Intro
Limitations are crucial building blocks of the permissions system in eZ Platform. They provide the restrictions you can apply to a given access right to limit the right according to certain conditions.
Limitations consist of two parts:
Limitation
(Value)LimitationType
Certain limitations also serve as RoleLimitations, which means they can be used to limit the rights of a Role assignment. Currently this covers Subtree and Section limitations.
Limitation represents the value, while LimitationType deals with the business logic surrounding how it actually works and is enforced.
LimitationTypes have two modes of operation with regard to permission logic (see the eZ\Publish\SPI\Limitation\Type interface for more info):
Method | Use |
---|---|
evaluate | Evaluates whether the user has access to a given object in a certain context (for instance, the context can be Locations when the object is Content), under the condition of the Limitation value(s). |
getCriterion | Generates a Criterion from the Limitation value and the current user, which SearchService by default applies to search criteria to filter search results based on permissions. |
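An added example, not eZ Platform code: a simplified PHP model of a Section limitation that shows both modes side by side and checks that they select the same content. The class name, the array shapes and the search() helper are assumptions made for illustration and do not implement the eZ\Publish\SPI\Limitation\Type interface.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a LimitationType (assumption, not eZ Platform's class).
final class SectionLimitationModel
{
    /** @var int[] Section ids carried by the Limitation value */
    private array $allowed;

    public function __construct(array $allowed)
    {
        $this->allowed = $allowed;
    }

    // Mode 1: decide access for one already-loaded object.
    public function evaluate(array $content): bool
    {
        return in_array($content['sectionId'], $this->allowed, true);
    }

    // Mode 2: express the same rule as a filter the search layer can apply.
    public function getCriterion(): array
    {
        return ['field' => 'sectionId', 'in' => $this->allowed];
    }
}

// Toy search backend that applies a criterion to constructed sample data.
function search(array $items, array $criterion): array
{
    return array_values(array_filter(
        $items,
        fn (array $c): bool => in_array($c[$criterion['field']], $criterion['in'], true)
    ));
}

// Constructed sample content, not taken from a real repository.
$items = [['id' => 51, 'sectionId' => 1], ['id' => 52, 'sectionId' => 2], ['id' => 53, 'sectionId' => 6]];
$limitation = new SectionLimitationModel([1, 6]);

// Search path: the permission criterion is part of the query.
$viaSearch = array_column(search($items, $limitation->getCriterion()), 'id');
// Load path: every object is checked individually.
$viaEvaluate = array_column(array_values(array_filter($items, [$limitation, 'evaluate'])), 'id');

// The two modes must agree; otherwise search exposes or hides content that a direct check would not.
if ($viaSearch !== $viaEvaluate) {
    throw new RuntimeException('evaluate() and getCriterion() disagree');
}
echo implode(',', $viaSearch), PHP_EOL;
```
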
List of Limitations
Limitation | Description |
---|---|
BlockingLimitation | Generic limitation that always tells the permissions system that the user has no access, causing it to continue to the next policy. |
Limits content access depending on its Content Type. | |
Limits content access depending on its Language. | |
Limits content access depending on its Location. | |
NewObjectStateLimitation | Limits content ObjectState assignment access depending on new state. |
Limits content Section assignment access depending on new Section. | |
Limits content access depending on its ObjectStates. | |
Limits content access depending on its owner; access is only granted to the owner of the content. | |
Limits content (create) access depending on parent location Content Type; access is only granted if the parent is of this type of content. | |
Limits content (create) access depending on parent location depth; access is only granted if the parent is at a given depth of the tree structure. | |
Limits content (create) access depending on parent location content owner; access is only granted to the owner of the Content item's parent. | |
Limits content (create) access depending on parent location content owner's User group; access is only granted to a User in the same User group as owner of the Content item's parent. | |
Limits content access depending on its Section. | |
Limits access to an action depending on siteaccess, typically used for user/login. | |
Limits content access depending on its subtree. | |
UserGroupLimitation | Limits content access depending on its owner's User group; access is only granted to a User in the same User group as the owner. |