[Typo3-dev] RFC: Frontend Permissions for Records within Plugins
Jeff Segars
jsegars at alumni.rice.edu
Tue Nov 8 00:03:16 CET 2005
Background
--------------------
For an upcoming extension that we're developing within Web-Empowered
Church, we have a need to limit the records returned from a Frontend
Plugin based on the group of the current frontend user. It's probably
easiest to describe this functionality in terms of existing extensions.
For something like tt_news, we would create a news article and assign
that article to one or more frontend user groups. When a user visits
the site, he would see only the articles that are assigned to his groups.
What this functionality really comes down to is providing the same
permissions for records within a plugin as we currently have for pages
and content elements within the page tree. I know there are ways to
build similar functionality right now (connecting categories to user
groups, and then limiting an instance of the plugin to a certain user
group) but we're shooting for something that is more automated, as it
will be used on a site with many user groups.
This seems like something that could be very useful to many extensions,
not just our own, as it allows for portal-like functionality where users
only see news and events for the groups they belong to.
Implementation
--------------------
The backend side of this functionality could mirror what is already
available for content elements and pages for the TCA setup and other
configuration-level code. Extensions would have to provide a fe_group
column within their database table, which would contain a
comma-separated list of groups, as well as the appropriate entries in
the TCA array.
After the method for selecting groups has been defined, the next
challenge is ensuring that those group permissions are checked when
extension output is rendered. This check must be performed by
including the groups of the current user in the WHERE clause of all
database calls. This could be a manual process (creating the WHERE
clause within existing DB calls) but automating this as much as possible
makes it more likely that new extension developers will implement it
correctly and that existing extensions will be updated to include the
functionality.
To this end, wrapper functions or optional arguments could be added to
the existing database calls. These functions or arguments would be used
to add group permissions for the current user into the WHERE clause that
the standard DB calls accept. This approach means that the only
extension code required to support these new permissions would be the
database calls. The rest of the codebase would not change; there would
simply be a more limited subset of records returned from the DB calls.
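The WHERE-clause wrapper described above, as an added example that is not part of this post or of TYPO3 itself: Python with sqlite3 stands in for the plugin's database layer, and the table name tt_news_like, the sample rows and the function names are constructed. It shows the two details such a wrapper has to get right: group ids are cast to integers before they reach SQL, and the comma-separated fe_group column is matched as a whole token so that group 2 does not match a record assigned only to group 12.

```python
import sqlite3

# Constructed sample records with the comma-separated fe_group column the
# RFC proposes; '' or '0' means "visible to everyone".
SAMPLE_ROWS = [
    (1, "Public notice", "0"),
    (2, "Youth group meeting", "2"),
    (3, "Choir and youth", "12,2"),
    (4, "Choir only", "12"),
    (5, "Elders", "3"),
]


def fe_group_where(group_uids, column="fe_group"):
    """Build the WHERE fragment that restricts rows to the user's groups.

    Every uid is cast to int (a non-numeric value raises ValueError), so the
    fragment is built only from integers. The column value is wrapped in
    commas before LIKE-matching so ',2,' is a whole-token match and does not
    hit a row whose list contains only 12.
    """
    uids = sorted({int(u) for u in group_uids})
    alts = [f"{column} = '' OR {column} = '0' OR {column} IS NULL"]
    alts += [f"(',' || {column} || ',') LIKE '%,{u},%'" for u in uids]
    return "(" + " OR ".join(alts) + ")"


def select_visible(conn, group_uids, extra_where="1=1"):
    """The wrapper the RFC describes: the plugin passes its own WHERE clause
    and the group restriction is ANDed on, so no call can forget it."""
    sql = ("SELECT uid, title FROM tt_news_like WHERE "
           f"({extra_where}) AND {fe_group_where(group_uids)} ORDER BY uid")
    return [row[0] for row in conn.execute(sql)]


def make_db():
    """In-memory table loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tt_news_like (uid INTEGER, title TEXT, fe_group TEXT)")
    conn.executemany("INSERT INTO tt_news_like VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    db = make_db()
    print(select_visible(db, [2]))    # user in group 2 sees uids 1, 2, 3
    print(select_visible(db, []))     # anonymous user sees only uid 1
```

On MySQL, which TYPO3 used at the time, `||` is logical OR, so the concatenation would be written with CONCAT() or the match done with FIND_IN_SET(); the token-matching and integer-casting points are the same.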
--------------------
To sum it up, we're really looking for comments on two main questions.
1) Is this per-record level of permissions something that would be
useful across other TYPO3 extensions?
2) Is the implementation outlined above a good way to add this
functionality or are there other suggestions?
Thanks in advance for any comments!
Jeff