When you want your module to work with rights, you need to do the following while implementing it:
- Identify the subjects and values that you want to use or create.
- If needed, record these subjects and values in the rights system used by the driver that you enable in jAcl: in LDAP if you use an LDAP driver (not supplied for the moment), or in a database if you use a driver such as jAcl.db.
Then you can use the static methods of jAcl to know whether the current user has a right on a subject.
If the driver manages user groups, you do not have to specify them when you call jAcl: the driver takes care of them automatically. Note that a driver can use jAuth for authentication.
===== Configuration =====
First of all, you must specify which driver jAcl uses. Drivers are plugins stored in an //acl// directory of a plugin repository. A jAcl plugin is a class fooAclDriver (foo being the name of the plugin) which must implement the interface jIAclDriver and is stored in a file foo.acl.php. For example, the driver "db" is stored in //db/db.acl.php// and defines the class dbAclDriver.
In the configuration of the application, you should have a section //acl//:
<code ini>
[acl]
driver=db
</code>
The //driver// option indicates the name of the driver.
===== Using jAcl =====
You have only two static methods to know: //check// and //getRight//.
==== jAcl::getRight ====
jAcl::getRight() returns all values attached to the given subject for the current user, that is, all the rights the user has on that subject.
<code php>
$list = jAcl::getRight("cms.articles");
</code>
Following the example of the section about jAcl.db, if the user is a "reader", the list will be:
<code php>
array('LIST','READ');
</code>
If he is a writer:
<code php>
array('LIST','READ', 'CREATE','UPDATE','DELETE');
</code>
You can indicate a resource, for example "opinions":
<code php>
$list = jAcl::getRight("cms.articles", "opinions");
</code>
If the user is a "reader", the list will be:
<code php>
array('LIST','READ', 'UPDATE');
</code>
If he is a "writer", the list is the same as before, because all writers can modify any article, as defined in the example of jAcl.db.
<code php>
array('LIST','READ', 'CREATE','UPDATE','DELETE');
</code>
==== jAcl::check ====
This is probably the method you will use most with jAcl. It tells you whether the user has a particular right, and therefore returns true or false. Example:
<code php>
if( jAcl::check("cms.articles","CREATE")){
// here the code to execute when the user has the right to create an article
}else{
// here the code to execute when the user is not allowed to create an article
}
</code>
Of course, we can specify a resource:
<code php>
$article_id = "opinions";
if( jAcl::check("cms.articles","UPDATE", $article_id)){
// here the code to execute when the user has the right to modify the given article
}else{
// here the code to execute when the user is not allowed to modify this article
}
</code>
==== Automatic check ====
In controllers where you want to check the rights automatically, you can use the plugin jacl for the coordinator.
To do so, enable the plugin jacl in the application configuration:
<code ini>
[plugins]
jacl = jacl.coord.ini.php
</code>
Copy the file lib/jelix/plugins/coord/jacl/jacl.coord.ini.php.dist to var/config/index/jacl.coord.ini.php.
Edit this file to indicate which action to go to when the rights are insufficient, or the message to display.
Then, in your controller, put the following values in the property $pluginParams:
<code php>
public $pluginParams = array(
    // right required for all actions of the controller
    '*' => array('jacl.right' => array('subject', 'value') /* ... */),
    // ...
);
</code>
Or also, to verify several rights:
<code php>
public $pluginParams = array(
    // the user must have every right of the list
    '*' => array('jacl.rights.and' => array(
            array('subject', 'value'),
            array('subject', 'value'),
        ) /* ... */
    ),
    // ...
);
</code>
Or to verify that the user has at least one right in a list of rights:
<code php>
public $pluginParams = array(
    // the user must have at least one right of the list
    '*' => array('jacl.rights.or' => array(
            array('subject', 'value'),
            array('subject', 'value'),
            // ...
        ),
    ),
    // ...
);
</code>
==== Template plugins ifacl and ifnotacl ====
Some jTpl plugins are available to check rights inside a template, and so to display or hide parts of it. Their arguments are the same as for jAcl::check().
<code>
{ifacl "cms.articles","CREATE"}
<input type="button" value="Create an article" />
{else}
<p>You cannot create articles.</p>
{/ifacl}
</code>
ifnotacl is of course the opposite of ifacl.
Same thing with a resource:
<code>
{ifacl "cms.articles","UPDATE", $article_id}
<input type="button" value="Modify the article" />
{/ifacl}
</code>
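The ifacl and ifnotacl plugins only decide what is displayed, so the action that receives the "Modify the article" request still needs its own jAcl::check() with the resource. The following is an added example, not code from Jelix: the function handleArticleUpdate, the status codes and the id format are assumptions, and the small jAcl class is a stand-in with constructed rights so that the file runs outside the framework.

```php
<?php
// Stand-in for jAcl so this file runs outside Jelix; in an application the
// real class is used instead. The rights table is constructed sample data
// that mirrors the "reader" user of the examples above.
if (!class_exists('jAcl')) {
    class jAcl {
        // subject => resource => values; '' holds rights valid for any resource
        private static $rights = array(
            'cms.articles' => array(
                ''         => array('LIST', 'READ'),
                'opinions' => array('UPDATE'),
            ),
        );
        public static function getRight($subject, $resource = null) {
            $bySubject = isset(self::$rights[$subject]) ? self::$rights[$subject] : array();
            $list = isset($bySubject['']) ? $bySubject[''] : array();
            if ($resource !== null && $resource !== '' && isset($bySubject[$resource])) {
                $list = array_merge($list, $bySubject[$resource]);
            }
            return array_values(array_unique($list));
        }
        public static function check($subject, $value, $resource = null) {
            return in_array($value, self::getRight($subject, $resource), true);
        }
    }
}

// Hypothetical handler for an "update article" request. The article id comes
// from the request, so it is validated before it is used as a resource name.
function handleArticleUpdate($articleId, $newText) {
    if (!is_string($articleId) || !preg_match('/^[a-z0-9_-]{1,64}$/', $articleId)) {
        return array(400, 'invalid article id');
    }
    // Deny by default: the write happens only when the check returns true.
    if (!jAcl::check('cms.articles', 'UPDATE', $articleId)) {
        return array(403, 'not allowed to modify this article');
    }
    // ... persist $newText for $articleId here ...
    return array(200, 'article updated');
}

// Constructed requests: one article the reader may update, one article
// without the UPDATE right, and one malformed id.
foreach (array('opinions', 'news', 'Bad Id!') as $id) {
    list($status, $message) = handleArticleUpdate($id, 'new text');
    echo $id, ' => ', $status, ' ', $message, "\n";
}
```

The $pluginParams forms shown above name only a subject and a value, so a check that depends on the article requested is made inside the action, as here.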