Setting up permission control for a module requires just a few lines of code.

(This tutorial was originally written by QM-B in the ImpressCMS Forums.)

Adding Permissions

The first, most important step is: add the permissions to the constructor in your handler.

I'll use the article module as an example. There are three permissions to set in the handlers:

  • view permissions for articles
  • view permissions for categories
  • submit permissions for new articles for users related to a specific category.

So my first step is to tell the handlers where I need permission control.
CategoryHandler.php:

public function __construct(&$db) {
    // Arguments: database, item name, key field, identifier field, summary field, module name
    parent::__construct($db, "category", "category_id", "category_title", "category_description", "article");
    // view permission for categories
    $this->addPermission('category_grpperm', _CO_ARTICLE_CATEGORY_CATEGORY_GRPPERM, _CO_ARTICLE_CATEGORY_CATEGORY_GRPPERM_DSC);
    // submit permission for new articles in a category
    $this->addPermission('category_uplperm', _CO_ARTICLE_CATEGORY_CATEGORY_UPLPERM, _CO_ARTICLE_CATEGORY_CATEGORY_UPLPERM_DSC);
}

This initialises the permissions for the system permission handler. What does this code mean? Well, let's have a look inside:

'category_uplperm'

for example, is the permission I like to use for submit permissions. This is the name of the permission; you can call it whatever you like. Add one for the view permissions for categories and one for submit permissions for new articles (as you can see in the two lines I added to the constructor above).

The next part of the line, the first constant, is the language identifier for the field; the second constant is optional and describes the permission control.

That would be the first, most important part. Add something similar for your article handler and you're done:

$this->addPermission('article_grpperm', _CO_ARTICLE_ARTICLE_ARTICLE_GRPPERM, _CO_ARTICLE_ARTICLE_ARTICLE_GRPPERM_DSC);

Again: 'article_grpperm' is the name of the view permissions for articles, described by the two constants.
It will not be necessary to add any field into the Object table now. This will be done by IPF.

Checking for permissions 

So you have set up the permission control using three lines of code. But what now? What happens if you want to check whether the current user has access? OK, let's start in the handler; it works the same way for both handlers.

Usually you run the query through IPF and add some db criteria to select the objects you'd like to have. I often use a few more, but let's keep to one required field here: the item should be set to online and the user should have permission to view the item:

function getItems() {
    $criteria = new icms_db_criteria_Compo();
    // only items that are set online
    $criteria->add(new icms_db_criteria_Item("item_online", TRUE));
    // restrict the result to objects the current user may view
    $this->setGrantedObjectsCriteria($criteria, "article_grpperm");
    $items = $this->getObjects($criteria, TRUE);
    return $items;
}

OK, this is quite a simple query, but it is enough to explain the permission handling.
The first criterion is just the field you have defined to set an item online or offline. The next line handles the permissions.

$this->setGrantedObjectsCriteria($criteria, "article_grpperm");

The function is in your IPF handler. The first argument is your criteria object, whatever you have called it. The second argument is the permission defined in your constructor above. That's it. IPF will fetch only objects that the current user/guest is allowed to access.

That's it. Add this line to every query where objects need to be fetched for a specific group (search function etc.). There is one function you will need to add to the object, too, to make sure that the current user has permission for the requested object. Anyone could forward a link to an object that has restrictions, or someone could have bookmarked an object that has since been deactivated or had its permissions changed.

So, add the function accessGranted() to your Object.

Add here the lines below:

$gperm_handler = icms::handler('icms_member_groupperm');
$groups = is_object(icms::$user) ? icms::$user->getGroups() : array(ICMS_GROUP_ANONYMOUS);
$viewperm = $gperm_handler->checkRight('article_grpperm', $this->id(), $groups, icms::$module->getVar("mid"));

First let me explain what's going on:
In the first part of the code I'm just getting the group permission handler. The third line checks the access permission. Its first argument is, again, the permission control you defined in the constructor. The second argument is the id of the current object. $groups holds the groups of the current user; if there are no groups, it's anonymous. The last argument is the current module id. If you need this function from a block, make sure to determine your module id another way.

That's it. Add your additional requirements for object access, e.g. if the current item is set to online. The check to finish the function would be:

// $requirements stands for your own additional checks
return ($viewperm && $requirements);

That's it. You're done in the Object, too. Your view permissions are ready to go. To check submit permissions, add a similar function userCanSubmit() that uses something like the $viewperm check in the code above, and you're done. In the category, just replace the permission name with category_uplperm, or whatever you called it.

That's it! Your classes are done if you have added all of this in both the objects and the handlers, for categories and for articles. The submit permission only needs to be defined in the category, not in the article.

Frontend 

Now let's go to the frontend. Here you normally don't need to do much, except when you're calling an article or a category as a single object. In that case, check something like:


if(is_object($articleObj) && $articleObj->accessGranted() && !$articleObj->isNew()) {
...
}

If you have defined an action for the case where not all of the above is true, place it here; otherwise you'll get a blank page.
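
An added example, not code from the original tutorial or from ImpressCMS: a stand-alone PHP model of the object-level check and the frontend guard, showing the explicit denial branch for a forwarded or bookmarked link. DemoGroupPerm, DemoArticle, showArticle() and the group and module ids are constructed for the demo; only the checkRight() argument order and the permission name article_grpperm come from the text above.

```php
<?php
// Constructed model, not ImpressCMS code: DemoGroupPerm stands in for the
// icms_member_groupperm handler and keeps the checkRight() argument order.
const DEMO_GROUP_USERS = 2;      // constructed group ids for this demo
const DEMO_GROUP_ANONYMOUS = 3;
const DEMO_MID = 7;              // constructed module id

final class DemoGroupPerm {
    private $grants; // "permission:itemId:mid" => list of allowed group ids
    public function __construct(array $grants) { $this->grants = $grants; }
    public function checkRight($name, $itemId, array $groups, $mid) {
        $key = "$name:$itemId:$mid";
        $allowed = isset($this->grants[$key]) ? $this->grants[$key] : array();
        return count(array_intersect($groups, $allowed)) > 0; // no grant = denied
    }
}

final class DemoArticle {
    public $id; public $online; private $perm;
    public function __construct($id, $online, DemoGroupPerm $perm) {
        $this->id = $id; $this->online = $online; $this->perm = $perm;
    }
    // Object-level check: permission AND the extra requirement (item is online).
    public function accessGranted(array $groups) {
        $viewperm = $this->perm->checkRight('article_grpperm', $this->id, $groups, DEMO_MID);
        return $viewperm && $this->online === true;
    }
}

// Frontend guard for a single article requested by id, with an explicit
// denial branch so the visitor never ends up on a blank page.
function showArticle($articleObj, array $groups) {
    if (is_object($articleObj) && $articleObj->accessGranted($groups)) {
        return "200 article " . $articleObj->id;
    }
    return "403 no permission"; // same answer for missing, offline and denied
}

$perm = new DemoGroupPerm(array('article_grpperm:1:7' => array(DEMO_GROUP_USERS),
                                'article_grpperm:2:7' => array(DEMO_GROUP_USERS)));
$articles = array(1 => new DemoArticle(1, true, $perm), 2 => new DemoArticle(2, false, $perm));

echo showArticle($articles[1], array(DEMO_GROUP_USERS)), "\n";     // granted and online
echo showArticle($articles[1], array(DEMO_GROUP_ANONYMOUS)), "\n"; // bookmarked link, no grant
echo showArticle($articles[2], array(DEMO_GROUP_USERS)), "\n";     // granted but offline
echo showArticle(null, array(DEMO_GROUP_USERS)), "\n";             // unknown id
```

Returning the same denial for a missing, offline or restricted article avoids telling a visitor which restricted ids exist.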

Last modified on 2024/5/18 by skenow