[mambo] Access Control Question

Hans C. Kaspersetz hans at cyberxdesigns.com
Wed Jul 6 13:51:19 EDT 2005


Ryan,

You pass the allowAccess function the groupId of the user and the 
groupId of allowed users and it does a comparison to see if that user is 
allowed access.  The allowAccess function also checks to see if you are 
in the Admin group, Super Admin or root groups. If you are in any of 
those groups the function returns true.  The function also supports 
recursing through Child Groups which is nice.

I imagine you can use these functions anywhere.  It is a matter of 
passing it the correct allowed group ids.  I have been calling the 
allowAccess function inside the Switch statements that control what 
action is to be taken by the component.  If the user is not in an 
authorized group, I break out of the switch statement and echo an error.  
You can store what groups are allowed to access your component with your 
component and just pass it to the function in the switch statement.  I 
have also hardcoded the allowed groups to group 18 in a couple of 
places.  Group 18 is the registered users group.  If you want more info 
about group ids take a look at the mos_core_acl_aro_groups table.

I hope this is helpful.  My advice is to wait for Mitch to chime in on 
if these functions are in the core and where.  Someone told me they 
might be available as part of the ACL libraries but I was unable to find 
them.  Mitch, have any pearls of wisdom here?

Hans

Hans C. Kaspersetz
Cyber X Designs

Office: 201-558-7929
Mobile: 201-681-4156
http://www.cyberxdesigns.com



Ryan Ozimek wrote:

>Hans,
>
>So, if I'm reading this right, these functions you have below can control
>front-end access to components, such as those you're developing or adding
>to, correct?  I'm wondering if anyone has done this on the back-end as well.
>It would be great to have some funcs I can drop into our homemade components
>that will allow access to the components only if the administrator has the
>right level of access in the backend permissions.
>
>Did that make sense?
>
>-Ryan
>
>-----Original Message-----
>From: mambo-bounces at lists.nyphp.org [mailto:mambo-bounces at lists.nyphp.org]
>On Behalf Of Hans C. Kaspersetz
>Sent: Wednesday, July 06, 2005 9:35 AM
>To: NYPHP at nyphp.org; SIG at nyphp.org:Mambo
>Subject: [mambo] Access Control Question
>
>
>Over the last week I have been developing a site using components 
>developed by third parties.  One of the biggest problems I have found is 
>the inconsistent or non-existent support of access controls in 
>components.  Below you will find two functions I pulled from 
>com_comprofiler.  I have been adding these functions to other components 
>like com_mtree and com_akoForms to control access to them.  I am 
>interested to know if the Mambo core has functions that do what 
>allowAccess and userGID do?  I would like to use Mambo core code and not 
>access control code placed in each component.  I looked through the API 
>documentation on the Mambo site and nothing jumped out at me.
>
>Also, is there a standard way component developers should implement 
>access control in their components?  Has the Mambo team documented the 
>recommended implementation?
>
>I regularly find it mind numbing that component developers charge for 
>incomplete or buggy components.  For example, Mosets Tree offers no 
>access controls to their content.  I emailed the developer and he said 
>that I should not post the link to the content, to control access.  
>Arrgg.......  My one bit of gratitude is that I have the source and can 
>add access controls if I like and can submit the patches.
>
>Thanks,
>Hans
>
>So here is the source:
>
>/*************************************************************
>* Mambo Community Builder
>* Author MamboJoe
>* @ Released under GNU/GPL License : http://www.gnu.org/copyleft/gpl.html
>*************************************************************/
>
>
>function allowAccess( $accessgroupid, $recurse, $usersgroupid, &$acl )
>{
>   // "agroup:".$accessgroupid." ugroupid:".$usersgroupid." recurse ".$recurse;
>   if ($accessgroupid == -2 || ($accessgroupid == -1 && $usersgroupid > 0)
>       || $usersgroupid == 17 || $usersgroupid == 23
>       || $usersgroupid == 24 || $usersgroupid == 25) {
>      //grant public access or access to all registered users
>      //group ids 17, 23, 24 and 25 are always granted access
>      return 1;
>   }
>   else {
>      //need to do more checking based on more restrictions
>      if( $usersgroupid == $accessgroupid ) {
>         //direct match
>         return 1;
>      }
>      else {
>         if ($recurse=='RECURSE') {
>            //check if there are children groups
>            $groupchildren=array();
>            $groupchildren=$acl->get_group_children( $accessgroupid, 'ARO', $recurse );
>
>            if ( is_array( $groupchildren ) && count( $groupchildren ) > 0) {
>               if ( in_array($usersgroupid, $groupchildren) ) {
>                  //match
>                  return 1;
>               }
>            }
>         }
>      }
>      //deny access
>      return 0;
>   }
>}
>
>function userGID($oID){
>   global $database;
>   //cast to int so the id cannot carry SQL into the query below
>   $oID = (int) $oID;
>   if($oID > 0) {
>      $query = "SELECT gid FROM #__users WHERE id = '".$oID."'";
>      $database->setQuery($query);
>      $gid = $database->loadResult();
>      return $gid;
>   }
>   else return 0;
>}
>_______________________________________________
>New to Mambo? Get a great start here:
>http://forum.mamboserver.com/showthread.php?t=42100
>
>New York PHP SIG: Mambo Mailing List
>AMP Technology
>Supporting Apache, MySQL, PHP & Mambo!
>http://lists.nyphp.org/mailman/listinfo/mambo
>http://www.nyphp.org
>
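
The pattern described in the reply above (an allowAccess check guarding the switch that selects the component's action), as an added example that is not part of the original post or of com_comprofiler. StubAcl, $taskGroups, dispatch() and the task names are hypothetical, and the child groups of 18 are constructed sample data; the check here runs once before the switch and refuses any task that has no entry.

```php
<?php
// Constructed stand-in for Mambo's $acl object (hypothetical): group id => child group ids.
class StubAcl {
    private $children = array(18 => array(19, 20, 21)); // constructed sample data
    public function get_group_children($gid, $type, $recurse) {
        return isset($this->children[$gid]) ? $this->children[$gid] : array();
    }
}

// Condensed restatement of the quoted allowAccess() so this file runs by itself.
function allowAccess($accessgroupid, $recurse, $usersgroupid, &$acl) {
    if ($accessgroupid == -2 || ($accessgroupid == -1 && $usersgroupid > 0)
        || in_array($usersgroupid, array(17, 23, 24, 25))) {
        return 1;
    }
    if ($usersgroupid == $accessgroupid) {
        return 1;
    }
    if ($recurse == 'RECURSE') {
        $kids = $acl->get_group_children($accessgroupid, 'ARO', $recurse);
        return (is_array($kids) && in_array($usersgroupid, $kids)) ? 1 : 0;
    }
    return 0;
}

// Hypothetical allow-list stored with the component: task => group id required.
$taskGroups = array('list' => -2, 'view' => 18, 'edit' => 18);

function dispatch($task, $userGid, $taskGroups, &$acl) {
    // Deny by default: a task with no entry is refused, not treated as public.
    if (!isset($taskGroups[$task])
        || !allowAccess($taskGroups[$task], 'RECURSE', $userGid, $acl)) {
        return 'Not authorized';
    }
    switch ($task) {
        case 'list': return 'listing';
        case 'view': return 'viewing';
        case 'edit': return 'editing';
    }
    return 'Unknown task';
}

$acl = new StubAcl();
echo dispatch('list', 0, $taskGroups, $acl), "\n";   // anonymous visitor, public task
echo dispatch('view', 0, $taskGroups, $acl), "\n";   // anonymous visitor, task needs group 18
echo dispatch('view', 19, $taskGroups, $acl), "\n";  // member of a child group of 18
echo dispatch('purge', 18, $taskGroups, $acl), "\n"; // task missing from the allow-list
```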


