I need to build a screen to manage permissions. Does anyone know of a tutorial that could help me? Is there any way to read the existing modules to view and configure access to them?
Is the users_role_permissions table used by the Auth library?
I am creating a screen where it will be possible to select which actions a group can execute, but I do not know if it is possible to save this type of configuration in the existing tables of the Auth library. If it is possible, could you explain it to me?
Yes, all permissions tables are used by the Auth library. The OrmAcl class will compile the user's effective rights using all of them (so directly assigned permissions plus group and role assigned permissions).
Check the definitions of the models in the Auth package.
There are a lot of relations defined by the models. The first link to the docs in my previous post lists them all. There is a many-many relationship between Group and Roles, which is defined using the through table "user_group_roles". It allows you to assign roles to a group of users, instead of to a user directly.
You use standard model commands, for example to assign users to a group, and a group to a role:
// get a "random" user, a group and a role
$user = \Auth\Model_User::find(1);
$group = \Auth\Model_Group::find(1);
$role = \Auth\Model_Role::find(1);

// make the user part of the group
$group->users[] = $user;

// assign the role to the group
$group->roles[] = $role;

// update the group
$group->save();
So there is no need for manual table updates, everything is done through normal ORM calls.
Permissions are also assigned via ORM relations. So for example you could have a permission record for "app.forum", with actions "read", "post", "edit", "moderate", "delete", "move", "merge", etc...
You can simply assign a permission using:
// get a "random" user and permission
$user = \Auth\Model_User::find(1);
$permission = \Auth\Model_Permission::find(1);

// assign the permission to the user
$user->permissions[] = $permission;

// and save it
$user->save();
This will allow you to use \Auth::has_access('app.forum') in your code, which will now return True for this user (assuming this permission record has id #1).
If you want to limit access to a subset of actions, say only "read" and "post", you do:
// get the user permission record
$userpermission = \Auth\Model_Userpermission::query()
    ->where('user_id', '=', $user->id)
    ->where('perms_id', '=', $permission->id)
    ->get_one();

// define the permissions we want to assign
$wanted = array('read', 'post');

// assign them (stored as the keys of the matching actions on the permission record)
$userpermission->actions = array_keys(array_intersect($permission->actions, $wanted));

// update the record
$userpermission->save();
Now you can check if the user has add rights using \Auth::has_access('app.forum[add]'), or add and post rights using \Auth::has_access('app.forum[add,post]').
Isn't that logical, as there is no "add" or "post" permission? And of the 4 possible actions, only "read" and "create" are set on this user permission.
So "app.forum", "app.forum.read", "app.forum.create" and "app.forum[read,create]" should return true, all others should return false.
And yes, you do have to flush the auth cache, at least for this user, when you change the permissions.
Can you post the contents of the action column from both the permission record and the relation record (in serialized form), so I can have a look at it?
I took this part of the code in the ormacl file, and I noticed an array_flip command.
I removed the array_flip, and \Auth::has_access('admin.group[read]') worked fine.
My serialized relations with array_flip a:3:{i:0;a:1:{s:5:"admin";a:1:{s:5:"group";a:0:{}}}i:1;a:0:{}i:2;N;} .
Without array_flip a:3:{i:0;a:1:{s:5:"admin";a:1:{s:5:"group";a:2:{i:0;s:4:"read";i:1;s:6:"create";}}}i:1;a:0:{}i:2;N;}, read and create actions are allowed.
And what are the contents of the actions column in users_user_permissions? Or users_group_permissions if your permissions are assigned to a group instead of a user?
If you have to remove array_flip() to get it to work, it suggests that value is wrong.
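The mismatch discussed above can be reproduced outside the framework. This is an added example, not code from the thread or from the Auth package: it assumes the ACL resolves a relation record's stored actions by flipping them and intersecting on keys with the permission record's actions, and the helper names and sample data are hypothetical. Stored indexes resolve to the wanted action names, while stored names resolve to an empty set, which is the empty "group" array in the serialized output posted above.

```php
<?php
// Constructed sample data; not taken from the thread's database.
// Actions defined on the permission record, as a numerically indexed list.
$permissionActions = array('read', 'create', 'update', 'delete');
$wanted = array('read', 'create');

// Form shown in the thread: store the indexes of the wanted actions.
$storedAsKeys = array_keys(array_intersect($permissionActions, $wanted));

// Suspected faulty form: the action names themselves saved in the relation record.
$storedAsNames = $wanted;

/**
 * Hypothetical helper. Resolves stored relation actions back to action names,
 * assuming the ACL flips the stored values and intersects on keys.
 */
function effective_actions(array $permissionActions, array $stored)
{
    return array_values(array_intersect_key($permissionActions, array_flip($stored)));
}

/**
 * Hypothetical pre-save check for a permissions screen: reject anything that
 * is not a valid index into the permission record's action list.
 */
function assert_valid_action_keys(array $permissionActions, array $stored)
{
    foreach ($stored as $key) {
        if (!is_int($key) || !array_key_exists($key, $permissionActions)) {
            throw new InvalidArgumentException(
                'Not an action index: ' . var_export($key, true)
            );
        }
    }
}

echo "stored as indexes: ", implode(',', effective_actions($permissionActions, $storedAsKeys)), "\n";
echo "stored as names:   ", implode(',', effective_actions($permissionActions, $storedAsNames)), "\n";

assert_valid_action_keys($permissionActions, $storedAsKeys);
try {
    assert_valid_action_keys($permissionActions, $storedAsNames);
} catch (InvalidArgumentException $e) {
    echo "rejected before save: ", $e->getMessage(), "\n";
}
```

Under this assumption a wrongly stored value fails closed (no actions granted) rather than granting extra rights, so validating the value before saving is preferable to removing array_flip() from the ACL code.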