Overview of user permissions and how to use them

I am developing a module for a site built on Social Engine, which uses the Zend Framework. I am new to both the Zend Framework and Social Engine, but I have experience with OOP and MVC architecture, so I was able to pick up the basics quickly.

The test module I am developing is just a simple module in which a user can create, edit or delete information about a CD. There is also a widget that can be displayed wherever they like, showing information about the CD.

Now I am at the point where I need to set permissions for which CDs people can see. So I studied the other modules and found the poll module to be a concrete example.

Looking at other modules, I realized that when you create something, they let the user set its permissions manually.

So I added this code to my form to create a select box with the appropriate permissions:

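// Authorization context (not used further in this excerpt).
$auth = Engine_Api::_()->authorization()->context;
$user = Engine_Api::_()->user()->getViewer();

// Ask the 'levels' adapter which 'auth_view' roles this viewer may grant on a
// 'ryan' resource, then keep only the matching entries of the label map so the
// select shows a label per permitted role key.
$viewOptions = (array) Engine_Api::_()->authorization()->getAdapter('levels')->getAllowed('ryan', $user, 'auth_view');
$viewOptions = array_intersect_key($availableLabels, array_flip($viewOptions));

$privacy = null;

if( !empty($viewOptions) ) {
    if( count($viewOptions) == 1 ) {
        // Only one permitted level: nothing to choose, so carry it in a hidden
        // field. The submitted value still comes from the client, so pin it to
        // the single permitted key instead of accepting whatever is posted.
        $privacy = new Zend_Form_Element_Hidden('auth_view');
        $privacy->setValue(key($viewOptions))
                ->addValidator('InArray', true, array(array_keys($viewOptions)));
    } else {
        // Several permitted levels: let the user pick. A Zend select element
        // validates the posted value against its multi-options by default, so a
        // role outside $viewOptions is rejected on isValid().
        $privacy = new Zend_Form_Element_Select('auth_view');
        $privacy->setLabel('Privacy')
                ->setDescription('Who may see this CD?')
                ->setMultiOptions($viewOptions)
                ->setValue(key($viewOptions));
    }
}

// When no level is permitted $privacy stays null; NOTE(review): addElements()
// appears to skip non-element entries — confirm, or drop the null before adding.
$this->addElements(array($artist, $title, $privacy, $submit));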

Honestly, I'm not quite sure what this code does, except that it evidently creates a select field and populates it with the given values.

So, if the user selects "Everyone", everyone should be able to delete and edit this cd, etc.

Naturally, I assumed that the controller should contain code that determines whether the user has the right to view each CD, etc.

So, scanning the poll controller, I found this in the controller's init function:

public function init() {
    // Resolve the subject: when a poll_id parameter is present and names an
    // existing poll, that poll becomes the request subject.
    $poll = null;
    $pollIdentity = $this->_getParam('poll_id');
    if( null !== $pollIdentity ) {
        $poll = Engine_Api::_()->getItem('poll', $pollIdentity);
        if( null !== $poll ) {
            Engine_Api::_()->core()->setSubject($poll);
        }
    }

    // Expose the viewer and its identity to the view scripts.
    $viewer = Engine_Api::_()->user()->getViewer();
    $this->view->viewer = $viewer;
    $this->view->viewer_id = Engine_Api::_()->user()->getViewer()->getIdentity();

    // 'view' authorization: checked against the concrete poll when one was
    // resolved, otherwise against the 'poll' resource type. A viewer without an
    // identity (not logged in) is passed as null.
    $resource = 'poll';
    if( $poll ) {
        $resource = $poll;
    }
    if( !($viewer && $viewer->getIdentity()) ) {
        $viewer = null;
    }
    $authorized = $this->_helper->requireAuth()
        ->setAuthParams($resource, $viewer, 'view')
        ->isValid();
    if( !$authorized ) {
        return;
    }
}

, - editAction, :

// Check auth
// Three guards run before any editing; each returns early when its helper
// reports the request invalid (the helper presumably renders the error/redirect
// itself — confirm in RequireAbstract.php).
if( !$this->_helper->requireUser()->isValid() ) { // viewer must be a logged-in user
    return;
}
if( !$this->_helper->requireSubject()->isValid() ) { // a subject must have been set earlier (typically in init())
    return;
}
// null resource / null role: NOTE(review): appears to mean "current subject" and
// "current viewer" — confirm against RequireAuth.php before relying on it.
if( !$this->_helper->requireAuth()->setAuthParams(null, null, 'edit')->isValid() ) {
    return;
}

, , , editAction :

$auth = Engine_Api::_()->authorization()->context;
// Roles listed from narrowest (owner) to widest (everyone); array_search() below
// turns the chosen role into an index that is apparently used as a "max" level
// — NOTE(review): inferred from the naming, confirm against the rest of editAction.
$roles = array('owner', 'owner_member', 'owner_member_member', 'owner_network', 'registered', 'everyone');

// Populate form with current settings
$form->search->setValue($poll->search);
// isAllowed() is compared strictly against 1 (LEVEL_ALLOW); any other level does
// not count. Every allowed role overwrites the value, so the widest allowed role
// in list order is what the select ends up showing.
foreach( $roles as $role ) {
    if( 1 === $auth->isAllowed($poll, $role, 'view') ) {
        $form->auth_view->setValue($role);
    }
    if( 1 === $auth->isAllowed($poll, $role, 'comment') ) {
        $form->auth_comment->setValue($role);
    }
}

// CREATE AUTH STUFF HERE
// $values holds the submitted form data (presumably $form->getValues()). The
// posted role is only as trustworthy as the form's validators, so the select
// must be limited to the roles the viewer is allowed to grant.
// NOTE(review): the fallbacks below are one-element arrays, but array_search()
// compares them against string roles; an array needle never matches, so
// $viewMax / $commentMax become false (0 in integer context) — confirm whether
// the plain string 'everyone' was intended.
if( empty($values['auth_view']) ) {
    $values['auth_view'] = array('everyone');
}
if( empty($values['auth_comment']) ) {
    $values['auth_comment'] = array('everyone');
}

// Index of the chosen role within $roles (non-strict search; false when absent).
$viewMax = array_search($values['auth_view'], $roles);
$commentMax = array_search($values['auth_comment'], $roles);

, , - , , , 100% . - , , , , .


, , , SocialEngine. , SocialEngine, PHPDocumentor , IDE, Neatbeans (http://netbeans.org/), .

SocialEngine , :

  • ///Controller/Action/Helper/RequireAuth.php
  • ///Controller/Action/Helper/RequireAbstract.php
  • ///Controller/Action/Helper/RequireAdmin.php
  • ///Controller/Action/Helper/RequireSubject.php
  • ///Controller/Action/Helper/RequireUser.php

, , :

  • ///Controller/Action/Helper/RequireAuth.php
  • ///Controller/Action/Helper/RequireSubject.php
  • ///Controller/Action/Helper/RequireUser.php

, , Album_AlbumController: ////AlbumController.php

public function init()
{
    // Every album action first needs 'view' permission on the album resource type.
    $authorized = $this->_helper->requireAuth()
        ->setAuthParams('album', null, 'view')
        ->isValid();
    if( !$authorized ) {
        return;
    }

    // Choose the request subject: a photo when photo_id resolves to an
    // album_photo, otherwise an album when album_id resolves. A zero or missing
    // id (the (int) cast turns a missing param into 0) is skipped.
    $photoId = (int) $this->_getParam('photo_id');
    if( 0 !== $photoId ) {
        $photo = Engine_Api::_()->getItem('album_photo', $photoId);
        if( null !== $photo ) {
            Engine_Api::_()->core()->setSubject($photo);
            return;
        }
    }

    $albumId = (int) $this->_getParam('album_id');
    if( 0 !== $albumId ) {
        $album = Engine_Api::_()->getItem('album', $albumId);
        if( null !== $album ) {
            Engine_Api::_()->core()->setSubject($album);
        }
    }
}

public function editAction()
{
if( !$this->_helper->requireUser()->isValid() ) return;
if( !$this->_helper->requireSubject('album')->isValid() ) return;
if( !$this->_helper->requireAuth()->setAuthParams(null, null, 'edit')->isValid() ) return;

init , editAction . requireSubject requireUser :

  • requireSubject , , init
  • requireUser ,

requireAuth . . Authorization_Api_Core:: isAllowed: ////Api.php

/**
* Gets the specified permission for the context
*
* @param Core_Model_Item_Abstract|string $resource The resource type or object that is being accessed
* @param Core_Model_Item_Abstract $role The item (user) performing the action
* @param string $action The name of the action being performed
* @return mixed 0/1 for allowed, or data for settings
*/
public function isAllowed($resource, $role, $action = 'view')

$resource $role, , Zend_Db_Table_Row, SocialEngine , , . isAllowed, api engine4_authorization_allow, engine4_authorization_levels engine4_authorization_permissions.

  • engine4_authorization_levels SocialEngine , , " > " .
  • engine4_authorization_permissions , .
  • engine4_authorization_allow . , , , . , engine4_authorization_allow.role_id ( id ) engine4_authorization_allow.resource_id ( ) engine4_authorization_allow.value 0-5.

///Api/core.php

class Authorization_Api_Core extends Core_Api_Abstract
{
/**
* Constants
*/
const LEVEL_DISALLOW = 0;
const LEVEL_ALLOW = 1;
const LEVEL_MODERATE = 2;
const LEVEL_NONBOOLEAN = 3;
const LEVEL_IGNORE = 4;
const LEVEL_SERIALIZED = 5;

0) . , , allow

1)

2) ( Superadmin, Admin Moderator)

3-5). . , .


SocialEngine, Zend Framework. , , - , .

, SE Zend_Auth Zend_Acl , .

Zend_Auth , , . Zend_Acl - , , , .

Zend_Auth Zend_Acl , Zend_Auth . , - , , , (, , ). Zend_Acl, , .

, Zend_Auth , , , , . Zend_Acl - , , ().

, , Engine_Api::_()->user()->getViewer()->getIdentity();, , , null, id . , , .

, , requireAuth, auth , . Social Engine, ZF ZF, , .

, Zend_Acl::isValid(), , . Zend_Acl . resources role . , .

, , , poll, , view edit .

Zend_Acl, . , , , . , Social Engine, ACL .

, .

