MKDoc has a simple and, crucially, comprehensible system of user authentication and authorization. This article is a quick overview of the MKDoc permissions system as it has been developed to suit our client base and their needs.
Authentication
Currently MKDoc uses the standard web password-based mechanism (HTTP Authentication) to authenticate users. This works with all web browsers, and you can generally tell your browser to remember the password permanently.
There is a configuration option to use an alternative cookie-based authentication mechanism, but it is disabled by default. Cookies have a bad reputation, although this usage is actually an appropriate use of the technology.
In combination with HTTPS/SSL, either method is cryptographically secure; without it, the HTTP Authentication credentials (or the session cookie) are sent unencrypted with every request.
Authorization
Permissions for MKDoc authors are granted at the document level: if you have permission to edit a document, you also have the authority to edit, create or delete any child or descendant attached hierarchically to that document.
This differs from a system where each author has his or her own document hierarchy in that any single user can be granted authority over any number of base documents, and multiple users can have authority over the same, overlapping set of documents.
Examples
Visitor account
This user has no base document; consequently they can't modify any content on the site, but they can use MKDoc personalization features such as receiving newsletter updates via email.
This is how the visitor sign-up system works on the UK government Help is at Hand site.
Intranet account
This user has a single base document in a hidden area of the site; as a result they can create intranet pages that are visible to other logged-in users but invisible to the general public.
Trusted author account
This user has one or more base documents in public areas; for instance, one of our developers might have permission to edit these two pages:
…consequently this user can also modify these two pages:
…but not these pages:
General editor account
This user has a single base document, which is the site homepage; this means that they can edit any page on the site, including pages maintained by other users.
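The authorization rule described above (a user may act on a document when one of their base documents is that document or one of its ancestors) and the four account types in the examples can be modelled in a few lines. The following is an added illustration written for this article, not MKDoc's own code: the site tree, the hidden intranet area and the user grants are all constructed here, and document names are assumed to be slash-terminated paths whose parent is found by dropping the last path segment.

```python
"""Hierarchical, document-level permissions in the style described for MKDoc.

Added example; not MKDoc source. Assumptions: documents are identified by
slash-terminated paths ("/news/2004/" is a child of "/news/"), the homepage
is "/", and a user's grant is simply the set of their base documents.
Authorization is deny-by-default: a document is editable only if the walk
from the document up to the homepage meets one of the user's base documents.
"""
from typing import Dict, Iterator, List, Optional, Set

# Constructed site tree: parent path -> child paths, rooted at the homepage.
SITE: Dict[str, List[str]] = {
    "/": ["/news/", "/about/", "/intranet/"],
    "/news/": ["/news/2004/"],
    "/news/2004/": [],
    "/about/": ["/about/team/"],
    "/about/team/": [],
    "/intranet/": ["/intranet/policies/"],
    "/intranet/policies/": [],
}

# Constructed "hidden area": everything beneath it is invisible to the public.
HIDDEN: Set[str] = {"/intranet/"}

# Constructed users, one per account type in the article. A grant is a set
# of base documents; the visitor account has none.
USERS: Dict[str, Set[str]] = {
    "visitor": set(),
    "intranet": {"/intranet/"},
    "trusted_author": {"/news/", "/about/team/"},
    "general_editor": {"/"},
}


def parent_of(path: str) -> Optional[str]:
    """Drop the last path segment: "/news/2004/" -> "/news/"; "/" has no parent."""
    if path == "/":
        return None
    return path[: path.rstrip("/").rfind("/") + 1]


def ancestors_or_self(path: str) -> Iterator[str]:
    """Yield the document itself, then each ancestor up to the homepage."""
    node: Optional[str] = path
    while node is not None:
        yield node
        node = parent_of(node)


def can_edit(bases: Set[str], path: str) -> bool:
    """True when one of the user's base documents is the document or an ancestor."""
    if path not in SITE:
        raise KeyError(f"unknown document: {path}")
    return any(node in bases for node in ancestors_or_self(path))


def editable_documents(bases: Set[str]) -> List[str]:
    """Every document on the site the user is allowed to edit, sorted."""
    return sorted(path for path in SITE if can_edit(bases, path))


def can_view(logged_in: bool, path: str) -> bool:
    """Hidden areas are visible to any logged-in user but not to the public."""
    if path not in SITE:
        raise KeyError(f"unknown document: {path}")
    if logged_in:
        return True
    return not any(node in HIDDEN for node in ancestors_or_self(path))


if __name__ == "__main__":
    for name, bases in USERS.items():
        print(f"{name:15s} bases={sorted(bases)!s:30s} edits={editable_documents(bases)}")
    print("public can see /intranet/policies/:", can_view(False, "/intranet/policies/"))
```

Running the script lists, for each constructed account, exactly the documents it can edit: the visitor gets an empty list, the intranet account gets its hidden subtree, the trusted author gets the two granted subtrees but not `/about/` itself, and the general editor gets the whole site because every path walks up to `/`.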
“Super-User” admin account
MKDoc has a special user account that is used entirely for adding, removing and managing other users. When this user logs in, the standard document edit menu is replaced by a user-management menu.