feat(wiki): per-folder access control for wiki sections #674

Closed
opened 2026-06-21 13:41:14 +00:00 by jmiller · 0 comments
Owner

Summary

Add folder-level write protection for wiki sections, allowing admins to lock specific wiki areas while keeping others open for editing. Similar to Wikipedia's page protection levels.

Current State

  • Wiki permissions are all-or-nothing per repo: CanRead(unit.TypeWiki) and CanWrite(unit.TypeWiki) in routers/web/repo/wiki.go
  • No way to protect individual pages or sections from editing
  • The existing folder structure (MokoGitea-only feature) provides natural section boundaries

Design

Access Control File

A _access.yml file in any wiki folder defines permissions for that folder and its children:

# wiki-root/admin/_access.yml
write:
  - admin
  - maintainer
read:
  - "*"   # everyone can read
# wiki-root/drafts/_access.yml
write:
  - "*"   # anyone with repo wiki access can edit
read:
  - member   # only org members can view drafts

Permission Inheritance

  • If no _access.yml exists in a folder, permissions are inherited from the parent folder
  • Root-level default: whatever the repo's wiki unit permissions allow
  • More restrictive permissions in child folders override parent

Enforcement

  • Check in WikiPost() / EditWikiPost() before allowing edits — walk the folder chain for _access.yml files
  • Check in renderViewPage() for read restrictions
  • _access.yml files themselves are only editable by repo admins

UI

  • Lock icon displayed next to protected pages/folders in the sidebar tree and page list
  • "This section is protected" banner on protected pages for users without write access
  • "Request edit" or "Suggest edit" button that creates an issue instead of direct editing

Files to Modify

File Change
routers/web/repo/wiki.go Access check in edit/create handlers, read checks
services/wiki/wiki_access.go New — parse _access.yml, permission resolution
templates/repo/wiki/view.tmpl Lock icon, protection banner

Related

  • #133 (independent visibility controls for issues, wiki, projects)
  • #9 (granular role-based permissions)

Wikipedia Parity

Wikipedia has multiple protection levels (semi-protected, fully protected, cascading protection) that prevent unauthorized edits to high-traffic or sensitive pages while keeping the majority of the wiki open.

## Summary Add folder-level write protection for wiki sections, allowing admins to lock specific wiki areas while keeping others open for editing. Similar to Wikipedia's page protection levels. ## Current State - Wiki permissions are all-or-nothing per repo: `CanRead(unit.TypeWiki)` and `CanWrite(unit.TypeWiki)` in `routers/web/repo/wiki.go` - No way to protect individual pages or sections from editing - The existing folder structure (MokoGitea-only feature) provides natural section boundaries ## Design ### Access Control File A `_access.yml` file in any wiki folder defines permissions for that folder and its children: ```yaml # wiki-root/admin/_access.yml write: - admin - maintainer read: - "*" # everyone can read ``` ```yaml # wiki-root/drafts/_access.yml write: - "*" # anyone with repo wiki access can edit read: - member # only org members can view drafts ``` ### Permission Inheritance - If no `_access.yml` exists in a folder, permissions are inherited from the parent folder - Root-level default: whatever the repo's wiki unit permissions allow - More restrictive permissions in child folders override parent ### Enforcement - Check in `WikiPost()` / `EditWikiPost()` before allowing edits — walk the folder chain for `_access.yml` files - Check in `renderViewPage()` for read restrictions - `_access.yml` files themselves are only editable by repo admins ### UI - Lock icon displayed next to protected pages/folders in the sidebar tree and page list - "This section is protected" banner on protected pages for users without write access - "Request edit" or "Suggest edit" button that creates an issue instead of direct editing ### Files to Modify | File | Change | |------|--------| | `routers/web/repo/wiki.go` | Access check in edit/create handlers, read checks | | `services/wiki/wiki_access.go` | New — parse `_access.yml`, permission resolution | | `templates/repo/wiki/view.tmpl` | Lock icon, protection banner | ## Related - #133 (independent visibility controls for issues, wiki, projects) - #9 (granular role-based permissions) ## Wikipedia Parity Wikipedia has multiple protection levels (semi-protected, fully protected, cascading protection) that prevent unauthorized edits to high-traffic or sensitive pages while keeping the majority of the wiki open.
jmiller added the feature: wiki label 2026-06-21 13:41:14 +00:00
Sign in to join this conversation.