www-root/core/library/Entrada/Acl/Factory.php
www-root/core/library/Entrada/authentication/entrada_acl.inc.php
The `$ENTRADA_ACL` object is available as a global variable on every page of Elentra for any logged-in user, and a permission check against it is a single method call.

Assertions are small classes that decide at query time whether a particular rule applies. An assertion's `assert` method receives four arguments: the `$acl` object calling it, the `$role` and `$resource` the permission applies to, and the `$privilege` being queried. This allows you to write arbitrary code to check virtually anything about the resource or the role the permission applies to. For example, you can write an assertion that checks whether the role representing a user is the director of a course, or whether the role may view another user's photo given the owner's privacy setting. Passing the appropriate information to the assertion can be complicated, but once the assertion and its accompanying role and resource classes are written, one-line permission checks can be used everywhere else in the code that relies on the same logic.

The `assert` method will never be passed a plain string as the role or resource, because the ACL converts a string to a basic Zend_Acl_Role or Zend_Acl_Resource object before passing it to the assertion. However, those basic classes have only one method, which returns the role's or resource's identifier, and no other functionality, so within the assertion the string identifier is all you can get from them; for a course, the `getResourceId` method (which is required by the interface) would return something like "course5". Elentra's own resource objects therefore carry additional members, such as `$course_id` and `$organisation_id`, which can be accessed cleanly and are then used in the actual assertion.

Permission queries go through the standard Zend_Acl `isAllowed($role, $resource, $privilege);` method. For convenience's sake, an `amIAllowed($resource, $privilege);` method has been written that performs the same query using the currently authenticated user as the role. It is also permissions-mask aware, so it can be called anywhere in the application to check the permissions of the user viewing the page.

Organisations are modelled as resources of their own. Each organisation can grant privileges on the resourceorganisation resource that represents it: for example, Undergraduate Medicine can grant its own users read on `resourceorganisation1` (representing them) but give no permissions at all to Postgraduate Medicine. In combination with the ResourceOrganisationAssertion, this effectively means students within Undergraduate Medicine can "read" resources belonging to Undergraduate Medicine, and users in Postgraduate Medicine cannot.

The ResourceOrganisationAssertion examines the resource passed to the `isAllowed` or `amIAllowed` method. If the resource object has an `$resource->organisation_id` member, the assertion uses it directly. It also accepts resources with only `$resource->course_id` or `$resource->event_id` defined; however, if that is all the information it is given, it must run a database query to look up the organisation_id, which can become expensive. It is therefore recommended to pass the ResourceOrganisationAssertion a resource with `$resource->organisation_id` set.

Once it knows the organisation, the assertion queries the ACL again to check whether the `$role` is allowed to perform the `$privilege` on the resourceorganisation resource representing the organisation of the original resource. An example: a user from Postgraduate Medicine asks the ACL whether they can read one of Undergraduate Medicine's courses. There is a rule in the database that says "everyone can read courses as long as they pass the ResourceOrganisationAssertion". The assertion resolves the course to its organisation and asks the ACL whether this user can read `resourceorganisation1` (representing Undergraduate Medicine). That query returns false because Undergraduate Medicine has not granted anyone other than its own users read on its resourceorganisation resource, so the assertion returns false, the rule does not apply, and the user is denied access.
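The following is an added, stand-alone example that is not Elentra's code: it puts the assertion mechanics described above (a resource object that carries `$course_id` and `$organisation_id`, an assertion that reads them) together with the organisation check just walked through, and it also exercises the expensive fallback path in which the resource carries only a `course_id`. It assumes Zend Framework 1 (or a maintained fork of it) is on the include path. The class names `CourseResource`, `OrganisationAssertion` and `ExampleAcl`, the role names, the `amIAllowed()` stand-in and the course-to-organisation table are all assumptions made for this example; Entrada's real `amIAllowed()` is additionally permissions-mask aware.

```php
<?php
// Added example, not Elentra/Entrada code. Assumes Zend Framework 1 is on the
// include path so that Zend_Acl and its interfaces autoload.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// A resource class: the ACL itself only ever calls getResourceId(), but the
// object can carry whatever else an assertion needs (here course_id and
// organisation_id). Class name and members are assumptions for this example.
class CourseResource implements Zend_Acl_Resource_Interface
{
    public $course_id;
    public $organisation_id;

    public function __construct($course_id, $organisation_id = null)
    {
        $this->course_id = (int) $course_id;
        $this->organisation_id = ($organisation_id === null) ? null : (int) $organisation_id;
    }

    public function getResourceId()
    {
        return "course" . $this->course_id;   // e.g. "course5"
    }
}

// Assertion modelled on the ResourceOrganisationAssertion described above; the
// class name and the constructor argument are assumptions for this example.
class OrganisationAssertion implements Zend_Acl_Assert_Interface
{
    // Constructed stand-in for the database lookup Entrada must run when the
    // resource carries only a course_id: course_id => organisation_id.
    private $courseOrganisations;

    public function __construct(array $courseOrganisations)
    {
        $this->courseOrganisations = $courseOrganisations;
    }

    // Same signature as Zend_Acl_Assert_Interface::assert().
    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        $organisation_id = null;
        if (isset($resource->organisation_id)) {
            // Cheap path: the caller supplied the organisation directly.
            $organisation_id = (int) $resource->organisation_id;
        } elseif (isset($resource->course_id)
                  && isset($this->courseOrganisations[$resource->course_id])) {
            // Expensive path: resolve the organisation from the course.
            $organisation_id = (int) $this->courseOrganisations[$resource->course_id];
        }
        // A generic Zend_Acl_Resource has neither member: fail closed.
        if ($organisation_id === null) {
            return false;
        }
        // Re-query the ACL: may $role perform $privilege on the organisation's resource?
        $orgResource = "resourceorganisation" . $organisation_id;
        return $acl->has($orgResource) && $acl->isAllowed($role, $orgResource, $privilege);
    }
}

// Hypothetical stand-in for $ENTRADA_ACL->amIAllowed(): the same query with the
// current user's role filled in (no permissions-mask handling here).
class ExampleAcl extends Zend_Acl
{
    private $currentRole;

    public function setCurrentRole($role)
    {
        $this->currentRole = $role;
    }

    public function amIAllowed($resource, $privilege)
    {
        return $this->isAllowed($this->currentRole, $resource, $privilege);
    }
}

// Constructed data: organisation 1 is Undergraduate Medicine, 2 is Postgraduate
// Medicine; course 5 belongs to organisation 1 and course 9 to organisation 2.
$acl = new ExampleAcl();
$acl->addRole('ugme_student');
$acl->addRole('pgme_student');
$acl->addResource('resourceorganisation1');
$acl->addResource('resourceorganisation2');
$acl->addResource('course');
$course5 = new CourseResource(5, 1);   // organisation_id set: no lookup needed
$course9 = new CourseResource(9);      // only course_id: assertion must look it up
$acl->addResource($course5, 'course');
$acl->addResource($course9, 'course');

// Each organisation grants read on its own resourceorganisation resource only.
$acl->allow('ugme_student', 'resourceorganisation1', 'read');
$acl->allow('pgme_student', 'resourceorganisation2', 'read');
// "Everyone can read courses as long as they pass the assertion."
$acl->allow(null, 'course', 'read', new OrganisationAssertion(array(5 => 1, 9 => 2)));

var_dump($acl->isAllowed('ugme_student', $course5, 'read'));   // UGME student, UGME course
var_dump($acl->isAllowed('pgme_student', $course5, 'read'));   // PGME student, UGME course
$acl->setCurrentRole('pgme_student');
var_dump($acl->amIAllowed($course9, 'read'));                   // PGME student, PGME course via lookup
```

The first and third queries are allowed and the second is denied: the assertion turns each course into its organisation's resourceorganisation resource and lets the organisation's own grant decide. Two points worth keeping in mind when writing assertions of this kind. First, the assertion fails closed whenever it cannot determine an organisation, which is what you want when a bare string resource or an object without the expected members reaches it. Second, in the Zend Framework 1 implementation `isAllowed()` keeps the originally queried role and resource in object state so it can hand them to assertions, and a nested `isAllowed()` call from inside an assertion overwrites that state; if a later rule with its own assertion is evaluated in the same outer query, it would see the nested query's role and resource rather than the original ones, so keep to one assertion-bearing rule per query path, as here, or deal with that in your Zend_Acl subclass.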