访问控制

Weblate 带有细粒度的特权系统,可以为整个实例或在有限范围内分配用户权限。

在 3.0 版更改: 在 Weblate 3.0 之前,特权系统仅基于 Django,但现在是专门为 Weblate 构建的。如果使用的是更旧的版本,那么请查阅所使用的特定版本的文档。

简单的访问控制

如果你不是掌控完整的Weblate安装,而仅仅是需要访问管理当前项目(如在Hosted Weblate <https://hosted.weblate.org/>`_),你的访问控制管理选项将被设置所限制。如果你不需要任何复杂的步骤,这些就足够了。

项目访问控制

注解

此功能对于运行 Weblate 上托管的自由软件计划的项目不可用。

您可以通过选择不同的:guilabel:`Access control`设置来限制用户对单个项目的访问。可用的选项有:

公开的

公开可见,且所有登录用户均可进行翻译。

受保护的

公开可见,但只允许被选择的用户翻译。

私有的

公开可见,但只允许被选择的用户翻译。

自定义

用户管理<manage-acl>功能将被禁用;默认情况下,禁止所有用户对项目执行任何操作。您必须使用:ref:`custom-acl`设置所有权限。

可以在每个项目的配置(:guilabel:`Manage↓:guilabel:`Settings)的:guilabel:`Access`选项卡中更改Access控制。

../_images/project-access.png

可以通过 DEFAULT_ACCESS_CONTROL 更改默认值。

注解

Even for Private projects, some info about your project will be exposed: statistics and language summary for the whole instance will include counts for all projects despite the access control setting. Your project name and other information can’t be revealed through this.

注解

The actual set of permissions available for users by default in Public, Protected, and Private projects can be redefined by Weblate instance administrator using custom settings.

警告

通过打开 Custom 访问控制, Weblate 会删除所有为一个选定项目建立的 special groups。如果你在没有整个 Weblate 实例的管理员权限的情况下这样做,你会立即丢失管理项目的权限。

参见

访问控制

管理每个项目的访问控制

Manage project access 特权的用户(请参见 特权列表 )还可以通过 non-Custom 访问控制来管理用户。它们可以将用户分配到以下组之一。

For Public, Protected and Private projects:

管理

包括项目可用的所有权限。

Review (only if review workflow is turned on)

可以在复查时批准翻译。

For Protected and Private projects only:

翻译

可以翻译项目,并将离线的翻译上传。

可以编辑源字符串 (如果在 project settings 中允许的话 )及源字符串信息。

语言

可以管理翻译语言(添加或删除翻译)。

词汇表

可以管理词汇表(添加或删除条目,并上传)。

记忆存储

可以管理翻译记忆库。

截图

可以管理截屏(添加或删除截屏,并将其与源字符串关联)。

版本控制系统(VCS )

可以管理版本控制系统(VCS)并访问导出的仓库。

账单

可以访问账单信息和设置(请参见 账单 )。

Unfortunately, it’s not possible to change this predefined set of groups for now. Also this way it’s not possible to give just some additional permissions to all users.

注解

For non-Custom access control an instance of each group described above is actually defined for each project. The actual name of those groups will be Project@Group, also displayed in the Django admin interface this way. Although they can’t be edited from Weblate user-interface.

../_images/manage-users.png

These features are available on the Access control page, which can be accessed from the project’s menu ManageUsers.

新用户邀请

Also, besides adding an existing user to the project, it is possible to invite new ones. Any new user will be created immediately, but the account will remain inactive until signing in with a link in the invitation sent via an e-mail. It is not required to have any site-wide privileges in order to do so, access management permission on the project’s scope (e.g. a membership in the Administration group) would be sufficient.

提示

If the invited user missed the validity of the invitation, they can set their password using invited e-mail address in the password reset form as the account is created already.

3.11 新版功能: 重新发送用户邀请电子邮件是有可能的 (使任何之前发送的邀请无效)。

The same kind of invitations are available site-wide from the management interface on the Users tab.

每项目的权限管理

你可以将你的项目设置为 ProtectedPrivate ,并在 Weblate 的界面上设置每个项目的 manage users

By default this prevents Weblate from granting access provided by Users and Viewers default groups due to these groups’ own configuration. This doesn’t prevent you from granting permissions to those projects site-wide by altering default groups, creating a new one, or creating additional custom settings for individual component as described in 客户访问控制 below.

One of the main benefits of managing permissions through the Weblate user interface is that you can delegate it to other users without giving them the superuser privilege. In order to do so, add them to the Administration group of the project.

客户访问控制

注解

此功能对于运行 Weblate 上托管的自由软件计划的项目不可用。

权限系统基于组和角色,其中角色定义了一组权限,组将它们链接到用户和翻译,请参阅 用户、角色、用户组和权限 以获取更多详细信息。

The most powerful features of the Weblate’s access control system for now are available only through the Django admin interface. You can use it to manage permissions of any project. You don’t necessarily have to switch it to Custom access control to utilize it. However you must have superuser privileges in order to use it.

