title: Access rules role: manual tags: #authorization #configuration #manual #security #zettelstore syntax: zmk back: 00001010000000 00001012054400 00001012054600 backward: 00001010000000 00001012054400 00001012054600 box-number: 1 copyright: (c) 2020-present by Detlef Stern created: 00010101000000 forward: 00001010040100 00001010040200 lang: en license: EUPL-1.2-or-later modified: 20211124142456 published: 20211124142456 visibility: public Whether an operation of the Zettelstore is allowed or rejected, depends on various factors. The following rules are checked first, in this order: # In read-only mode, every operation except the ""Read"" operation is rejected. # If there is no owner, authentication is disabled and every operation is allowed for everybody. # If the user is authenticated and it is the owner, then the operation is allowed. In the second step, when [[authentication is enabled|00001010040100]] and the requesting user is not the owner, everything depends on the requested operation. * Read a zettel: ** If the visibility is ""public"", the access is granted. ** If the visibility is ""owner"", the access is rejected. ** If the user is not authenticated, access is rejected. ** If the zettel requested is an [[user zettel|00001010040200]], reject the access if the users identification is not the same as of the ''user-id'' metadata value in the zettel. In other words: only the requesting user is allowed to access its own user zettel. ** If the ''user-role'' of the user is ""creator"", reject the access. ** Otherwise the user is authenticated, no sensitive zettel is requested. Allow to read the zettel. * Create a new zettel ** If the user is not authenticated, reject the access. ** If the ''user-role'' of the user is ""reader"", reject the access. ** If the user tries to create an [[user zettel|00001010040200]], the access is rejected. Only the owner of the Zettelstore is allowed to create user zettel. ** In all other cases allow to create the zettel. * Change an existing zettel ** If the user is not allowed to read the zettel (see above), reject the access. ** If the user is not authenticated, reject the access. ** If the zettel is the [[user zettel|00001010040200]] of the authenticated user, proceed as follows: *** If some sensitive meta values are changed (e.g. user identifier, zettel role, user role, but not hashed password), reject the access *** Since the user just updates some uncritical values, grant the access In other words: a user is allowed to change its user zettel, even if s/he has no writer privilege and if only uncritical data is changed. ** If the ''user-role'' of the user is ""reader"", reject the access. ** If the user is not allowed to create a new zettel, reject the access. ** Otherwise grant the access. * Rename a zettel ** Reject the access. Only the owner of the Zettelstore is currently allowed to give a new identifier for a zettel. * Delete a zettel ** Reject the access. Only the owner of the Zettelstore is allowed to delete a zettel. This may change in the future.