Wagn's powerful permissions system lets you set CRUD (create, read, update, and delete) permissions on any Set of cards.
These permissions are checked when a card is included. That means, for example, that if a public page includes a private card, that private card won't be shown to folks without permission. Permissions are also checked wherever cards are queried, so that search results will never turn up a card that a user doesn't not have permission to see.
Wagn also supports true file permissions, meaning that permissions are checked whenever a file is requested.
Permission to update a given cards is based on its *update rules. A new Wagn comes with several update rules, including these two:
By "Layout cards", we mean cards that have the type "Layout". Since the set of "Layout cards" is narrower than the set of "all cards", the second rule overrides the first, and only Administrators are permitted to edit Layout cards.
Wagn's permissions system is both powerful and simple. It uses just 4 main kinds of rules: *create, *read, *update, and *delete. (It currently also supports *comment rules, but that will soon be handled differently.)
All Wagn permissions can be assigned to any combination of User and Role (user group). For example, a "Conference Call" card could be restricted so that it could be updated only by persons with the Staff role or the Board role or by Justin Blauchen (the CEO's husband).
Editing card permissions is just like editing any other rules; just go to "advanced" or "advanced > rules" on the card menus.
A card with the compound name A+B can inherit its permissions from A.
Suppose we have a card named "Jin's Dossier" and another named "Jin's Dossier+overview". The common use for such compound names is as fields. Which is to say that the +overview card is used as a field of Jin's Dossier. Often we want our field cards (+overview) to have the same permission as their subject (Jin's Dossier).
We call this pattern "inheriting" permissions, and every Wagn comes with default create, read, update, and delete rules that make all plus cards (all cards withcompound names) inherit from their parents. These rule can, of course be changed or overridden like any other rules.
When serving files and images, many systems rely on "security through obscurity": the hope that hard-to-guess urls will prevent users from stumbling upon their files. But as soon as the url becomes known to search engines, that approach flops. Wagn checks for file permissions (which are no different from any other card permission) on every request, so clicking a link to a restricted file will only work for permitted users.