
If a module has to implement access control or rights management, you have to:

  • determine which subjects you'll use.
  • optionally store them using the driver configured for jAcl2, such as an LDAP driver or a database driver like jAcl2.db
  • then, use jAcl2 static methods to check whether the current user has a given right on a given subject.

If your jAcl2 driver supports user groups, you don't have to bother with them: your driver will take care of them. Of course, a jAcl2 driver can use jAuth as its authentication system.

Configuration

The first step in using jAcl2 is to set the driver it will use.

Drivers are plugins in the jAcl2 system. They are stored in the acl2 folder of a plugins repository. A jAcl2 plugin is a class fooAcl2Driver (foo being the plugin name) implementing the jIAcl2Driver interface and located in a foo.acl2.php file. For example, the "db" driver is the class dbAcl2Driver in the db/db.acl2.php file.

To set the driver, you have two choices:

  • If it is provided by a module, like jacl2db, just install the module. If you want to use jAcl2.db, see configuration of jAcl2.db for details.
  • If only a plugin is provided, just indicate its name in an acl2 section of your application configuration:

[acl2]
driver=db

Ask a question to jAcl2

Since jAcl2 discovers the current user on its own, in 99% of cases you need only one method: jAcl2::check().

jAcl2::check

It will probably be the most used method for checking rights. It returns true or false, of course. Example:


if( jAcl2::check("cms.articles.create")){
   // current user has the right to create an article
}else{
   // current user has no right to create an article
}

If you want to check a right about a precise resource:


$article_id = "opinions";

if( jAcl2::check("cms.articles.update", $article_id)){
   // current user has the right to modify THIS article
}else{
   // current user has no right to modify THIS article
}

Automatic checking

The installer of the jacl2db module sets up a coordinator plugin for jAcl2. This plugin checks rights automatically before a controller is called.

You should have this configuration:


[coordplugins]
jacl2 = "index/jacl2.coord.ini.php"

You should also have a new file, var/config/index/jacl2.coord.ini.php. This file contains the configuration parameters for the plugin.


on_error=2
error_message="jacl2~errors.action.right.needed"
on_error_action="jelix~error:badright"

  • on_error should be equal to 1 for web service entry points (soap, jsonrpc, xmlrpc...)
  • error_message indicates the selector of the localized string containing the error message
  • on_error_action indicates the selector of the action to which the application should redirect when the check fails.

The plugin looks for these plugin parameters in your controllers: jacl2.right, jacl2.rights.and, jacl2.rights.or.

To check only one right, use jacl2.right:



   public $pluginParams = array(
        '*' => array( 'jacl2.right'=>'subject', ...)
        ...
   );

Or, to check that the current user has every right in a sequence of rights, use jacl2.rights.and:



   public $pluginParams = array(
        '*' => array( 'jacl2.rights.and'=>array('subject1', 'subject2', ...) ),
        ...
   );

Or, to check whether the current user has at least one of a sequence of rights, use jacl2.rights.or:



   public $pluginParams = array(
        '*' => array( 'jacl2.rights.or'=>array('subject1', 'subject2', ...) ),
        ...
   );

Template plugins ifacl2 and ifnotacl2

jAcl2 comes with two template plugins that are useful for conditionally generating content based on rights. Their arguments are the same as those of jAcl2::check().


  {ifacl2 "cms.articles.create"}
    <input type="button" value="create an article" />
  {else}
   <p>You cannot create an article.</p>
  {/ifacl2}

{ifnotacl2} is of course the opposite of {ifacl2}, i.e. it tests whether the user does NOT have the given right.

You can also indicate resources:


  {ifacl2 "cms.articles.update", $article_id}
    <input type="button" value="Edit article" />
  {/ifacl2}
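
{ifacl2} only decides what is rendered; a request sent directly to the action still has to be checked on the server. The controller below is an added example, not code from the Jelix documentation: it combines the coordinator plugin check with a per-article jAcl2::check(). The "cms" module, the articles controller, its action names, the "id" parameter and the cms~article_form template are assumptions.

```php
<?php
// Added example: controllers/articles.classic.php in a hypothetical "cms" module.
class articlesCtrl extends jController {

    // Subject-level right, checked by the jacl2 coordinator plugin before the
    // action runs. Keys are action method names ('*' applies to every action).
    public $pluginParams = array(
        'create' => array('jacl2.right' => 'cms.articles.create'),
    );

    // Redirect to the action configured as on_error_action for the plugin.
    protected function denied() {
        $rep = $this->getResponse('redirect');
        $rep->action = 'jelix~error:badright';
        return $rep;
    }

    // True only if an article id was sent and the current user may update it.
    protected function canUpdate($article_id) {
        return $article_id !== null && $article_id !== ''
            && jAcl2::check('cms.articles.update', $article_id);
    }

    function create() {
        // Reached only when the plugin check on cms.articles.create passed.
        $rep = $this->getResponse('html');
        $rep->bodyTpl = 'cms~article_form'; // hypothetical template
        return $rep;
    }

    function edit() {
        $article_id = $this->param('id');
        if (!$this->canUpdate($article_id)) {
            return $this->denied();
        }
        $rep = $this->getResponse('html');
        $rep->bodyTpl = 'cms~article_form';
        $rep->body->assign('article_id', $article_id); // used by {ifacl2 ..., $article_id}
        return $rep;
    }

    function save() {
        // Hiding the Edit button does not block a direct POST: check again.
        $article_id = $this->param('id');
        if (!$this->canUpdate($article_id)) {
            return $this->denied();
        }
        // Storing the submitted article is application code, outside this page.
        $rep = $this->getResponse('redirect');
        $rep->action = 'cms~articles:edit';
        $rep->params = array('id' => $article_id);
        return $rep;
    }
}
```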