If you are not interested in details of implementation, and just want to create a simple-enough configuration based on the defaults, or don’t have a site-wide access to the whole Weblate installation (like on Hosted Weblate), please refer to the 简单的访问控制 section.

通用设置

This section contains an overview of some common configurations you may be interested in.

站点范围的权限管理

To manage permissions for a whole instance at once, add users to appropriate default groups:

  • Users (this is done by default by the automatic group assignment).

  • Reviewers (if you are using review workflow with dedicated reviewers).

  • Managers (if you want to delegate most of the management operations to somebody else).

You should keep all projects configured as Public (see 项目访问控制), otherwise the site-wide permissions provided by membership in the Users and Reviewers groups won’t have any effect.

You may also grant some additional permissions of your choice to the default groups. For example, you may want to give a permission to manage screenshots to all the Users.

You can define some new custom groups as well. If you want to keep managing your permissions site-wide for these groups, choose an appropriate value for the Project selection (e.g. All projects or All public projects).

自定义语言、组件或项目权限

You can create your own dedicated groups to manage permissions for distinct objects such as languages, components, and projects. Although these groups can only grant additional privileges, you can’t revoke any permission granted by site-wide or per-project groups by adding another custom group.

示例:

If you want (for whatever reason) to allow translation to a specific language (lets say Czech) only to a closed set of reliable translators while keeping translations to other languages public, you will have to:

  1. Remove the permission to translate Czech from all the users. In the default configuration this can be done by altering the Users default group.

    Users 用户组

    语言选择

    按所指定

    语言

    All but Czech

  1. Add a dedicated group for Czech translators.

    小组 Czech translators

    角色

    高级用户

    项目选择

    所有公开项目

    语言选择

    按所指定

    语言

    捷克语

  1. Add users you wish to give the permissions to into this group.

As you can see, permissions management this way is powerful, but can be quite a tedious job. You can’t delegate it to another user, unless granting superuser permissions.

用户、角色、用户组和权限

身份验证模型包括几个对象:

权限

Weblate 定义的个人权限。权限不能分配给用户。这只能通过分配角色来完成。

Role

角色定义为一组权限。这允许在几个地方重复使用这些组,使管理更容易。

User

用户可归属于几个用户组。

群组

用户组连接角色、用户和身份验证对象(项目、语言和组件列表)。

graph auth { "User" -- "Group"; "Group" -- "Role"; "Role" -- "Permission"; "Group" -- "Project"; "Group" -- "Language"; "Group" -- "Components"; "Group" -- "Component list"; }

注解

A group can have no roles assigned to it, in that case access to browse the project by anyone is assumed (see below).

浏览到项目的访问权限

用户必须是链接到项目的组或项目中的任何组件的成员。拥有成员身份就足够了,浏览项目不需要特定的权限 (这被用于默认的 查看者 小组,见 群组列表 )。

浏览组件的权限

用户一旦能够访问组件的项目,就可以不受限制地访问组件。(并将拥有该项目授予用户的所有权限)。在开启 受限制的访问 的情况下,访问组件需要对该组件(或该组件所在的组件列表)具有显式权限。

群组范围

The scope of the permission assigned by the roles in the groups are applied by the following rules:

  • If the group specifies any Component list, all the permissions given to members of that group are granted for all the components in the component lists attached to the group, and an access with no additional permissions is granted for all the projects these components are in. Components and Projects are ignored.

  • If the group specifies any Components, all the permissions given to the members of that group are granted for all the components attached to the group, and an access with no additional permissions is granted for all the projects these components are in. Projects are ignored.

  • Otherwise, if the group specifies any Projects, either by directly listing them or by having Projects selection set to a value like All public projects, all those permissions are applied to all the projects, which effectively grants the same permissions to access all projects unrestricted components.

  • The restrictions imposed by a group’s Languages are applied separately, when it’s verified if a user has an access to perform certain actions. Namely, it’s applied only to actions directly related to the translation process itself like reviewing, saving translations, adding suggestions, etc.

提示

使用 Language selectionProject selection 来自动包括所有语言或项目。

示例:

Let’s say there is a project foo with the components: foo/bar and foo/baz and the following group:

Group Spanish Admin-Reviewers

角色

审核字符串管理代码库

组件

foo/bar

语言

西班牙语

Members of that group will have following permissions (assuming the default role settings):

  • General (browsing) access to the whole project foo including both components in it: foo/bar and foo/baz.

  • Review strings in foo/bar Spanish translation (not elsewhere).

  • Manage VCS for the whole foo/bar repository e.g. commit pending changes made by translators for all languages.

自动分配组

On the bottom of the Group editing page in the Django admin interface, you can specify Automatic group assignments, which is a list of regular expressions used to automatically assign newly created users to a group based on their e-mail addresses. This assignment only happens upon account creation.

The most common use-case for the feature is to assign all new users to some default group. In order to do so, you will probably want to keep the default value (^.*$) in the regular expression field. Another use-case for this option might be to give some additional privileges to employees of your company by default. Assuming all of them use corporate e-mail addresses on your domain, this can be accomplished with an expression like ^.*@mycompany.com.

