How do instances work in the permission system?

  • One of Zikula's strengths is the carefully designed permission system. There's a nice Wiki page for developers at
    http://community.zik…g=ZikulaPermissions
    However, after reading this page and the code for SecurityUtil I'm still fuzzy on how the instances work. I'd appreciate it if someone can shed some light.

    Components are easy to understand. Instances, according to the page referenced above, 'define access to individual objects (or data records) in your system.' Take the News module for instance. It has a securityschema definition

    Code

    $modversion['securityschema'] = array('News::' => 'Contributor ID::Article ID',
                                          'News:pictureupload:' => '::',
                                          'News:publicationdetails:' => '::');


    My understanding is that

    Code

    'News::' => 'Contributor ID::Article ID'
    defines access to individual news articles. For instance, a user should be able to edit and delete articles submitted by himself. Therefore, when determining whether a user can edit/delete an article, code like

    Code

    SecurityUtil::checkPermission('News::', "$article[cr_uid]::$article[sid]", ACCESS_EDIT)
    should be used. Such code indeed appears everywhere, for instance in smarty_function_articleadminlinks, where it is used to determine whether an edit/delete link should be displayed for the user.

    The problem, however, is that these permission checks involving instances don't seem to have an effect. A submitter can't edit/delete his own articles (not seeing the edit/delete links in the article viewing pages, of course), at least in my installation. My guess is that it's because I haven't defined the permission rules for these news article instances. How should I do this? Should I create a group for news article submitters, define specifically all the 'Contributor ID::Article ID' pairs in the instance field, and assign the appropriate permission levels? If so, wouldn't the number of instances be overwhelming if there are many submitters and each submits many articles? More seriously, the article id is unknown until the article is submitted and created. Then, to ensure every submitter can edit his articles, I would need to add a 'Contributor ID::Article ID' instance every time somebody submits an article. How can this be practical?

    My question is most likely due to my misunderstanding of the permission system. In a module I'm developing I need to control users' access to items created by themselves, and I use a custom function which checks if the item's creator id (cr_uid) is the same as the user id. It would be nice to leave this to Zikula's permission check.
  • oops, nobody cares? Still can't figure it out and frustrated.
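As an added illustration (not Zikula's own SecurityUtil, and not code from the posts above), the following PHP models how a colon-separated rule pattern such as 'Contributor ID::Article ID' could be matched against a concrete instance like "$article[cr_uid]::$article[sid]", and puts a single per-article rule next to the owner comparison the poster describes. The rule layout, the matching semantics (field by field, '.*' as a wildcard, first matching rule wins) and the numeric values of the ACCESS_* levels are assumptions of this model.

```php
<?php
// Added illustration of Zikula-style permission matching. This is NOT Zikula's
// SecurityUtil: rule storage, matching semantics (field by field, '.*' as the
// wildcard, first matching rule wins) and the level values are assumptions.

const ACCESS_NONE    = 0;
const ACCESS_READ    = 200;
const ACCESS_COMMENT = 300;
const ACCESS_EDIT    = 500;
const ACCESS_ADMIN   = 800;

// Each '::'-separated field of a pattern is either the wildcard '.*' or a
// literal that must equal the corresponding field of the value. Fields the
// pattern does not mention are treated as wildcards (assumption of this model).
function fieldsMatch(string $pattern, string $value): bool
{
    $want = explode('::', $pattern);
    $have = explode('::', $value);
    foreach ($have as $i => $field) {
        $p = $want[$i] ?? '.*';
        if ($p !== '.*' && $p !== $field) {
            return false;
        }
    }
    return true;
}

// $rules is an ordered list of ['group', 'component', 'instance', 'level'].
// The first rule whose group, component and instance all match decides.
function checkPermission(array $rules, array $groups, string $component, string $instance, int $level): bool
{
    foreach ($rules as $rule) {
        if (!in_array($rule['group'], $groups, true)) {
            continue;
        }
        if (!fieldsMatch($rule['component'], $component) || !fieldsMatch($rule['instance'], $instance)) {
            continue;
        }
        return $rule['level'] >= $level;
    }
    return false;
}

// The check from the post, combined with the creator-id comparison the poster
// does by hand: the creator may edit an article when the rules give them at
// least ACCESS_COMMENT on it; anyone else needs ACCESS_EDIT from the rules.
function canEditArticle(array $rules, int $uid, array $groups, array $article): bool
{
    $instance = $article['cr_uid'] . '::' . $article['sid'];
    if (checkPermission($rules, $groups, 'News::', $instance, ACCESS_EDIT)) {
        return true;
    }
    return $article['cr_uid'] === $uid
        && checkPermission($rules, $groups, 'News::', $instance, ACCESS_COMMENT);
}

// Constructed sample rules: administrators get everything, ordinary users may
// read and comment on any article but not edit it.
$rules = [
    ['group' => 'Administrators', 'component' => '.*',     'instance' => '.*',     'level' => ACCESS_ADMIN],
    ['group' => 'Users',          'component' => 'News::', 'instance' => '.*::.*', 'level' => ACCESS_COMMENT],
];
$article = ['sid' => 7, 'cr_uid' => 42];   // constructed: article 7, created by uid 42
$instance = "{$article['cr_uid']}::{$article['sid']}";

$show = fn(string $label, bool $ok) => printf("%-55s %s\n", $label, $ok ? 'granted' : 'denied');

// The bare rule check, as smarty_function_articleadminlinks would make it.
$show('author uid 42, rule check only (ACCESS_EDIT)', checkPermission($rules, ['Users'], 'News::', $instance, ACCESS_EDIT));
// The same check with the owner comparison added.
$show('author uid 42, canEditArticle', canEditArticle($rules, 42, ['Users'], $article));
$show('other user uid 99, canEditArticle', canEditArticle($rules, 99, ['Users'], $article));
$show('administrator uid 99, canEditArticle', canEditArticle($rules, 99, ['Administrators'], $article));

// The alternative the post considers: one literal 'Contributor ID::Article ID'
// rule per article. It grants exactly that pair and nothing else, which is why
// it does not scale and cannot be written before the article id exists.
$perArticle = array_merge(
    [['group' => 'Users', 'component' => 'News::', 'instance' => '42::7', 'level' => ACCESS_EDIT]],
    $rules
);
$show('per-article rule 42::7, instance 42::7', checkPermission($perArticle, ['Users'], 'News::', '42::7', ACCESS_EDIT));
$show('per-article rule 42::7, instance 42::8', checkPermission($perArticle, ['Users'], 'News::', '42::8', ACCESS_EDIT));
```

Run it with `php` on the command line; the last two lines show the per-article rule matching only the one pair it names, while canEditArticle gives the creator edit rights through the general '.*::.*' rule plus the cr_uid comparison.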
