[Typo3-dev] backend ACLs
"Stig N. Færch"
stig at 8620.dk
Wed Jun 1 09:36:43 CEST 2005
Hi List, Hi Kasper,
Bernhard Kraft urged me to write to this thread about some BE-group-role
system I have been playing around with.
I will 'hook' in here as Kasper talks about implementing hooks.
Maybe what I have done is already covered by what you all have in mind?
Anyway, this is what I have done:
I have created a hook in the beginning of the method fetchGroups() in
the class t3lib_userauthgroup. Also I added a new field called 'role' to
the 'be_groups' table.
Now the smart thing is if I check some be_groups as roles, I can now
select among these roles from a selectorbox in the topmenu frame. When I
select a new role, the menu and content frames are reloaded, and only
the currently selected role(be-group) and non-role be-groups will be
activated.
This is a great advantage for backend-users with more than 2 be-groups
attached, because now he will only see (and have access to) what he
currently wants to work with, hence retaining the good overview.
As a very positive side effect, it also solves another problem. Before,
if something was allowed in one be-group, it would also be allowed in
another be-group. But now, when you select a role, other roles will
not influence what you can access.
My extension is almost finished. If you think that other people could
enjoy this extension I hope the hook can be implemented.
Best Regards,
Stig N. Færch
The hook in fetchGroups() class t3lib_userauthgroup:
after $lockToDomain_SQL = ' AND(.....

// Start from an empty clause so the query below is well-defined when no hook is registered
$addWhereSQL = '';
if (is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauthgroup.php']['limitAccess'])) {
    foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauthgroup.php']['limitAccess'] as $classRef) {
        $hookObj = &t3lib_div::getUserObj($classRef);
        if (method_exists($hookObj, 'limitAccess')) {
            // Append, so a later hook cannot discard a restriction added by an earlier one
            $addWhereSQL .= $hookObj->limitAccess($this, $grList);
        }
    }
}
// The hook clause is ANDed onto the normal group lookup
$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', $this->usergroup_table, 'deleted=0 AND hidden=0 AND pid=0 AND uid IN ('.$grList.')'.$addWhereSQL.$lockToDomain_SQL);

Kasper Skårhøj wrote:
> Hi Sune and Sebastian.
>
> I suggest you exchange ideas. Sebastian can complete his current work
> for his needs and at least it will make for an experience-base.
>
> I will think about implementing the permission-API I discussed with Sune
> and if that is possible it will open the door for you to implement any
> scheme on top of that as you like.
>
> Fundamentally TYPO3 will not change (as usual) but a new methodology is
> made possible through hooks.
>
> - kasper
>
>
> On Wed, 2005-03-23 at 07:57, Sebastian Kurfuerst wrote:
>
>>Hi Sune,
>>
>>Of course I am always interested in joining forces. An Access-API would
>>be great, but I need the acl system in a very short time and that's why
>>I developed it so far just as an extension to the current BE rights
>>system. So maybe the extension I am developing is the "short-term"
>>solution, and the API from Kasper the long-term solution. Of course, I
>>would be highly interested in helping with the API part as well... What
>>do you think of that? I don't know, do you already have a concept for
>>this or is it just an "idea"? The best thing might be that I show you my
>>(current) ACL system, and you share your thoughts on this, to make the
>>concept of the general ACL system even better.
>>I will keep you updated on my progress, and if you are interested, I
>>could show you the acl system as soon as it's working (doesn't need too
>>much work anymore).
>>
>>Greets,
>>Sebastian
>>
>>Sune Vestergaard (dk-marketing) wrote:
>>
>>>Hi Sebastian,
>>>
>>>We currently work on extending the access-permission-system to handle rights
>>>for several groups. It sounds very very much like your thoughts. If you are
>>>interested in joining forces - and putting some actual work into the
>>>project, I can have our developer on that project contact you.
>>>The main idea is to have Kasper make an "access API" in the core - and then
>>>we put "some" effort into programming the system that actually handles
>>>permission-calculation, new backend module etc.
>>>
>>>Sune Vestergaard
>>>
>>>
>>>
>>>"Sebastian Kurfuerst" <sebastian at garbage-group.de> wrote in message
>>>news:mailman.1.1111521522.16826.typo3-dev at lists.netfielders.de...
>>>
>>>
>>>>Hi Kasper,
>>>>I needed to give rights on a page to multiple groups and multiple users.
>>>>Currently, we just have the unix-access scheme, allowing just rights for
>>>>1 user, one group, and world. Of course it would be possible to solve
>>>>the problem via complicated nested backend-group structures, but I
>>>>didn't like that approach.
>>>>That's why I introduced a new ACL database table, storing the page id,
>>>>the type (this is just the field where it is stored if the ACL is a user
>>>>or a group ACL), the user/group-id and the rights. Additionally, there
>>>>is the possibility to mark an ACL as recursive, so the ACL will be
>>>>applied to these pages as well. I didn't do it via changing ACLs
>>>>recursively, because in a large-scale scenario I think it would be bad
>>>>to have maybe 20 000 ACL records in the table for 1000 pages and 20 ACLs
>>>>per page. (And it would be difficult to "clean up" the ACL table, ...)
>>>>This is why ACLs can work recursively as well without creating a copy of
>>>>the ACL for every page.
>>>>Technically, I extended the web->access module and overwrote the
>>>>function t3lib_userAuthGroup::calcPerms and
>>>>t3lib_userAuthGroup::getPagePermsClause, at least that's the current
>>>>status of development. Maybe I need to overwrite some other functions
>>>>as well. Of course, an API sounds very very interesting in this field,
>>>>but I think this will need some time. The ACL system will be available
>>>>in not too much long time.
>>>>
>>>>Sebastian
>>>
>>>
>>>
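
The role-limiting hook described in the first message, as an added example that is not part of the original post or of TYPO3: a hook class whose limitAccess() returns the extra WHERE fragment. The class name tx_roleselect_hook and the constructor argument carrying the selector-box value are assumptions made so the block runs stand-alone; only the 'role' field on be_groups and the limitAccess($parentObj, $grList) call come from the post.

```php
<?php
// Added example: hypothetical hook class for the proposed 'limitAccess' hook.
// tx_roleselect_hook and its constructor argument are assumptions, not TYPO3 API.
class tx_roleselect_hook {
    private $selectedRole;

    public function __construct($selectedRole) {
        // The value arrives from a selector box in the browser: cast it to an
        // integer before it can get anywhere near the SQL string.
        $this->selectedRole = (int)$selectedRole;
    }

    /**
     * Returns a WHERE fragment for the be_groups query in fetchGroups().
     * $grList is the comma list of group uids the user is a member of.
     */
    public function limitAccess($parentObj, $grList) {
        $memberOf = array_map('intval', explode(',', (string)$grList));
        // A role the user does not hold activates nothing extra:
        // only the non-role groups stay active.
        if (!in_array($this->selectedRole, $memberOf, true)) {
            return ' AND role=0';
        }
        // Parenthesised on purpose: a bare "AND role=0 OR uid=N" would let the
        // OR escape the deleted/hidden/pid conditions of the surrounding query.
        return ' AND (role=0 OR uid=' . $this->selectedRole . ')';
    }
}

// Constructed sample input: the user is a member of groups 3, 7 and 12.
$grList = '3,7,12';
foreach (array('7', '99', '7 OR 1=1') as $posted) {
    $hook = new tx_roleselect_hook($posted);
    echo str_pad(var_export($posted, true), 12), '=>', $hook->limitAccess(null, $grList), "\n";
}
```

Because the fragment is ANDed onto `uid IN (...)`, a hook written this way can only narrow the set of active groups, never widen it.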
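
The recursive ACL lookup described in the oldest quoted message, as an added example that is not Sebastian's extension code: permissions are resolved by walking from the page up to the root, so one recursive record covers a whole subtree without per-page copies. The array field names and the OR-combination of all matching ACLs are assumptions; the post names only the stored columns (page id, type, user/group id, rights, recursive flag).

```php
<?php
// Added example; field names and combining matches with bitwise OR are assumptions.
// $parentOf maps page uid => parent uid (0 = root), $acls is the ACL table.
function effectivePerms($pageUid, $userUid, array $groupUids, array $parentOf, array $acls) {
    $pageUid = (int)$pageUid;
    $perms = 0;
    $seen = array();
    $current = $pageUid;
    while ($current > 0 && !isset($seen[$current])) {
        $seen[$current] = true; // guard against a loop in the page tree
        foreach ($acls as $acl) {
            if ((int)$acl['page'] !== $current) {
                continue;
            }
            // An ACL stored on an ancestor only applies if it is marked recursive.
            if ($current !== $pageUid && !$acl['recursive']) {
                continue;
            }
            $matches = ($acl['type'] === 'user' && (int)$acl['id'] === (int)$userUid)
                || ($acl['type'] === 'group' && in_array((int)$acl['id'], $groupUids, true));
            if ($matches) {
                $perms |= (int)$acl['rights'];
            }
        }
        $current = isset($parentOf[$current]) ? (int)$parentOf[$current] : 0;
    }
    return $perms;
}

// Constructed sample data: page tree 1 -> 2 -> 3, rights use TYPO3's page
// permission bits (1 = show, 2 = edit page, 16 = edit content).
$parentOf = array(1 => 0, 2 => 1, 3 => 2);
$acls = array(
    array('page' => 1, 'type' => 'group', 'id' => 5, 'rights' => 1,  'recursive' => true),
    array('page' => 2, 'type' => 'user',  'id' => 9, 'rights' => 2,  'recursive' => false),
    array('page' => 3, 'type' => 'group', 'id' => 6, 'rights' => 16, 'recursive' => false),
);
foreach (array(2, 3) as $page) {
    echo "page $page: ", effectivePerms($page, 9, array(5), $parentOf, $acls), "\n";
}
```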