[Typo3-dev] RFC: Frontend Permissions for Records within Plugins

Jeff Segars jsegars at alumni.rice.edu
Tue Nov 8 00:03:16 CET 2005


Background
--------------------
For an upcoming extension that we're developing within Web-Empowered 
Church, we have a need to limit the records returned from a Frontend 
Plugin based on the group of the current frontend user.  It's probably 
easiest to describe this functionality in terms of existing extensions. 
For something like tt_news, we would create a news article and assign 
that article to one or more frontend user groups.  When a user visits 
the site, he would see only the articles that are assigned to his groups.

What this functionality really comes down to is providing the same 
permissions for records within a plugin as we currently have for pages 
and content elements within the page tree.  I know there are ways to 
build similar functionality right now (connecting categories to user 
groups, and then limiting an instance of the plugin to a certain user 
group) but we're shooting for something that is more automated, as it 
will be used on a site with many user groups.

This seems like something that could be very useful to many extensions, 
not just our own, as it allows for portal-like functionality where users 
only see news and events for the groups they belong to.

Implementation
--------------------
The backend side of this functionality could mirror what is already 
available for content elements and pages for the TCA setup and other 
configuration-level code.  Extensions would have to provide a fe_group 
column within their database table, which would contain a 
comma-separated list of groups, as well as the appropriate entries in 
the TCA array.

After the method for selecting groups has been defined, the next 
challenge is ensuring that those group permissions are checked when 
extension output is rendered.  This check must be performed by 
including the groups of the current user in the WHERE clause of all 
database calls.  This could be a manual process (creating the WHERE 
clause within existing DB calls) but automating this as much as possible 
makes it more likely that new extension developers will implement it 
correctly and that existing extensions will be updated to include the 
functionality.

To this end, wrapper functions or optional arguments could be added to 
the existing database calls.  These functions or arguments would be used 
to add group permissions for the current user into the WHERE clause that 
the standard DB calls accept.  This approach means that the only 
extension code required to support these new permissions would be the 
database calls.  The rest of the codebase would not change; there would 
simply be a more limited subset of records returned from the DB calls.
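As an added illustration of the wrapper idea above (not code from the original post or from TYPO3 itself), here is a PHP wrapper that appends the visitor's frontend groups to any plugin WHERE clause, in the same shape as the restriction pages and tt_content already get. It assumes the comma-separated fe_group column proposed above, that TYPO3 keeps the visitor's group list in $GLOBALS['TSFE']->gr_list ("0,-1" for anonymous visitors, "0,-2,<uids>" for logged-in users), that $GLOBALS['TYPO3_DB']->exec_SELECTquery() is the standard select call, and a hypothetical table tx_myext_news.

```php
<?php
// Added example, not part of the original post or of TYPO3.
// Assumptions: $table has a comma-separated fe_group column; $grList is the
// visitor's group list as kept in $GLOBALS['TSFE']->gr_list ("0,-1" when not
// logged in, "0,-2,<uids>" when logged in); exec_SELECTquery() is TYPO3's
// standard select call; tx_myext_news is a hypothetical plugin table.

/** Build " AND (...)" restricting $table.fe_group to the visitor's groups. */
function feGroupWhere(string $table, string $grList): string
{
    $field = $table . '.fe_group';
    // Records with no group set (empty or NULL) stay visible to everyone.
    $query = ' AND (' . $field . "='' OR " . $field . ' IS NULL';
    foreach (explode(',', $grList) as $gid) {
        // Cast each id to int so nothing from the list reaches the SQL as raw text.
        $gid = (int) trim($gid);
        // FIND_IN_SET matches a whole list element; a LIKE '%3%' would also
        // match groups 13 or 30 and show records to the wrong users.
        $query .= " OR FIND_IN_SET('" . $gid . "'," . $field . ')';
    }
    return $query . ')';
}

/** Drop-in replacement for exec_SELECTquery() that always adds the group check. */
function selectWithFeGroups(string $fields, string $table, string $where, string $orderBy = '', string $limit = '')
{
    $where .= feGroupWhere($table, (string) $GLOBALS['TSFE']->gr_list);
    return $GLOBALS['TYPO3_DB']->exec_SELECTquery($fields, $table, $where, '', $orderBy, $limit);
}

// List view: only the group check is added to whatever WHERE the plugin built.
// $res = selectWithFeGroups('*', 'tx_myext_news', 'pid=' . (int) $pid . ' AND hidden=0', 'datetime DESC');

// Single view: the same restriction must be applied here too, otherwise a uid
// taken from the URL would bypass the filtering the list view performed.
// $res = selectWithFeGroups('*', 'tx_myext_news', 'uid=' . (int) $uid . ' AND hidden=0');

// Show the clause generated for a logged-in user who is in groups 1 and 3.
echo feGroupWhere('tx_myext_news', '0,-2,1,3'), "\n";
```

The point of routing every query, including the single-record view, through the wrapper is that a record is then filtered once, in one place, rather than in each call site that might forget it.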

--------------------

To sum it up, we're really looking for comments on two main questions...
1) Is this per-record level of permissions something that would be 
useful across other TYPO3 extensions?
2) Is the implementation outlined above a good way to add this 
functionality or are there other suggestions?

Thanks in advance for any comments!
Jeff