enigma-bbs/docs/_docs/configuration/acs.md

5.9 KiB
Raw Blame History

layout title
page Access Condition System (ACS)

Access Condition System (ACS)

ENiGMA½ uses an Access Condition System (ACS) that is both familiar to oldschool BBS operators and has it's own style. With ACS, SysOp's are able to control access to various areas of the system based on various conditions such as group membership, connection type, etc. Various touch points in the system are configured to allow for acs checks. In some cases ACS is a simple boolean check while others (via ACS blocks) allow to define what conditions must be true for certain rights such as read and write (though others exist as well).

Group Membership

ENiGMA½ does not utilize legacy "security levels" (see note below) but instead utilizes a group system. Users may be long to one or more groups which can be checked by the GM ACS (See ACS Codes below). Two special groups exist out of the box:

  1. users: Any regular user
  2. sysops: System Operators. The first user (your root, or admin) will alwasy belong to this group.

You do not need to explicitly create groups: By checking for them via ACS, and adding members to a group, they implicitly exist within the system. You may use as many groups within your system as you would like. See 'optuil user group' for information adding and removing users to groups.

Many dropfile formats require a security level. As such, the following apply: Root user or users in sysops group receive a security level of 100 while standard users receive 30.

ACS Codes

The following are ACS codes available as of this writing:

Code Condition
LC Connection is local
AGage User's age is >= age
ASstatus, AS[status,...] User's account status is group or one of [group,...]
ECencoding Terminal encoding is set to encoding where 0 is CP437 and 1 is UTF-8
GM[group,...] User belongs to one of [group,...]
NNnode, NN[node,...] Current node is node or one of [node,...]
NPposts User's number of message posts is >= posts
NCcalls User's number of calls is >= calls
SC Connection is considered secure (SSL, secure WebSockets, etc.)
THheight Terminal height is >= height
TWwidth Terminal width is >= width
TM[themeId,...] User's current theme ID is one of [themeId,...] (e.g. luciano_blocktronics)
TT[termType,...] User's current terminal type is one of [termType,...] (ANSI-BBS, utf8, xterm, etc.)
IDid, ID[id,...] User's ID is id or one of [id,...]
WDweekDay, WD[weekDay,...] Current day of week is weekDay or one of [weekDay,...] where 0 is Sunday, 1 is Monday, and so on.
AAdays Account is >= days old
BUbytes User has uploaded >= bytes
UPuploads User has uploaded >= uploads files
BDbytes User has downloaded >= bytes
DLdownloads User has downloaded >= downloads files
NRratio User has upload/download count ratio >= ratio
KRratio User has a upload/download byte ratio >= ratio
PCratio User has a post/call ratio >= ratio
MMminutes It is currently >= minutes past midnight (system time)
ACachievementCount User has >= achievementCount achievements
APachievementPoints User has >= achievementPoints achievement points
AFauthFactor User's current Authentication Factor is >= authFactor. Authentication factor 1 refers to username + password (or PubKey) while factor 2 refers to 2FA such as One-Time-Password authentication.
ARauthFactorReq Current user requires an Authentication Factor >= authFactorReq
PV[_name,value] Checks that the property by name for the current user is exactly value. This ACS allows arbitrary user property values to be checked. For example, PV[message_conf,local] checks that the user is currently in the "local" message conference.
SE[service,service,...] Checks that all services listed by service listed are enabled. Available services: http, https, web (http or https), gopher, nntp, nntps, activitypub (requires web), nodeinfo2 (requires web), webfinger (requires web). Example: SE[activitypub].

ACS Strings

ACS strings are one or more ACS codes in addition to some basic language semantics.

The following logical operators are supported:

  • ! NOT
  • | OR
  • & AND (this is the default)

ENiGMA½ also supports groupings using ( and ). Lastly, some ACS codes allow for lists of acceptable values using [ and ] — for example, GM[users,sysops].

Example ACS Strings

  • NC2: User must have called two more more times for the check to return true (to pass)
  • ID1: User must be ID 1 (the +op)
  • GM[elite,power]: User must be a member of the elite or power user group (they could be both)
  • ID1|GM[co-op]: User must be ID 1 (SysOp!) or belong to the co-op group
  • !TH24: Terminal height must NOT be 24

ACS Blocks

Some areas of the system require more than a single ACS string. In these situations an ACS block is used to allow for finer grain control. As an example, consider the following file area acs block:

acs: {
    read: GM[users]
    write: GM[sysops,co-ops]
    download: GM[elite-users]
}

All users can read (see) the area, sysops and co-ops can write (upload), and only members of the elite-users group can download.

ACS Touch Points

The following touch points exist in the system. Many more are planned:

See the specific areas documentation for information on available ACS checks.