The built-in access control mechanism of eZ Publish is based on roles and policies. A policy is a rule that grants access to a specific function or all functions of a module. The functions are assigned to the module's views and thus the access requirements for a view are controlled by the functions that are assigned to it.
The following code (taken from the eZ Publish source) shows how the function-view assignments of the "notification" module are specified in "kernel/notification/module.php".
<?php $Module = array( "name" => "eZNotification", "variable_params" => true ); $ViewList = array(); $ViewList["settings"] = array( "functions" => array( 'use' ), "script" => "settings.php", 'ui_context' => 'administration', "default_navigation_part" => 'ezmynavigationpart', "params" => array( ), 'unordered_params' => array( 'offset' => 'Offset' ) ); $ViewList["runfilter"] = array( "functions" => array( 'administrate' ), "script" => "runfilter.php", 'ui_context' => 'administration', "default_navigation_part" => 'ezsetupnavigationpart', "params" => array( ) ); $ViewList["addtonotification"] = array( "functions" => array( 'use' ), "script" => "addtonotification.php", 'ui_context' => 'administration', "default_navigation_part" => 'ezcontentnavigationpart', "params" => array( 'ContentNodeID' ) ); $FunctionList['use'] = array( ); $FunctionList['administrate'] = array( ); ?>
As the code shows, there are three views and two functions assigned to them. While the "administrate" function is assigned to the "runfilter" view, the "use" function is assigned to the "addtonotification" and "settings" views.
Multiple function assignments
A view can have several functions assigned to it. From version 3.9.3, the system makes use of logical operators ("and", "or") within the function-view assignments. The following examples show how this works.
The "tipafriend" view of the "content" module has two functions assigned. The following code is taken from "kernel/content/module.php".
$ViewList['tipafriend'] = array( 'functions' => array( 'tipafriend', 'read' ), 'default_navigation_part' => 'ezcontentnavigationpart', 'script' => 'tipafriend.php', 'params' => array( 'NodeID' ) );
The code in this example specifies that a user must be granted access to both the "tipafriend" and "read" functions in order to use the "tipafriend" view (which is a part of the "content" module). Note that there is an alternate way of specifying this, refer to the example below.
... 'functions' => array( 'tipafriend and read' ), ...
Also, note that the "and" operator can be either "and" or "&&".
The "list" view of the "section" module has three functions assigned. The following code is taken from "kernel/section/module.php".
$ViewList['list'] = array( 'functions' => array( 'view or edit or assign' ), 'script' => 'list.php', 'default_navigation_part' => 'ezsetupnavigationpart', "unordered_params" => array( "offset" => "Offset" ), 'params' => array( ) );
The code above specifies that a user must be granted access to either the "view" or the "edit" or the "assign" function in order to use the "list" view (which is a part of the "section" module). Note that that the "or" operator can be either "or" or "||".
Some modules do not have functions (for example, this is true for the "search" and "collaboration" modules). If this is the case, granting users access to that module means that the users have access to all of the module's views.
But in cases where a module has both views with functions assigned as well as views without functions assigned, only users with access to the entire module will have access to the views were no functions are assigned.
Additional notes for earlier versions
In eZ Publish versions prior to 3.9.3 (except 3.8.9 and later versions of the 3.8 branch), granting access to a function of a module means that the user(s) will get access to the following:
- Views that have the function assigned.
- Views that do not have any functions assigned.
For example, in eZ Publish version 3.9.2, there are no functions assigned to the "discountgroupview" view of the "shop" module. Anonymous users that have access to the "buy" function of the "shop" module can access the "discountgroupview" view (along with other views of the "shop" module that do not have any functions assigned to them). This was changed in versions 3.10.0 beta1, 3.9.3 and 3.8.9 because of security reasons. Refer to the release announcement for more information.
In order to optimize the functionality of the access permissions when using earlier versions, it is best that modules either have views with functions assigned or views without functions assigned to them, but not both.
A policy (which grants access to a module's function) can be further restricted by function limitations. This can only be done if the function itself supports limitations. A function may support none, one or several limitations. The following code shows how the available limitations for the "diff", "hide" and "tipafriend" functions of the "content" module are specified in "kernel/content/module.php".
... $FunctionList['diff'] = array( 'Class' => $ClassID, 'Section' => $SectionID, 'Owner' => $Assigned, 'Node' => $Node, 'Subtree' => $Subtree); ... $FunctionList['hide'] = array( 'Subtree' => $Subtree ); ... $FunctionList['tipafriend'] = array(); ...
As the code shows, the "diff" function supports five limitations, the "hide" function supports one limitation and the "tipafriend" function supports no limitations. Refer to the "Access control" section of the "Concept and basics" chapter for an overview of the available function limitations.
Svitlana Shatokhina (14/09/2010 12:31 pm)
Geir Arne Waaler (28/09/2010 12:32 pm)