FCKeditor

Access Control List

From FCKeditor Docs

Note: This information is intended for programmers interested in modifying the CKFinder core.
If you are interested in installing/configuring CKFinder, please take a look at the Developer's Guide.

ACL – Access Control List

CKFinder comes with a powerful ACL feature, which makes it possible to define ACL settings at any level in the repository directories and subfolders. It also implements a simple role system for ACLs.

In the configuration file, many <AccessControl /> nodes can be created to define ACLs. All attributes defined in AccessControl nodes are optional, and each one overrides ACLs defined for parent folders.

For example, suppose the following ACLs are defined:

<AccessControl
 role = "*"
 resourceType = "*"
 folder = "/"
 folderView = "true"
 folderCreate = "true"
 fileUpload = "true"
/>
<AccessControl
 role = "*"
 resourceType = "Images"
 folder = "/My Test/Other Folder/"
 fileUpload = "false"
/>

With these settings, the connector should return the following values for FileUpload:

  • Type = Files - / : true
  • Type = Files - /My Test/ : true
  • Type = Files - /My Test/Other Folder/ : true
  • Type = Images - /My Test/ : true
  • Type = Images - /My Test/Other Folder/ : false
  • Type = Images - /My Test/Other Folder/Folder 3/ : false


The “*” wildcard may be used for “role” and “resourceType” to include all.

Roles

By setting the roleSessionVar attribute, the end developer can point the connector to a session variable which contains the name of the role of the session user. This name would then be used to calculate the ACL.

ACL Representation

When sending ACL information to CKFinder, the connector sends a “bit mask” represented by an integer value. Each folder contains a computed aggregated ACL bit mask.

The following is the representation of all used bits in the mask:

enum AccessControlRules
{
 FolderView = 1,
 FolderCreate = 2,
 FolderRename = 4,
 FolderDelete = 8,
 FileView = 16,
 FileUpload = 32,
 FileRename = 64,
 FileDelete = 128
}
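
The following Python sketch is an added example, not CKFinder connector code. It resolves the two AccessControl nodes from the example configuration into the aggregated bit mask for a given role, resource type and folder. The function names, the "editor" role, the starting mask of 0 and the ordering rule (parent folders applied before children, ties in configuration order) are assumptions of the sketch.

```python
from enum import IntFlag

class AccessControlRules(IntFlag):          # bit values from the enum above
    FolderView = 1
    FolderCreate = 2
    FolderRename = 4
    FolderDelete = 8
    FileView = 16
    FileUpload = 32
    FileRename = 64
    FileDelete = 128

# <AccessControl /> attribute name -> bit, e.g. "fileUpload" -> FileUpload
ATTR_BITS = {n[0].lower() + n[1:]: b for n, b in AccessControlRules.__members__.items()}

# The two nodes from the example configuration on this page.
ACL = [
    {"role": "*", "resourceType": "*", "folder": "/",
     "folderView": True, "folderCreate": True, "fileUpload": True},
    {"role": "*", "resourceType": "Images", "folder": "/My Test/Other Folder/",
     "fileUpload": False},
]

def norm(folder):
    """Canonical form with leading and trailing '/', so prefix tests stop at
    folder boundaries ('/a/b/' is not a parent of '/a/b 2/')."""
    return "/" + "".join(p + "/" for p in folder.split("/") if p)

def computed_mask(acl, role, resource_type, folder):
    target = norm(folder)
    hits = [e for e in acl
            if e["role"] in ("*", role)
            and e["resourceType"] in ("*", resource_type)
            and target.startswith(norm(e["folder"]))]
    # Assumption: parents apply before children; ties keep configuration order.
    hits.sort(key=lambda e: norm(e["folder"]).count("/"))
    mask = AccessControlRules(0)            # assumption: start with nothing granted
    for e in hits:
        for attr, bit in ATTR_BITS.items():
            if attr in e:                   # only attributes present override
                mask = (mask | bit) if e[attr] else (mask & ~bit)
    return mask

def can_upload(resource_type, folder, role="editor"):   # "editor" is a made-up role
    return bool(computed_mask(ACL, role, resource_type, folder) & AccessControlRules.FileUpload)

if __name__ == "__main__":
    for t, f in [("Files", "/"), ("Images", "/My Test/"),
                 ("Images", "/My Test/Other Folder/Folder 3/")]:
        print(t, f, can_upload(t, f), int(computed_mask(ACL, "editor", t, f)))
```

The sketch assumes the folder path has already been canonicalized by the caller; it does not resolve ".." segments.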