
Before using the jAcl2 API and its db driver, you have to set up a database and fill it with the elements that make up rights.

Use the dedicated command line scripts to create and store those elements.

Database creation

The jAcl2.db driver requires a database to work. You have to create it with the needed tables and set up a connection profile.

Connection configuration

See the documentation about jDb setup.

If the jAcl2 tables are not located in your default db profile, you should set up a profile pointing to them and give its name in jacl_profile. An example dbprofils.ini.php:



default = foo
jacl_profile= acl2

[foo]
driver="mysql"
database="jelix"
host= "localhost"
user= "jelix"
password= "jelix"
persistent= on
force_encoding=true

[acl2]
driver="mysql"
database="rights"
host= "localhost"
user= "jelix"
password= "xilej"
persistent= on
force_encoding=true

jAcl2.db tables

In the install folder of the jelix core module (lib/jelix/core-modules/jelix/install/sql/), you'll find an SQL script that sets up all the tables used by jAcl2.db: install_jacl2.schema.mysql.sql.

After executing this script, you'll end up with this list of tables:

  • jacl2_group
  • jacl2_user_group
  • jacl2_subject
  • jacl2_rights

Once created, you can start configuring rights.

Preparation

Configuration is done through command line scripts. Open a terminal window and change directory to lib/jelix-scripts.


$  cd lib/jelix-scripts/        # under linux
$  cd lib\jelix-scripts\        # under windows

(Note: $ is the command prompt.)

Set the JELIX_APP_NAME environment variable to your application name.


$  export JELIX_APP_NAME="myapp"        # under linux
$  set JELIX_APP_NAME=myapp             # under windows

You can now execute the jelix.php script. Remember to invoke it through php, like this:


$  php jelix.php a_command argument argument argument...

Under linux, the shell supports a shorter form of invocation:


$  ./jelix a_command argument argument argument...

Now on to the actual jAcl2.db configuration, with its two dedicated commands: acl2group and acl2right. Each one takes a subcommand, followed by that subcommand's parameters.

Subjects creation

In jAcl2, you define subjects, each of which symbolizes a right value or, concretely, an operation.

Imagine a CMS where you want to define rights about articles. You could define right subjects for READ, LIST, CREATE, DELETE, UPDATE. Concretely :

  • "cms.articles.read",
  • "cms.articles.list",
  • "cms.articles.create",
  • "cms.articles.delete",
  • "cms.articles.update"

Let's start by listing the already existing subjects:


$ php jelix.php acl2right subject_list

You should start with an empty list:


----Liste des sujets

id			label key
--------------------------------------------------------

A subject record is an identifier/label key pair. Label keys should be existing locale key identifiers.

Let's create your subjects:


$ php jelix.php acl2right subject_create "cms.articles.create" "cms~acl2.articles.create"
$ php jelix.php acl2right subject_create "cms.articles.update" "cms~acl2.articles.update"
$ php jelix.php acl2right subject_create "cms.articles.delete" "cms~acl2.articles.delete"
$ php jelix.php acl2right subject_create "cms.articles.list" "cms~acl2.articles.list"
$ php jelix.php acl2right subject_create "cms.articles.read" "cms~acl2.articles.read"

If you don't use jAcl2 in a module, then the locale key selector is not required: just put any string of your own.

After execution, you get :


----Subject creation

OK

The OK message is always echoed when an Acl2 command succeeds. Let's list the subjects again:


$ php jelix.php acl2right subject_list
----Subject list

id			label key
--------------------------------------------------------
cms.articles.create	cms~acl2.articles.create
cms.articles.delete	cms~acl2.articles.delete
cms.articles.list	cms~acl2.articles.list
cms.articles.read	cms~acl2.articles.read
cms.articles.update	cms~acl2.articles.update

You can delete a subject with the following command:


$ php jelix.php acl2right subject_delete  <subject id>

Subject table

  • jacl2_subject contains all the subject information

User group creation

A jAcl2.db right is a combination of a subject and a user group, so you have to create user groups. Use the acl2group command.

Let's create a writers group for our users.


$ php jelix.php acl2group  create "writers"

The OK message is echoed, followed by the new group id (1 here):


----Group creation

OK. Group id is: 1

Let's create a second group and make it the default one with -defaultgroup, i.e. every new user will be added to this group.


$ php jelix.php acl2group -defaultgroup create "readers"

You can now list your groups with list :


$ php jelix.php acl2group  list
----User group list

id      label name              default
--------------------------------------------------------
2       readers                 yes
1       writers

You can switch the "default" group with the setdefault command:


$ php jelix.php acl2group setdefault 1 true
or
$ php jelix.php acl2group setdefault 1 false

Or change a group name with changename:


$ php jelix.php acl2group changename 1 "authors"

Or delete a group with delete :


$ php jelix.php acl2group delete 1

Group tables

  • jacl2_group

Managing users into groups

Groups are meant to contain users. Before adding a user to a group, you have to declare him:


$ php jelix.php acl2group createuser laurent

Note that this doesn't create the user in jAuth, only in jAcl2. A private group is created.

Then you can add him to a group. Use the "adduser" subcommand and indicate the number of the group or its name.


$ php jelix.php acl2group adduser readers laurent

To remove a user from a group:


$ php jelix.php acl2group removeuser readers laurent

To see the list of users of a group:


$ php jelix.php acl2group userslist readers

To see the list of all users:


$ php jelix.php acl2group alluserslist

Table

  • jacl2_user_group

Rights creation

You now have all the elements needed to create a right. Let's go and execute the acl2right command.

You want to give readers the right to read and list articles. Let's associate cms.articles.list and cms.articles.read with the readers group, whose id is 2:


$ php jelix.php acl2right add  2 "cms.articles.list"
$ php jelix.php acl2right add  2 "cms.articles.read"

Check the rights list with the list subcommand:


$ php jelix.php acl2right list
----Rights list

group	subject		resource
---------------------------------------------------------------
- anonymous group

- group readers (2)
	cms.articles.list
	cms.articles.read
		

Now, you want to deal with writers and give them all rights on cms.articles.


$ php jelix.php acl2right add  1 "cms.articles.list"
$ php jelix.php acl2right add  1 "cms.articles.read"
$ php jelix.php acl2right add  1 "cms.articles.create"
$ php jelix.php acl2right add  1 "cms.articles.delete"
$ php jelix.php acl2right add  1 "cms.articles.update"

Again, let's list all rights:


$ php jelix.php acl2right list
----Rights list

group   subject value           resource
---------------------------------------------------------------
- group readers (2)
	cms.articles.list
	cms.articles.read
- group writers (1)
	cms.articles.create
	cms.articles.delete
	cms.articles.list
	cms.articles.read
	cms.articles.update

However, in your CMS you have an "opinions" article which you want your readers to edit. You should add the right to update this specific article to the readers group. Let's create a right on the resource "opinions" with the add subcommand:


$ php jelix.php acl2right add  2 "cms.articles.update" "opinions"

Check the rights list:


$ php jelix.php acl2right list
----Rights list

group   subject value           resource
---------------------------------------------------------------
- group readers (2)
	cms.articles.list
	cms.articles.read
	cms.articles.update     opinions

- group writers (1)
	cms.articles.create
	cms.articles.delete
	cms.articles.list
	cms.articles.read
	cms.articles.update

You can also remove a right by passing a user group and a subject, as when creating one (and optionally a resource if one is involved).

Say you change your mind over the "opinions" article, because there is too much crap ;-) :


$ php jelix.php acl2right remove  2 "cms.articles.update" "opinions"

Once all rights are in place, your application is able to work according to your rights rules.
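
To confirm that the rights stored in the database still match what you intended (for instance, that the "opinions" right really was removed), the listing can be parsed and compared against an allow-list. This is an added example, not part of Jelix: the function names, the `group_id|subject|resource` line format and the sample listing are assumptions constructed from the output format shown above.

```shell
#!/bin/sh
# Added example: audit `acl2right list` output against an intended policy.

# Print one "group_id|subject|resource" line per grant read from stdin
# (resource is "-" when the right is not tied to a resource).
parse_rights() {
    awk '
        /^- anonymous group/ { gid = "anonymous"; next }
        /^- group / { gid = $NF; gsub(/[()]/, "", gid); next }  # "(2)" -> 2
        /^[ \t]+[^ \t]/ && gid != "" { print gid "|" $1 "|" (NF >= 2 ? $2 : "-") }
    ' | sort
}

# Intended grants once the "opinions" right has been removed again.
expected_policy() {
    for s in list read; do echo "2|cms.articles.$s|-"; done
    for s in create delete list read update; do echo "1|cms.articles.$s|-"; done
}

# Print every grant found on stdin that the policy does not allow.
unexpected_grants() {
    policy=$(mktemp) || return 1
    expected_policy > "$policy"
    rc=0
    parse_rights | grep -Fxv -f "$policy" || rc=$?
    rm -f "$policy"
    [ "$rc" -le 1 ]   # grep exits 1 when nothing is unexpected
}

# Constructed listing in the format shown on this page (tab-indented grants).
sample_listing() {
    printf '%s\n' '----Rights list' '' \
        'group   subject value           resource' \
        '---------------------------------------------------------------' \
        '- anonymous group' '' '- group readers (2)'
    printf '\t%s\n' cms.articles.list cms.articles.read
    printf '\t%s\t%s\n' cms.articles.update opinions
    printf '%s\n' '' '- group writers (1)'
    printf '\t%s\n' cms.articles.create cms.articles.delete \
        cms.articles.list cms.articles.read cms.articles.update
}

sample_listing | unexpected_grants
```

Against a real application, pipe the live listing in instead of the sample: `php jelix.php acl2right list | unexpected_grants`. Any line it prints is a grant that exists in the database but not in the intended policy.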

Rights table

  • jacl2_rights