The built-in access control mechanism of eZ Publish is based on roles and policies. A policy is a rule that grants access to a specific function or all functions of a module. The functions are assigned to the module's views and thus the access requirements for a view are controlled by the functions that are assigned to it.
The following code (taken from the eZ Publish source) shows how the function-view assignments of the "notification" module are specified in "kernel/notification/module.php".
    <?php

    $Module = array( "name" => "eZNotification",
                     "variable_params" => true );

    $ViewList = array();
    $ViewList["settings"] = array(
        "functions" => array( 'use' ),
        "script" => "settings.php",
        'ui_context' => 'administration',
        "default_navigation_part" => 'ezmynavigationpart',
        "params" => array( ),
        'unordered_params' => array( 'offset' => 'Offset' ) );

    $ViewList["runfilter"] = array(
        "functions" => array( 'administrate' ),
        "script" => "runfilter.php",
        'ui_context' => 'administration',
        "default_navigation_part" => 'ezsetupnavigationpart',
        "params" => array( ) );

    $ViewList["addtonotification"] = array(
        "functions" => array( 'use' ),
        "script" => "addtonotification.php",
        'ui_context' => 'administration',
        "default_navigation_part" => 'ezcontentnavigationpart',
        "params" => array( 'ContentNodeID' ) );

    $FunctionList['use'] = array( );
    $FunctionList['administrate'] = array( );

    ?>
As the code shows, there are three views and two functions assigned to them. While the "administrate" function is assigned to the "runfilter" view, the "use" function is assigned to the "addtonotification" and "settings" views.
A view can have several functions assigned to it. From version 3.9.3, the system makes use of logical operators ("and", "or") within the function-view assignments. The following examples show how this works.
The "tipafriend" view of the "content" module has two functions assigned. The following code is taken from "kernel/content/module.php".
    $ViewList['tipafriend'] = array(
        'functions' => array( 'tipafriend', 'read' ),
        'default_navigation_part' => 'ezcontentnavigationpart',
        'script' => 'tipafriend.php',
        'params' => array( 'NodeID' ) );
The code in this example specifies that a user must be granted access to both the "tipafriend" and "read" functions in order to use the "tipafriend" view (which is a part of the "content" module). Note that there is an alternate way of specifying this; refer to the example below.
    ...
    'functions' => array( 'tipafriend and read' ),
    ...
Also, note that the "and" operator can be either "and" or "&&".
The "list" view of the "section" module has three functions assigned. The following code is taken from "kernel/section/module.php".
    $ViewList['list'] = array(
        'functions' => array( 'view or edit or assign' ),
        'script' => 'list.php',
        'default_navigation_part' => 'ezsetupnavigationpart',
        "unordered_params" => array( "offset" => "Offset" ),
        'params' => array( ) );
The code above specifies that a user must be granted access to either the "view" or the "edit" or the "assign" function in order to use the "list" view (which is a part of the "section" module). Note that the "or" operator can be either "or" or "||".
Some modules do not have functions (for example, this is true for the "search" and "collaboration" modules). In this case, granting access to a module means that the user(s) will get access to all of its views.
If a module has both functions and views that have no functions assigned, only users that have access to the entire module will get access to the functionless views.
In eZ Publish versions prior to 3.9.3 (except 3.8.9 and later versions of the 3.8 branch), granting access to a function of a module means that the user(s) will get access to the following:
For example, in eZ Publish version 3.9.2, there are no functions assigned to the "discountgroupview" view of the "shop" module. Anonymous users that have access to the "buy" function of the "shop" module can access the "discountgroupview" view (along with other views of the "shop" module that do not have any functions assigned to them). This was changed in versions 3.9.3 and 3.8.9 for security reasons. Refer to the release announcement for more information.
Custom modules that contain functions should not have views that do not have any functions assigned to them.
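The access rules described above can be modelled in a few lines of PHP, which also gives a quick audit for custom modules. This is an added example, not code from eZ Publish: the helper names entryGranted and canAccessView, the '*' marker for a policy on the entire module, the precedence of "and" over "or" in a mixed entry, and the sample module definition are assumptions made for illustration.

```php
<?php
// Added example (PHP 7.4+), not eZ Publish code. It models the rules on this page.
// One 'functions' entry: "or"/"||" separates alternatives, "and"/"&&" joins
// requirements. Giving "and" precedence in a mixed entry is an assumption.
function entryGranted(string $entry, array $granted): bool
{
    foreach (preg_split('/\s+(?:or|\|\|)\s+/', trim($entry)) as $alternative) {
        $needed = preg_split('/\s+(?:and|&&)\s+/', trim($alternative));
        if (count(array_diff($needed, $granted)) === 0) {
            return true;
        }
    }
    return false;
}

// $granted lists the function names the user's policies grant; '*' stands for
// a policy on the entire module. $legacy models the pre-3.9.3 behaviour.
function canAccessView(array $view, array $granted, bool $legacy = false): bool
{
    if (in_array('*', $granted, true)) {
        return true;
    }
    $entries = $view['functions'] ?? [];
    if (count($entries) === 0) {
        return $legacy && count($granted) > 0;  // functionless view
    }
    foreach ($entries as $entry) {              // separate entries are all required
        if (!entryGranted($entry, $granted)) {
            return false;
        }
    }
    return true;
}

// Constructed module definition reusing expressions quoted on this page.
$ViewList = [
    'tipafriend'        => ['functions' => ['tipafriend', 'read']],
    'list'              => ['functions' => ['view or edit or assign']],
    'discountgroupview' => ['functions' => []],
];
$FunctionList = ['tipafriend' => [], 'read' => [], 'view' => [], 'buy' => []];

var_dump(canAccessView($ViewList['tipafriend'], ['read']));             // one of two
var_dump(canAccessView($ViewList['list'], ['edit']));                   // one of three
var_dump(canAccessView($ViewList['discountgroupview'], ['buy'], true)); // legacy rules
var_dump(canAccessView($ViewList['discountgroupview'], ['buy']));       // current rules
// Audit: views without functions in a module that defines functions.
$flagged = $FunctionList
    ? array_keys(array_filter($ViewList, fn($v) => empty($v['functions']))) : [];
print_r($flagged);
```

Running the same audit over the $ViewList and $FunctionList of a custom module lists the views that only a policy on the entire module can reach.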
A policy (which grants access to a module's function) can be further restricted by function limitations. This can only be done if the function itself supports limitations. A function may support none, one or several limitations. The following code shows how the available limitations for the "diff", "hide" and "tipafriend" functions of the "content" module are specified in "kernel/content/module.php".
    ...
    $FunctionList['diff'] = array( 'Class' => $ClassID,
                                   'Section' => $SectionID,
                                   'Owner' => $Assigned,
                                   'Node' => $Node,
                                   'Subtree' => $Subtree);
    ...
    $FunctionList['hide'] = array( 'Subtree' => $Subtree );
    ...
    $FunctionList['tipafriend'] = array();
    ...
As the code shows, the "diff" function supports five limitations, the "hide" function supports one limitation and the "tipafriend" function supports no limitations. Refer to the "Access control" section of the "Concept and basics" chapter for an overview of the available function limitations.