Section: Using jAcl2 in modules
If a module has to implement access control or rights management, you have to:
- determine which subjects you'll use.
- optionally store them with the driver set up for jAcl2: an LDAP driver or a database driver like jAcl2.db
- then, use jAcl2 static methods to check whether the current user has a given right on a given subject.
If your jAcl2 driver supports user groups, you don't have to bother about them: your driver will take care of them. Of course, a jAcl2 driver can use jAuth as its authentication system.
Configuration ¶
First step: you must install the jacl2 module.
php cmd.php installmodule jacl2
You must also indicate the driver to use.
Drivers are plugins in the jAcl2 system. They are stored in the acl2 folder of a plugins repository. A jAcl2 plugin is a class fooAcl2Driver (foo being the plugin name) implementing the jIAcl2Driver interface and located in a foo.acl2.php file. For example, the "db" driver is the class dbAcl2Driver in the db/db.acl2.php file.
To set the driver, you have two choices:
- If it is provided by a module, like jacl2db, just install the module. If you want to use jAcl2.db, see the configuration of jAcl2.db for details.
- If a plugin is provided without a module, just indicate its name in an acl2 section in your application configuration:
[acl2]
driver=db
Since Jelix 1.6.8, there is also a "dbcache" driver, which is similar to the "db" driver (it works with jAcl2.db) but also stores rights results in a cache using jCache.
Ask a question to jAcl2 ¶
As jAcl2 discovers the current user on its own, in 99% of cases you have only one method to use: jAcl2::check().
jAcl2::check ¶
It will probably be the most used method for checking rights. It returns true or false, of course. Example:
if (jAcl2::check("cms.articles.create")) {
    // current user has the right to create an article
} else {
    // current user has no right to create an article
}
If you want to check a right on a specific resource:
$article_id = "opinions";
if (jAcl2::check("cms.articles.update", $article_id)) {
    // current user has the right to modify THIS article
} else {
    // current user has no right to modify THIS article
}
If the value of the resource is empty or equal to "-", it means "every resource". Before Jelix 1.4.1, "-" could be a resource id, but this is no longer the case.
Automatic checking ¶
The installer of the jacl2 module sets up a coordinator plugin for jAcl2. This plugin checks rights automatically before calling a controller.
You should have this configuration:
[coordplugins]
jacl2 = "1"
The plugin has its configuration in a coordplugin_jacl2 section (it was in a separate file before Jelix 1.5):
[coordplugin_jacl2]
on_error=2
error_message="jacl2~errors.action.right.needed"
on_error_action="jelix~error:badright"
- on_error should be equal to 1 for web service entry points (soap, jsonrpc, xmlrpc...)
- error_message indicates the selector of the localized string containing the error message
- on_error_action indicates the selector of the action to which the application should redirect when the check fails.
The plugin will try to retrieve these plugin parameters in your controllers: jacl2.right, jacl2.rights.and, jacl2.rights.or.
To check only one right, use jacl2.right:
public $pluginParams = array(
    '*' => array('jacl2.right' => 'subject' /* , ... */),
    // ...
);
Or, to check that the current user has every right in a sequence, use jacl2.rights.and:
public $pluginParams = array(
    '*' => array('jacl2.rights.and' => array('subject1', 'subject2' /* , ... */)),
    // ...
);
Or else, to check if the current user has any of a sequence of rights, use jacl2.rights.or:
public $pluginParams = array(
    '*' => array('jacl2.rights.or' => array('subject1', 'subject2' /* , ... */)),
    // ...
);
Template plugins ifacl2 and ifnotacl2 ¶
jAcl2 comes with two template plugins useful to conditionally generate content based on rights criteria. Their arguments are the same as those of jAcl2::check().
{ifacl2 "cms.articles.create"}
    <input type="button" value="create an article" />
{else}
    <p>You cannot create an article.</p>
{/ifacl2}
{ifnotacl2} is of course the contrary of {ifacl2}, i.e. it tests whether the user does NOT have the given right.
You can also indicate resources:
{ifacl2 "cms.articles.update", $article_id}
    <input type="button" value="Edit article" />
{/ifacl2}
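A controller that combines the automatic check with jAcl2::check() on a resource, as an added example that is not part of the Jelix documentation. The cms module, the articles controller, the template and action selectors, the cms~articles DAO and its content field are assumptions; the submitted id is refused when it is empty or "-", because jAcl2::check() reads both as "every resource".

```php
<?php
// Added example, not Jelix's own code: controllers/articles.classic.php of a
// hypothetical "cms" module. Template, DAO and field names are assumptions.
class articlesCtrl extends jController {
    // Subject-only right, enforced by the jacl2 coordinator plugin before
    // the "create" action is called.
    public $pluginParams = array(
        'create' => array('jacl2.right' => 'cms.articles.create'),
    );

    // Per-article check, to be called by every action that receives an
    // article id. An empty id or "-" means "every resource" to
    // jAcl2::check(), so such request values are refused outright.
    private function mayUpdate($id) {
        return is_string($id) && $id !== '' && $id !== '-'
            && jAcl2::check('cms.articles.update', $id);
    }

    private function badRight() {
        $rep = $this->getResponse('redirect');
        $rep->action = 'jelix~error:badright'; // same as on_error_action
        return $rep;
    }

    public function create() {
        $rep = $this->getResponse('html');
        $rep->bodyTpl = 'cms~article_create'; // hypothetical template
        return $rep;
    }

    // Hiding the edit button with {ifacl2} only changes what is displayed:
    // the write path repeats the check on the id that was submitted.
    public function save() {
        $id = $this->param('id');
        if (!$this->mayUpdate($id)) { return $this->badRight(); }
        $dao = jDao::get('cms~articles');     // hypothetical DAO
        $rec = $dao->get($id);
        if (!$rec) { return $this->badRight(); }
        $rec->content = $this->param('content', '');
        $dao->update($rec);
        $rep = $this->getResponse('redirect');
        $rep->action = 'cms~default:index';   // hypothetical landing action
        return $rep;
    }
}
```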