[mambo] Access Control Question
Ryan Ozimek
cozimek at picnet.net
Wed Jul 6 14:03:26 EDT 2005
Hans,
Thanks for the detailed email. This is definitely something to munch on
now, but I'm eager to hear what Mitch has to say.
-Ryan
-----Original Message-----
From: mambo-bounces at lists.nyphp.org [mailto:mambo-bounces at lists.nyphp.org]
On Behalf Of Hans C. Kaspersetz
Sent: Wednesday, July 06, 2005 1:51 PM
To: NYPHP at nyphp.org; SIG at nyphp.org:Mambo
Subject: Re: [mambo] Access Control Question
Ryan,

You pass the allowAccess function the groupId of the user and the
groupId of allowed users and it does a comparison to see if that user is
allowed access. The allowAccess function also checks to see if you are
in the Admin group, Super Admin or root groups. If you are in any of
those groups the function returns true. The function also supports
recursing through Child Groups which is nice.

I imagine you can use these functions anywhere. It is a matter of
passing it the correct allowed group ids. I have been calling the
allowAccess function inside the Switch statements that control what
action is to be taken by the component. If the user is not in an
authorized group, I break out of the switch statement and echo an error.
You can store what groups are allowed to access your component with your
component and just pass it to the function in the switch statement. I
have also hardcoded the allowed groups to group 18 in a couple of
places. Group 18 is the registered users group. If you want more info
about group ids take a look at the mos_core_acl_aro_groups table.

I hope this is helpful. My advice is to wait for Mitch to chime in on
if these functions are in the core and where. Someone told me they
might be available as part of the ACL libraries but I was unable to find
them. Mitch, have any pearls of wisdom here?

Hans
Hans C. Kaspersetz
Cyber X Designs
Office: 201-558-7929
Mobile: 201-681-4156
http://www.cyberxdesigns.com
Ryan Ozimek wrote:
>Hans,
>
>So, if I'm reading this right, these functions you have below can
>control front-end access to components, such as those you're developing
>or adding to, correct? I'm wondering if anyone has done this on the
>back-end as well. It would be great to have some funcs I can drop into
>our homemade components that will allow access to the components only
>if the administrator has the right level of access in the backend
>permissions.
>
>Did that make sense?
>
>-Ryan
>
>-----Original Message-----
>From: mambo-bounces at lists.nyphp.org
>[mailto:mambo-bounces at lists.nyphp.org]
>On Behalf Of Hans C. Kaspersetz
>Sent: Wednesday, July 06, 2005 9:35 AM
>To: NYPHP at nyphp.org; SIG at nyphp.org:Mambo
>Subject: [mambo] Access Control Question
>
>
>Over the last week I have been developing a site using components
>developed by third parties. One of the biggest problems I have found is
>the inconsistent or non-existent support of access controls in
>components. Below you will find two functions I pulled from
>com_comprofiler. I have been adding these functions to other components
>like com_mtree and com_akoForms to control access to them. I am
>interested to know if the Mambo core has functions that do what
>allowAccess and userGID do? I would like to use Mambo core code and not
>access control code placed in each component. I looked through the API
>documentation on the Mambo site and nothing jumped out at me.
>
>Also, is there a standard way component developers should implement
>access control in their components? Has the Mambo team documented the
>recommended implementation?
>
>I regularly find it mind numbing that component developers charge for
>incomplete or buggy components. For example, Mosets Tree offers no
>access controls to their content. I emailed the developer and he said
>that I should not post the link to the content, to control access.
>Arrgg....... My one bit of gratitude is that I have the source and can
>add access controls if I like and can submit the patches.
>
>Thanks,
>Hans
>
>So here is the source:
>
>/*************************************************************
>* Mambo Community Builder
>* Author MamboJoe
>* @ Released under GNU/GPL License :
>http://www.gnu.org/copyleft/gpl.html
>*************************************************************/
>
>
>function allowAccess( $accessgroupid, $recurse, $usersgroupid, &$acl )
>{
>    // "agroup:".$accessgroupid." ugroupid:".$usersgroupid." recurse ".$recurse;
>    if ($accessgroupid == -2 || ($accessgroupid == -1 && $usersgroupid > 0)
>        || $usersgroupid == 17 || $usersgroupid == 23
>        || $usersgroupid == 24 || $usersgroupid == 25) {
>        //grant public access, access to all registered users, or access
>        //to the privileged groups (ids 17, 23, 24, 25)
>        return 1;
>    }
>    else {
>        //need to do more checking based on more restrictions
>        if( $usersgroupid == $accessgroupid ) {
>            //direct match
>            return 1;
>        }
>        else {
>            if ($recurse=='RECURSE') {
>                //check if there are children groups
>                $groupchildren=array();
>                $groupchildren=$acl->get_group_children( $accessgroupid, 'ARO', $recurse );
>
>                if ( is_array( $groupchildren ) && count( $groupchildren ) > 0) {
>                    if ( in_array($usersgroupid, $groupchildren) ) {
>                        //match
>                        return 1;
>                    }
>                }
>            }
>        }
>        //deny access
>        return 0;
>    }
>}
>
>function userGID($oID){
>    global $database;
>    //cast to an integer so the id cannot carry SQL into the query
>    $oID = (int) $oID;
>    if($oID > 0) {
>        $query = "SELECT gid FROM #__users WHERE id = '".$oID."'";
>        $database->setQuery($query);
>        $gid = $database->loadResult();
>        return $gid;
>    }
>    else return 0;
>}
>_______________________________________________
>New to Mambo? Get a great start here:
>http://forum.mamboserver.com/showthread.php?t=42100
>
>New York PHP SIG: Mambo Mailing List
>AMP Technology
>Supporting Apache, MySQL, PHP & Mambo!
>http://lists.nyphp.org/mailman/listinfo/mambo
>http://www.nyphp.org
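
The gating Hans describes (calling allowAccess from the switch that picks the component's action), as an added example that is not part of the thread or of Mambo: a single default-deny check in front of the switch, so a task with no rule is refused instead of left open. StubAcl, runTask, the task names and the group tree are assumptions made for the illustration, and allowAccess here is a compact stand-in for the quoted function.

```php
<?php
// Added example (not from the thread or Mambo): default-deny gate before the switch.

// Constructed stand-in for the $acl object; the group tree is sample data.
class StubAcl {
    private $children = array(18 => array(19, 20, 21));
    function get_group_children($gid, $type, $recurse) {
        return isset($this->children[$gid]) ? $this->children[$gid] : array();
    }
}

// Compact stand-in with the signature and rules of the quoted allowAccess().
function allowAccess($accessgroupid, $recurse, $usersgroupid, &$acl) {
    if ($accessgroupid == -2 || ($accessgroupid == -1 && $usersgroupid > 0)
        || in_array($usersgroupid, array(17, 23, 24, 25))) {
        return 1;
    }
    if ($usersgroupid == $accessgroupid) {
        return 1;
    }
    if ($recurse == 'RECURSE') {
        $kids = $acl->get_group_children($accessgroupid, 'ARO', $recurse);
        return (is_array($kids) && in_array($usersgroupid, $kids)) ? 1 : 0;
    }
    return 0;
}

// Hypothetical task names, each mapped to the group id allowed to run it.
$taskGroups = array('view' => -2, 'submit' => 18, 'delete' => 24);

function runTask($task, $usersgroupid, $taskGroups, &$acl) {
    // Default deny: a task with no rule is refused rather than left public.
    if (!is_string($task) || !isset($taskGroups[$task])
        || !allowAccess($taskGroups[$task], 'RECURSE', $usersgroupid, $acl)) {
        return 'denied';
    }
    switch ($task) {
        case 'view':   return 'listing shown';
        case 'submit': return 'entry saved';
        case 'delete': return 'entry removed';
    }
    return 'denied'; // a rule exists but no handler does
}

$acl = new StubAcl();
$cases = array(array('view', 0), array('submit', 0), array('submit', 19),
               array('delete', 18), array('export', 18));
foreach ($cases as $c) {
    echo "$c[0] as group $c[1]: ", runTask($c[0], $c[1], $taskGroups, $acl), "\n";
}
```

The group id passed to runTask should come from the server-side session or from userGID, never from a request parameter.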