注解

从一个 Weblate 版本升级到另一个版本时z总是会重新创建对 UsersViewers 的用户组分配。如果你想关闭它,将正则表达式设置为 ``^$``(不匹配任何内容)。

注解

As for now, there is no way to bulk-add already existing users to some group via the user interface. For that, you may resort to using the REST API.

默认群组和角色

After installation, a default set of groups is created (see 群组列表).

这些角色和组是在安装时创建的。 升级时,内置角色始终通过数据库迁移保持最新状态。你实际上无法更改它们,如果要定义自己的权限集,请定义一个新角色。

特权列表

账单(请参见 账单

查看账单信息[Administration, Billing]

修改

下载更改[Administration]

注释

发表注释[Administration, Edit source, Power user, Review strings, Translate]

删除注释[Administration]

组件

编辑组件设置[Administration]

锁定组件,防止翻译 [Administration]

词汇表

添加词汇表入口[Administration, Manage glossary, Power user]

编辑词汇表入口[Administration, Manage glossary, Power user]

删除词汇表入口[Administration, Manage glossary, Power user]

上传词汇表入口[Administration, Manage glossary, Power user]

自动建议

使用自动建议 [Administration, Edit source, Power user, Review strings, Translate]

翻译记忆库

编辑翻译记忆库 [Administration, Manage languages]

删除翻译记忆库 [Administration, Manage languages]

项目

编辑项目设置[Administration]

更改项目访问权限[Administration]

报告

下载报告[Administration]

截图

添加截屏[Administration, Manage screenshots]

编辑截屏[Administration, Manage screenshots]

删除截屏[Administration, Manage screenshots]

源字符串

编辑附加的字符串信息 [Administration, Edit source]

字符串

添加新字符串 [Administration]

移除一条字符串 [Administration]

忽略失败的检查 [Administration, Edit source, Power user, Review strings, Translate]

编辑字符串 [Administration, Edit source, Power user, Review strings, Translate]

复查字符串[Administration, Review strings]

当建议被强制执行时编辑字符串 [Administration, Review strings]

编辑源字符串[Administration, Edit source, Power user]

建议

接受建议 [Administration, Edit source, Power user, Review strings, Translate]

添加建议 [Administration, Edit source, Add suggestion, Power user, Review strings, Translate]

删除建议 [Administration, Power user]

为建议投票 [Administration, Edit source, Power user, Review strings, Translate]

翻译

添加翻译语言 [Administration, Power user, Manage languages]

执行自动翻译[Administration, Manage languages]

删除现有翻译 [Administration, Manage languages]

添加几种语言进行翻译 [Administration, Manage languages]

上传

定义所上传翻译的作者 [Administration]

使用上传的内容覆盖现有的字符串[Administration, Edit source, Power user, Review strings, Translate]

上传翻译 [Administration, Edit source, Power user, Review strings, Translate]

版本控制系统(VCS )

访问内部仓库 [Administration, Access repository, Power user, Manage repository]

将更改提交到内部代码库[Administration, Manage repository]

从内部存储库推送更改 [Administration, Manage repository]

重置内部代码库的更改 [Administration, Manage repository]

查看上游仓库位置 [Administration, Access repository, Power user, Manage repository]

更新内部代码库[Administration, Manage repository]

全网站范围的特权

使用管理界面

添加新项目

添加语言定义

管理语言定义

管理群组

管理用户

管理角色

管理公告

管理翻译记忆库

管理组件列表

注解

站点范围的特权不会被授予任何默认角色。它们功能强大,非常接近超级用户的地位。它们中的大多数都会影响到你的 Weblate 安装中的所有项目。

群组列表

下面的群组在安装时建立(或在执行 setupgroups 后), 您可以自由修改它们。但是,如果它们被删除或重命名,迁移后将重新创建这些名称。

访客

定义非授权用户的权限。

这个群组只包括匿名用户(请参见 ANONYMOUS_USER_NAME )。

你可以从群组中去掉角色,来限制非授权用户的权限。

默认角色: Add suggestion, Access repository

Viewers

这一角色确保公开项目对所有用户可见。默认情况下,所有用户都是该组的成员。

By default, automatic group assignment makes all new accounts members of this group when they join.

默认角色:无

用户

所有用户的默认群组。

By default, automatic group assignment makes all new accounts members of this group when they join.

默认角色: Power user

校对

复核员的群组(参见 翻译工作流 )。

默认角色: Review strings

管理人员

管理员的群组。

默认角色: Administration

警告

决不要移除预先定义的 Weblate 群组和用户,因为这会这可能会导致意想不到的问题!如果你不需要他们,你可以删除他们的所有特权。

额外访问限制

If you want to use your Weblate installation in a less public manner, i.e. allow new users on an invitational basis only, it can be done by configuring Weblate in such a way that only known users have an access to it. In order to do so, you can set REGISTRATION_OPEN to False to prevent registrations of any new users, and set REQUIRE_LOGIN to /.* to require logging-in to access all the site pages. This is basically the way to lock your Weblate installation.

提示

You can use built-in invitations to add new users.