Using ACLsG2

From GeeklogWiki

About ACLs

In the context of Geeklog 2.x, Access control lists (ACLs) are a security concept used to enforce access restrictions on items (articles, links, etc.). The ACLs are maintained as a database table linking users and groups to different levels of access.

It is important that the set of (user/group, item) pairs is unique. That is, for each item's ACL a user or group can only appear once.

Geeklog 2.x Access Levels

The full set of user access levels is listed below:

  • LIST - Access to have the item appear as part of a list of items, but not to view the item's content.
  • READ - Access to view the content of the item
  • EDIT - Access to edit the content of an item
  • MODATTR - Access to modify attributes of the item (such as expiration)
  • DELETE - Access to delete the item
  • LOCK - Access to enable/disable the item `is this needed?`
  • ADMIN - Access to set the ACL for the item

Common combinations of these access rights are:

  • Viewer: LIST & READ
  • Editor: Viewer & EDIT & MODIFY_ATTRIBUTES & DELETE
  • Administrator: Editor & LOCK & ADMIN

Using ACLs

Checking for Permissions against ACLs

To check whether a user has a certain level of access to the current item, use the Gl2User class method hasAccess(). For instance, to check whether the user $user has READ access to $item, do the following:

if ($user->hasAccess($item, READ)) {
    // has read access
} else {
    // does not have read access
}

You can also check to see if a user has several different access levels to an item:

if ($user->hasAccess($item, READ|EDIT)) {
    // has read and edit access
} else {
    // does not have read and edit access
}

To get an integer representing all the access rights that the user $user has on item $item, do the following:

// $rights will be a bit field containing the access rights of $user on $item
$rights = $user->getAccess($item);
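As an added illustration (not Geeklog's own code) of what the bit field returned by getAccess() means and how hasAccess() interprets a combined mask such as READ|EDIT, the following PHP models the ACL table in memory. The bit values assigned to LIST, READ, etc. are assumptions (Geeklog 2.x defines the real constants; the page does not give their values), and so is the rule that a user's effective rights are the union of the user's own ACL row and the rows of the groups the user belongs to.

```php
<?php
// Added example, not Geeklog's code. The bit values are assumptions chosen so
// that each access level occupies its own bit and levels combine with "|".
final class AclBits
{
    const LIST    = 1;
    const READ    = 2;
    const EDIT    = 4;
    const MODATTR = 8;
    const DELETE  = 16;
    const LOCK    = 32;
    const ADMIN   = 64;

    // The common role bundles from the page, expressed as masks.
    const VIEWER        = self::LIST | self::READ;
    const EDITOR        = self::VIEWER | self::EDIT | self::MODATTR | self::DELETE;
    const ADMINISTRATOR = self::EDITOR | self::LOCK | self::ADMIN;
}

/**
 * Effective rights of a user on an item: the union of the user's own ACL row
 * and the rows of every group the user belongs to (assumption about how
 * Gl2User::getAccess() combines user and group entries).
 *
 * $aclRows is a constructed stand-in for the ACL table; each row is
 * ['item_id' => int, 'user_id' => ?int, 'group_id' => ?int, 'rights' => int].
 */
function effectiveRights(array $aclRows, int $userId, array $groupIds, int $itemId): int
{
    $rights = 0;
    $seen = [];
    foreach ($aclRows as $row) {
        if ($row['item_id'] !== $itemId) {
            continue;
        }
        $subject = $row['user_id'] !== null ? 'u' . $row['user_id'] : 'g' . $row['group_id'];
        // A (user/group, item) pair may appear only once; a duplicate means the
        // table is inconsistent, not that two grants should be merged silently.
        if (isset($seen[$subject])) {
            throw new RuntimeException("duplicate ACL row for $subject on item $itemId");
        }
        $seen[$subject] = true;

        $matchesUser  = $row['user_id'] !== null && $row['user_id'] === $userId;
        $matchesGroup = $row['group_id'] !== null && in_array($row['group_id'], $groupIds, true);
        if ($matchesUser || $matchesGroup) {
            $rights |= $row['rights'];
        }
    }
    return $rights;
}

// hasAccess($item, READ|EDIT) is satisfied only when every bit of the mask is
// set, so the test is "== $mask", never "!= 0" (which would accept READ alone).
function hasRights(int $rights, int $mask): bool
{
    return ($rights & $mask) === $mask;
}

// Constructed sample data: user 7 has a personal Viewer row on item 42 and
// belongs to group 3, which holds the Editor bundle on the same item.
$acl = [
    ['item_id' => 42, 'user_id' => 7,    'group_id' => null, 'rights' => AclBits::VIEWER],
    ['item_id' => 42, 'user_id' => null, 'group_id' => 3,    'rights' => AclBits::EDITOR],
    ['item_id' => 43, 'user_id' => 7,    'group_id' => null, 'rights' => AclBits::ADMINISTRATOR],
];

$rights = effectiveRights($acl, 7, [3], 42);
var_dump(hasRights($rights, AclBits::READ));                          // via the user's own row
var_dump(hasRights($rights, AclBits::READ | AclBits::EDIT));          // EDIT comes from group 3
var_dump(hasRights($rights, AclBits::ADMIN));                         // not granted on item 42
var_dump(hasRights(effectiveRights($acl, 7, [], 42), AclBits::EDIT)); // without the group
```

The last call shows why group membership has to be part of the lookup: the same user loses EDIT on the same item as soon as group 3 is left out of the query, which is exactly the mistake a hand-written check that only consults the user row would make.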

Adding Permissions to an Item

The basic idea in adding an access control set to an item is:

  1. Create a Gl2ItemAcl object.
  2. Set the User or Group that should have the access.
  3. Set the Access level the User or Group should have.
  4. Set which Item the Gl2ItemAcl should be associated with.
  5. Save the Gl2ItemAcl object.

In code (assuming adding READ access for user $user to item $item):

$acl = new Gl2ItemAcl;
$acl->setGl2User($user);
$acl->setRights(READ);
$acl->setGl2Item($item);
$acl->save();              // Don't forget to save!!!

Removing Permissions from an Item

The basic idea to removing an access control set from an item is:

  1. Determine what acl set you want to remove.
  2. Delete based on that criteria.

In code (assuming removing access for user $user from item $item):

$crit = new Criteria;
$crit->add(Gl2ItemAclPeer::ITEM_ID, $item->getItemId());   // getItemId() is a method call, so the parentheses are required
$crit->add(Gl2ItemAclPeer::USER_ID, $user->getUserId());
Gl2ItemAclPeer::doDelete($crit);

Modifying Permissions of an Item

The basic idea for modifying an existing access control set of an item is:

  1. Determine what acl set you want to modify.
  2. Get a Gl2ItemAcl object based on that criteria.
  3. Set the new access level you want.
  4. Save the object.

In code, to set the access level of user $user on item $item to READ:

$crit = new Criteria;
$crit->add(Gl2ItemAclPeer::ITEM_ID, $item->getItemId());
$crit->add(Gl2ItemAclPeer::USER_ID, $user->getUserId());
$acl = Gl2ItemAclPeer::doSelectOne($crit);
$acl->setRights(READ);
$acl->save();

In code, to add READ access (and leave other existing rights as they are) for user $user on item $item:

$crit = new Criteria;
$crit->add(Gl2ItemAclPeer::ITEM_ID, $item->getItemId());
$crit->add(Gl2ItemAclPeer::USER_ID, $user->getUserId());
$acl = Gl2ItemAclPeer::doSelectOne($crit);
$acl->setRights($acl->getRights() | READ);
$acl->save();

In code, to remove READ access (and leave other existing rights as they are) for user $user on item $item:

$crit = new Criteria;
$crit->add(Gl2ItemAclPeer::ITEM_ID, $item->getItemId());
$crit->add(Gl2ItemAclPeer::USER_ID, $user->getUserId());
$acl = Gl2ItemAclPeer::doSelectOne($crit);
$acl->setRights($acl->getRights() & (~READ));
$acl->save();
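The "Adding", "Removing" and "Modifying" recipes above each assume you already know whether an ACL row exists for the (user, item) pair. Because that pair must be unique, creating a second Gl2ItemAcl for a user who already has one corrupts the ACL. The helpers below, an added example built on the page's API rather than Geeklog's own code, fold the three recipes into a grant and a revoke that first look for the existing row. They assume the Gl2ItemAcl, Gl2ItemAclPeer and Criteria methods exist exactly as shown on this page and that READ, EDIT, MODATTR and DELETE are the page's access constants.

```php
<?php
// Added example, not Geeklog's code. Relies only on the calls shown on the
// page: Criteria, Gl2ItemAclPeer::ITEM_ID/USER_ID, doSelectOne, doDelete,
// Gl2ItemAcl::setGl2User/setGl2Item/setRights/getRights/save.

/**
 * Fetch the single ACL row for ($user, $item), or null if there is none.
 * A user may appear only once in an item's ACL, so doSelectOne() cannot
 * miss a second row.
 */
function findUserAcl($user, $item)
{
    $crit = new Criteria;
    $crit->add(Gl2ItemAclPeer::ITEM_ID, $item->getItemId());
    $crit->add(Gl2ItemAclPeer::USER_ID, $user->getUserId());
    return Gl2ItemAclPeer::doSelectOne($crit);
}

/**
 * Grant the bits in $mask without disturbing other rights. A fresh
 * Gl2ItemAcl is created only when no row exists yet; otherwise the existing
 * row is updated, which keeps the (user, item) pair unique.
 */
function grantRights($user, $item, $mask)
{
    $acl = findUserAcl($user, $item);
    if ($acl === null) {
        $acl = new Gl2ItemAcl;
        $acl->setGl2User($user);
        $acl->setGl2Item($item);
        $acl->setRights(0);
    }
    $acl->setRights($acl->getRights() | $mask);
    $acl->save();              // Don't forget to save!!!
    return $acl;
}

/**
 * Remove the bits in $mask. When no rights remain the row is deleted, so the
 * ACL does not accumulate empty entries (a design choice of this example,
 * not something the page prescribes).
 */
function revokeRights($user, $item, $mask)
{
    $acl = findUserAcl($user, $item);
    if ($acl === null) {
        return;                // nothing to revoke
    }
    $remaining = $acl->getRights() & (~$mask);
    if ($remaining === 0) {
        $crit = new Criteria;
        $crit->add(Gl2ItemAclPeer::ITEM_ID, $item->getItemId());
        $crit->add(Gl2ItemAclPeer::USER_ID, $user->getUserId());
        Gl2ItemAclPeer::doDelete($crit);
        return;
    }
    $acl->setRights($remaining);
    $acl->save();
}

// Usage: give $user the Editor rights on $item, then take DELETE away again.
grantRights($user, $item, READ | EDIT | MODATTR | DELETE);
revokeRights($user, $item, DELETE);
```

Both helpers are idempotent: granting a bit the user already holds, or revoking one they never had, leaves the row unchanged, which makes them safe to call from code paths that cannot know the current state.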

Selecting Multiple Items Based on Permissions

In order to select multiple items based on the available permissions you must join the item table to the ACL table. You then want to select all the unique items that have the specified access level for the current user or the groups that user belongs to.
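One way to write that join, as an added example that is not Geeklog's own code: the table and column names (gl2_item, gl2_item_acl, item_id, user_id, group_id, rights, title) are assumptions standing in for the real Geeklog 2.x schema, $pdo is assumed to be a connected PDO handle, and $groupIdsOfUser an array of the current user's group ids. It goes slightly beyond the paragraph above in one respect: rights held on the same item through the user row and through a group row are combined with BIT_OR (MySQL-specific) before the mask is tested, matching the assumption that getAccess() unions user and group entries.

```php
<?php
// Added example, not Geeklog's code. Schema names are assumptions.

/**
 * Return the items on which $userId, directly or through any of $groupIds,
 * holds every bit of $mask.
 */
function selectItemsWithAccess(PDO $pdo, int $userId, array $groupIds, int $mask): array
{
    // One bound placeholder per group id; ids are never spliced into the SQL text.
    $groupPlaceholders = [];
    $params = [':user_id' => $userId, ':mask' => $mask];
    foreach (array_values($groupIds) as $i => $gid) {
        $name = ':g' . $i;
        $groupPlaceholders[] = $name;
        $params[$name] = (int) $gid;
    }
    $groupClause = $groupPlaceholders
        ? ' OR acl.group_id IN (' . implode(', ', $groupPlaceholders) . ')'
        : '';

    // Join items to their ACL rows, keep the rows that belong to the user or to
    // one of the user's groups, OR those rows' rights together per item, and
    // require the full mask: (rights & mask) = mask holds only when every
    // requested bit is present, mirroring hasAccess($item, READ|EDIT).
    $sql = 'SELECT i.item_id, i.title'
         . ' FROM gl2_item AS i'
         . ' JOIN gl2_item_acl AS acl ON acl.item_id = i.item_id'
         . ' WHERE (acl.user_id = :user_id' . $groupClause . ')'
         . ' GROUP BY i.item_id, i.title'
         . ' HAVING (BIT_OR(acl.rights) & :mask) = :mask';

    $stmt = $pdo->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: every item the current user may edit, i.e. holds both READ and EDIT on.
$editable = selectItemsWithAccess($pdo, $user->getUserId(), $groupIdsOfUser, READ | EDIT);
```

If the two occurrences of :mask are a problem for a driver that rejects a named parameter bound twice (PDO with emulated prepares accepts it; native MySQL prepares do not), bind it under two names, or wrap the mask test as `(BIT_OR(acl.rights) & :mask) - :mask2 = 0` with both names bound to the same value. Dropping the GROUP BY/HAVING in favour of `WHERE (acl.rights & :mask) = :mask` plus SELECT DISTINCT gives the per-row reading of the paragraph above, at the cost of missing items where the requested bits are split between a user row and a group row.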