(zettel (meta (back "00001010000000 00001012054400 00001012054600") (backward "00001010000000 00001012054400 00001012054600") (box-number "1") (created "00010101000000") (forward "00001010040100 00001010040200") (modified "20211124142456") (published "20211124142456") (role "manual") (syntax "zmk") (tags "#authorization #configuration #manual #security #zettelstore") (title "Access rules")) (rights 4) (encoding "") (content "Whether an operation of the Zettelstore is allowed or rejected depends on various factors.\n\nThe following rules are checked first, in this order:\n\n# In read-only mode, every operation except the \"\"Read\"\" operation is rejected.\n# If there is no owner, authentication is disabled and every operation is allowed for everybody.\n# If the user is authenticated and is the owner, then the operation is allowed.\n\nIn the second step, when [[authentication is enabled|00001010040100]] and the requesting user is not the owner, everything depends on the requested operation.\n\n* Read a zettel:\n** If the visibility is \"\"public\"\", the access is granted.\n** If the visibility is \"\"owner\"\", the access is rejected.\n** If the user is not authenticated, the access is rejected.\n** If the requested zettel is a [[user zettel|00001010040200]], reject the access if the user's identification is not the same as the ''user-id'' metadata value in the zettel.\n\n In other words: only the requesting user is allowed to access its own user zettel.\n** If the ''user-role'' of the user is \"\"creator\"\", reject the access.\n** Otherwise the user is authenticated and no sensitive zettel is requested.\n Reading the zettel is allowed.\n* Create a new zettel\n** If the user is not authenticated, reject the access.\n** If the ''user-role'' of the user is \"\"reader\"\", reject the access.\n** If the user tries to create a [[user zettel|00001010040200]], the access is rejected.\n\n Only the owner of the Zettelstore is allowed to create user zettel.\n** In all other cases, creating the zettel is allowed.\n* Change an existing zettel\n** If the user is not allowed to read the zettel (see above), reject the access.\n** If the user is not authenticated, reject the access.\n** If the zettel is the [[user zettel|00001010040200]] of the authenticated user, proceed as follows:\n*** If some sensitive meta values are changed (e.g. user identifier, zettel role, user role, but not the hashed password), reject the access.\n*** Otherwise the user only updates uncritical values, so grant the access.\n In other words: a user is allowed to change its own user zettel, even without writer privilege, as long as only uncritical data is changed.\n** If the ''user-role'' of the user is \"\"reader\"\", reject the access.\n** If the user is not allowed to create a new zettel, reject the access.\n** Otherwise grant the access.\n* Rename a zettel\n** Reject the access.\n Only the owner of the Zettelstore is currently allowed to assign a new identifier to a zettel.\n* Delete a zettel\n** Reject the access.\n Only the owner of the Zettelstore is allowed to delete a zettel.\n This may change in the future."))
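The rule chain above, written out as an added Go example that is not Zettelstore's own policy code. It assumes that a nil user means "not authenticated", that a non-empty user-id metadata value marks a user zettel, and that visibility is one of the strings "public", "login" and "owner"; the Store, User and Zettel types are this example's simplifications.

```go
package main

// User is the requester; nil means not authenticated. Role is the user-role
// metadata ("reader", "creator" or "writer"); Owner marks the store owner.
type User struct{ ID, Role string; Owner bool }
// Zettel holds only the metadata the rules inspect. Visibility is "public",
// "login" or "owner"; a non-empty UserID (user-id metadata) marks a user zettel.
type Zettel struct{ Visibility, UserID string }
// Store carries the global settings checked before any per-zettel rule.
type Store struct{ ReadOnly, HasOwner bool }

func (s Store) canRead(u *User, z *Zettel) bool {
	if z.Visibility == "public" {
		return true
	}
	if z.Visibility == "owner" || u == nil || (z.UserID != "" && z.UserID != u.ID) {
		return false // owner-only, anonymous, or another user's user zettel
	}
	return u.Role != "creator"
}

// canCreate: readers create nothing; user zettel are left to the owner.
func (s Store) canCreate(u *User, z *Zettel) bool {
	return u != nil && u.Role != "reader" && z.UserID == ""
}

// Allowed applies the rules in the order the page lists them. op is "read",
// "create", "update", "rename" or "delete"; for "update", sensitive reports a
// change to user identifier, zettel role or user role (not hashed password).
func (s Store) Allowed(u *User, op string, z *Zettel, sensitive bool) bool {
	if s.ReadOnly && op != "read" {
		return false
	}
	if !s.HasOwner || (u != nil && u.Owner) {
		return true
	}
	switch op {
	case "read":
		return s.canRead(u, z)
	case "create":
		return s.canCreate(u, z)
	case "update":
		if !s.canRead(u, z) || u == nil {
			return false
		}
		own := z.UserID == u.ID // the requester's own user zettel
		return own && !sensitive || !own && s.canCreate(u, z)
	}
	return false // rename and delete stay with the owner
}
```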