Re: set permissions

by skenow on 2024/5/18 11:31:37

This was added to the wiki soon after this!


Re: set permissions

by sato-san on 2012/2/9 5:50:50

Extremely useful. Thank you very much. This should go into the wiki!
Re: set permissions

by david on 2012/2/3 0:59:10

Many thanks for the input on this - I'm sure it could be useful for other developers as well.
Re: set permissions

by QM-B on 2012/2/2 8:53:59

Hi together!
Back to the permission control! Ok, I needed some time, but I'm pretty sure that I understood now the functionality of permission control. Two reasons for me to write this down: At first, I think this could be useful for others, too. The second reason is that I would like to know if one of our core programmers agrees with my way or would suggest a different method.
To set up a permission control for a module will require just a few lines of code. The first, most important step is: add the permissions to the constructor in your handler. I'll try to explain for my new article module, as an example: I have three permissions to set in my handlers: view permissions for articles, view permissions for categories and submit permissions for new articles for users related to a specific category. So my first way is to tell the handlers where I need the permission control:
CategoryHandler.php:
public function __construct(&$db) {
    parent::__construct($db, "category_id", "category_title", "category_description", "article");
    $this->addPermission('category_grpperm', _CO_ARTICLE_CATEGORY_CATEGORY_GRPPERM, _CO_ARTICLE_CATEGORY_CATEGORY_GRPPERM_DSC);
    $this->addPermission('category_uplperm', _CO_ARTICLE_CATEGORY_CATEGORY_UPLPERM, _CO_ARTICLE_CATEGORY_CATEGORY_UPLPERM_DSC);
}

This would initiate the permissions for the system permission handler. What does this code mean? Well, let's have a look inside:
'category_uplperm'

e.g. would be the permission I like to use for submit permissions. This is the name for the permission, you can call it however you like. Add one for the view permissions for categories and one for submit permissions for new articles (like you can see in the two lines I added in the constructor above). The next part in the line, the first constant, will be the language identification for the field, the second constant is optional to describe the permission control.
That would be the first, most important part. Add something similar for your article handler and you're done:
$this->addPermission('article_grpperm', _CO_ARTICLE_ARTICLE_ARTICLE_GRPPERM, _CO_ARTICLE_ARTICLE_ARTICLE_GRPPERM_DSC);

Again: 'article_grpperm' is the name of the view permissions for articles, described by the two constants.
It will not be necessary to add any field into the Object table now. This will be done by IPF. So you have set up the permission control using three lines of code. But what now? What happens if you like to check if the current user has access? Ok, let's start in the handler, it will be the same way for both handlers. Usually you will do the query using IPF and adding some db criteria, which Objects you'd like to have. Well, I'm partly using some more. Let's just have one required field: the item should be set to online and the user should have permissions to view the item:
function getItems() {
    $criteria = new icms_db_criteria_Compo();
    // only items that are set online
    $criteria->add(new icms_db_criteria_Item("item_online", TRUE));
    // only items the current user's groups may view
    $this->setGrantedObjectsCriteria($criteria, "article_grpperm");
    $items = $this->getObjects($criteria, TRUE);
    return $items;
}

Ok, this is quite a simple query, but it will be enough to explain the permission handling:
The first criteria will just be the field, which you have defined to set an item online or offline. The second line will handle the permissions.
$this->setGrantedObjectsCriteria($criteria, "article_grpperm");

The function is in your ipf handler. The first argument is your criteria, however you're calling it. The second argument is the defined permission in your constructor above. That's it. IPF will fetch only Objects, which can be called by the current user/guest.
That's it. Add this line to each query, where it's necessary to fetch objects for a special group. (search function etc.)
Well, but one function you will need to add in the Object, too. Just to get sure that the current user has permissions to the called Object. Anyone could forward a link to an Object which has restrictions or someone could have bookmarked an object, which is deactivated or had changed the permissions anytime.
So, add the function accessGranted() to your Object.
Add here the lines below:
$gperm_handler = icms::handler('icms_member_groupperm');
$groups = is_object(icms::$user) ? icms::$user->getGroups() : array(ICMS_GROUP_ANONYMOUS);
$viewperm = $gperm_handler->checkRight('article_grpperm', $this->id(), $groups, icms::$module->getVar("mid"));

At first let me explain, what's going on:
In the first part of the code I'm just defining the group permission handler. The third line will check the access permission. The first argument is the permission control you defined in the constructor, again. The second argument will call the current Object id. $groups will call the groups of the current user. If there are no groups, it's anonymous. The last argument will give the current module id. If you need this function from a block, get sure to define your module id by another way.
That's it. Add your additional requirements for object access, e.g. if the current item is set to online. The check to finish the function would be: if $viewperm && your requirements == true-> return true, else return false.
That's it. You're done now in the Object table, too. Your view permissions are ready to go. To check submit permissions add a similar function userCanSubmit() and use something like the $viewperm in the code above and you're done. Just replace in category with category_uplperm or however you called it.
That's it! Your classes are done, if you have added all similar in both objects and handler: for categories and objects. Just the submit permissions will be enough to have in category defined, not in Article.
Now let's go to the frontend. Here you normally don't need to do much. Just, if you're calling an Article or a category as a single object. Check something like:
if(is_object($articleObj) && $articleObj->accessGranted() && !$articleObj->isNew()) {

}
If you have defined an action, what to do if not all of the above, place it here, otherwise you'll get a blank page.
That's all. You'll need this twice: once for categories, another for articles and you're done in the frontend. Hopefully I didn't forget anything? Well, you have questions? Don't be shy to ask. You have suggestions to make it better? Let me know! Have fun if you like to try it
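The object-level checks described in the post above, as an added example that is not part of the original post and not ImpressCMS code. It runs stand-alone against a constructed in-memory stand-in (FakeGroupPerm) that only mirrors the checkRight() argument order shown in the post; the class names, property names, module id and group ids are assumptions made up for the demonstration.

```php
<?php
// Added example. FakeGroupPerm is a constructed stand-in, not ImpressCMS code;
// only the checkRight() argument order is taken from the post.
final class FakeGroupPerm
{
    // $grants: constructed rows of [permission name, item id, group id, module id]
    public function __construct(private array $grants) {}
    public function checkRight(string $name, int $itemId, array $groups, int $mid): bool
    {
        foreach ($this->grants as [$n, $i, $g, $m]) {
            if ($n === $name && $i === $itemId && $m === $mid && in_array($g, $groups, true)) {
                return true;
            }
        }
        return false; // no matching grant means no access
    }
}

// Hypothetical article object; the property names are assumptions.
final class Article
{
    public function __construct(public int $id, public bool $online) {}
    // Direct access by id: the group permission AND the online flag must hold.
    public function accessGranted(FakeGroupPerm $gperm, array $groups, int $mid): bool
    {
        return $this->online && $gperm->checkRight('article_grpperm', $this->id, $groups, $mid);
    }
}

// Submit permission is checked against the category, as in the post.
function userCanSubmit(FakeGroupPerm $gperm, int $categoryId, array $groups, int $mid): bool
{
    return $gperm->checkRight('category_uplperm', $categoryId, $groups, $mid);
}

const MID = 7; const ANON = 3; const REGISTERED = 2; // constructed ids
$gperm = new FakeGroupPerm([
    ['article_grpperm', 10, REGISTERED, MID],
    ['article_grpperm', 11, ANON, MID],
    ['category_uplperm', 1, REGISTERED, MID],
]);
$restricted = new Article(10, true);
$offline = new Article(11, false);

var_dump($restricted->accessGranted($gperm, [ANON], MID));       // guest following a forwarded link
var_dump($restricted->accessGranted($gperm, [REGISTERED], MID)); // member of a granted group
var_dump($offline->accessGranted($gperm, [ANON], MID));          // granted, but item is offline
var_dump($restricted->accessGranted($gperm, [REGISTERED], 1));   // wrong module id, e.g. from a block
var_dump(userCanSubmit($gperm, 1, [ANON], MID));                 // guest submitting to category 1
```

The fourth call covers the block caveat from the post: the grant exists, but the lookup uses another module's id, so the check fails closed.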
Re: set permissions

by phoenyx on 2011/11/2 9:26:48

Glad you figured it out.
For future reference: Additional checks are required (e.g. using the accessGranted function of the object).