Update:Remora Permissions: Difference between revisions

← Older edit

Update:Remora Permissions (view source)

Revision as of 00:06, 29 April 2007

1,421 bytes added , 29 April 2007

no edit summary

Fligtar

canmove, Confirmed users, Bureaucrats and Sysops emeriti

1,043

edits

@@ Line 1: / Line 1: @@
 [[Update:Remora|&laquo; Back to Update:Remora]]
 == Backdrop ==
-We tried to use db_acl, but the implementation meant too much overhead for our relatively simple requirements.  Mainly we wanted to lock down access by group/role.  We opted to go with the [http://www.thinkingphp.org/2006/10/03/a-lightweight-approach-to-acl-the-33-lines-of-magic/ 33 lines of magic] approach which is simpler by design and was shaver's first preferred choice.  Read the blog to see why it can get the job done even if it isn't completely normalized and abstracted.
+We tried to use db_acl, but the implementation meant too much overhead for our relatively simple requirements.  Mainly we wanted to lock down access by group/role.  We opted to go with the [http://www.thinkingphp.org/2006/10/03/a-lightweight-approach-to-acl-the-33-lines-of-magic/ 33 lines of magic] approach which is simpler by design and was [http://en.wikipedia.org/wiki/Mike_Shaver shaver]'s first preferred choice.  Read the blog to see why it can get the job done even if it isn't completely normalized and abstracted.
+See also: [[Update:Admins/Groups|AMO User Groups]]
 == Permissions ==
-There are two ways to grant permissions:
-* group
-* user
-These permissions can be used together.  The resulting permissions will be the union of these.
 Formatting permissions is a matter of entering Controller:action permissions in a comma delimited list in either User.rules or Group.rules.  Examples would be:
   // Grants access to all Users and Groups controller actions.
   Users:*,Groups:*
   // Grants access to all possible controllers and actions.
   *:*
   // Grants access to only Editor actions.
   Reviewers:*
   // Grants access to only review adding.
   Reviews:add
+Our implementation deviates from the 33 lines of magic approach in two ways:
+* aclException checks
+* user->group map is a many-to-many relationship using a map table instead of a simple group_id injected into the users table
 == Using Permissions in Controllers ==
+Since ACLs are turned on from app_controller you pick up permissions for free based on Controller:action.  For example, if you're in the Images controller and you're adding an image with the add() action, SimpleAcl will just check group and user permissions for Images:add automatically and deny the user access if it fails.
+There is a way to do a manual check using the SimpleAcl component.  If you're wanting to use it for display logic or some other use that requires and explicit check, you may need to use this method:
+ // Check to see if the user has access to the entire Reviewers controller.
+ if ($this->SimpleAcl->actionAllowed('Reviewers','*')) {
+     // Do something
+ }
+ // Check to see if the user has access to ANY action in the Reviewers controller.
+ if ($this->SimpleAcl->actionAllowed('Reviewers', '%')) {
+     // Do something
+ }
+Normally this would be done in an action.  I was not able to use this in a beforeFilter, because that would access member variables and functions not yet loaded.
+* [[User:Fligtar|Fligtar]] 03:33, 30 March 2007 (PDT) If you want to use this in beforeFilter, just add this:
+        $this->SimpleAuth->startup($this);
+        $this->SimpleAcl->startup($this);
+== Disabling Permissions in Controllers ==
 SimpleAcl and SimpleAuth are instantiated in the app_controller, which means they are loaded for all controllers by default.  This means:
 * New controller actions will be locked down by default
@@ Line 39: / Line 58: @@
   }
-== Public permissions ==
+== Controller Notepad ==
 Controllers, actions and their permissions.