws-add-user from start command

* admin configuration for annonymous read-write opearations

* fix comments

* change get-anon handler to POST

* update multiwiki server documentation
2024-11-15 20:29:39 +00:00

239 lines
7.0 KiB
Plaintext
Raw Blame History

title: $:/plugins/tiddlywiki/multiwikiserver/readme
This plugin extends the TiddlyWiki 5 server running on Node.js to be able to host multiple wikis that can share content or be independent.
!! Installation
```
# Clone the repo into ./TiddlyWiki5
git clone https://github.com/Jermolene/TiddlyWiki5.git --branch multi-wiki-support
cd TiddlyWiki5
# Install dependencies
npm install
# Start the server
npm start
```
Then visit the administration interface in a browser: http://127.0.0.1:8080/
The `npm start` command is a shortcut for the following command:
```
node ./tiddlywiki.js ./editions/multiwikiserver --mws-listen
```
Note that changes are written to the topmost bag in a recipe.
Note that until syncing is improved it is necessary to use "Get latest changes from the server" to speed up propogation of changes between users.
To run the tests:
```
./bin/test.sh
```
# Authentication & Authorization
## Overview
Our application has transitioned from a conventional username/password authentication system to a more robust Authentication and Authorization implementation. This new system supports multiple user accounts, roles, permissions, and a comprehensive access control list.
## Key Features
1. Multiple User Accounts
2. Role-based Access Control
3. Granular Permissions
4. Access Control List (ACL)
## Application Access & Security
### Initial Setup
When you first launch the Multiwiki Server, it operates in an unauthenticated mode to facilitate initial configuration. During this initial state, the system creates a temporary anonymous administrator account. Upon accessing the landing page, you'll receive a prominent security warning with instructions to establish a permanent ADMIN account. It's crucial to create this account immediately to secure your installation.
### User Types and Permissions
#### Administrator (ADMIN)
- Full system access and configuration rights
- Can create, modify, and delete user accounts
- Manages role assignments and permissions
- Controls global system settings
- Can configure guest access policies
- Has complete control over all recipes and tiddlers
#### Regular Users
- Custom accounts created by administrators
- Permissions determined by assigned roles
- Access limited to specific recipes based on role permissions
- Can have READ and/or WRITE permissions
#### Guest Users
- Default anonymous access level
- No inherent permissions
- Can only access recipes without Access Control Lists (ACLs)
- Read/write capabilities configurable by ADMIN
- Useful for public wikis or documentation sites
### Access Control System
#### Recipe-Level Security
- Access control is implemented at the recipe level
- Each recipe can have its own Access Control List (ACL)
- Permissions are granular:
- READ: Allows viewing recipe contents
- WRITE: Allows modifications to recipe contents
#### Role-Based Access Control (RBAC)
- Administrators can create custom roles
- Roles can be assigned specific READ/WRITE permissions
- Users inherit permissions from their assigned roles
- Multiple roles can be assigned to a single user
- Provides flexible and scalable access management
#### Permission Inheritance
- Users receive combined permissions from all assigned roles
- More permissive role takes precedence in conflicts
- Guest access is overridden by recipe ACLs
- System automatically enforces most restrictive access when conflicts occur
This security model allows for fine-grained control over content access while maintaining flexibility for both private and public wiki deployments.
## User Management & Security Architecture
### User Account Management
Users can be administered through two interfaces:
1. Web-based Administrative Interface
- Accessible only to ADMIN users
- Provides graphical interface for user operations
- Real-time validation and feedback
2. Command-line Interface (CLI) Tools
- Suitable for automation and scripting
- Enables batch operations
- Useful for system initialization
Each user account contains the following essential components:
- **Username**
- Must be unique across the system
- Case-sensitive
- Used for authentication and audit trails
- **Password**
- Stored using secure hashing algorithms
- Never stored in plaintext
- Subject to complexity requirements
- **Role Assignments**
- Multiple roles can be assigned
- Inherited permissions from all assigned roles
- Dynamic permission calculation based on role combination
### Role & Permission Framework
#### Role Management
Roles serve as permission containers and provide organized access control. The system includes:
**Built-in Roles:**
- `ADMIN`
- Highest privilege level
- Full system access
- Cannot be modified or deleted
- Can create and manage other roles
- Controls guest access policies
- `USER`
- Basic access rights
- Typically limited to specific recipes
**Custom Roles (Examples):**
- `MANAGER`
- Intermediate access level
- Can manage subset of resources
- Custom roles as needed for specific use cases
#### Permission Architecture
**Core Permissions:**
1. `READ` Permission
- View recipe contents
- Access tiddler data
- View metadata
- Export capabilities
2. `WRITE` Permission
- Create new tiddlers
- Modify existing content
- Delete resources
- Manage recipe contents
**Guest Access:**
- No default permissions
- Access limited to non-ACL recipes
- Configurable by ADMIN users
- Suitable for public wikis
### Access Control List (ACL) Implementation
The ACL system provides granular security control through:
#### Entity-Level Control
- Recipe-based access control
- Individual resource protection
- Hierarchical permission inheritance
### Authentication Process Flow
1. Initial Authentication
- User submits credentials
- System validates username existence
- Password hash comparison
- Session token generation
2. Session Management
- Secure session storage
- Token-based authentication
- Automatic session expiration
- Re-authentication requirements
### Authorization Workflow
1. Request Processing
- Capture user action request
- Identify target resource
- Extract required permissions
2. Permission Validation
- Check user roles
- Aggregate permissions
- Verify ACL entries
- Apply guest policies if applicable
3. Access Decision
- Compare required vs. available permissions
- Apply most restrictive policy
- Return access decision
### System Extension Guidelines
#### Adding New Roles
1. Access administrative interface
2. Define role identifier
3. Assign base permissions
4. Configure ACL mappings
5. Test role functionality
#### Permission Expansion
1. Define new permission type
2. Update ACL structure
3. Implement permission checks
4. Update validation logic
5. Document new permission
#### Security Considerations
- Regular permission audits
- Role assignment reviews
- Guest access monitoring
- Security log analysis
- Access pattern monitoring
This comprehensive security model provides flexible, maintainable, and secure access control while supporting both authenticated and guest users within the Multiwiki Server environment.
Reference in New Issue View Git Blame Copy Permalink