Adding custom security policy limitations to your modules

Controlling access to our module

Now that our limitations are defined, we now need to filter access to our module depending on the rights that have been affected to a user. Indeed, this control is made in index.php for content module, and only for this one. As a consequence, we are forced to control the access ourselves. We can imagine changes in this regard in the future versions of eZ Publish.

Playing with eZJSCore

Manual access control of those limitations using the framework can easily become a real pain as the system is pretty complex. While a little refactoring would be nice on this part, workarounds exist that will make your life easier! Developer Andrè Rømcke have implemented in eZJSCore extension a simplified access control method in the shape of a template operator. This extension being now part of eZ Publish distribution, it would be a shame not to use it ! Besides, you can find a real good article presenting this extension on the community portal.

Here is the best way to proceed :

extension/myextension/modules/mymodule/myview.php :

$userHasAccess = ezjscAccessTemplateFunctions::hasAccessToLimitation( 'mymodule', 'myfunction' ); // Returns a boolean for current user

// Or if you want to check using limitations as well using ezjscore 1.2 (comes with eZ Publish 4.4) and up
// In this case providing list of languages user must have access to
$userHasAccess = ezjscAccessTemplateFunctions::hasAccessToLimitation( 'mymodule', 'myfunction', array( 'Language' => $languageList ) );

Get the limitations list for current user

Unfortunately, older versions of eZJSCore then 1.1.1 / 1.2 doesn't have any method allowing us to get available limitations for current user, which could be very useful to display a combo box containing limitations granted to the user for example (available languages in our case).

To do this, we will need to write a method returning those limitations in a simplified way. Indeed, eZUser class does have hasAccessTo() method, but its result is absolutely unreadable and needs to be strongly simplified. We will thus write a complementary method returning simplified limitations.

class MyClass
{
    /**
     * Shorthand method to check user access policy limitations for a given module/policy function.
     * Returns the same array as eZUser::hasAccessTo(), with "simplifiedLimitations".
     * 'simplifiedLimitations' array holds all the limitations names as defined in module.php.
     * If your limitation name is not defined as a key, then your user has full access to this limitation
     * @param string $module Name of the module
     * @param string $function Name of the policy function ($FunctionList element in module.php)
     * @return array
     */

    public static function getSimplifiedUserAccess( $module, $function )
    {
        $user = eZUser::currentUser();
        $userAccess = $user->hasAccessTo( $module, $function );

        $userAccess['simplifiedLimitations'] = array();
        if( $userAccess['accessWord'] == 'limited' )
        {
            foreach( $userAccess['policies'] as $policy )
            {
                foreach( $policy as $limitationName => $limitationList )
                {
                    foreach( $limitationList as $limitationValue )
                    {
                        $userAccess['simplifiedLimitations'][$limitationName][] = $limitationValue;
                    }
                        
                    $userAccess['simplifiedLimitations'][$limitationName] = array_unique($userAccess['simplifiedLimitations'][$limitationName]);
                }
            }
        }
        return $userAccess;
    }
}

This method returns an array containing result from eZUser::hasAccessTo(), with a new key : simplifiedLimitations. This key is also an array, containing the precious limitations.

In our example, for a user whom we would have affected a limitation Language allowing only fre-FR and eng-GB, this array would contain :

$limitations = MyClass::getSimplifiedUserAccess( 'mymodule', 'myfunction' );
print_r( $limitations['simplifiedLimitations'] );

// Result
Array
(
    [Language] => Array
        (
            [0] => fre-FR
            [1] => eng-GB
        )

)

As a result, in our module where we need to display a combo box with authorized languages, we would have :

extension/myextension/modules/mymodule/myview.php :

$tpl = eZTemplate::factory(); // Template init – from 4.3.0

$authorizedLang = eZINI::instance('site.ini')->variable( 'RegionalSettings', 'SiteLanguageList' ); // Default is all languages
$limitations = MyClass::getSimplifiedUserAccess( 'mymodule', 'myfunction' );
if( isset( $limitations['simplifiedLimitations']['Language'] ) ) // Found limitations on language. These will be the only available in the dropdown menu
    $authorizedLang = $limitations['simplifiedLimitations']['Language'];
$tpl->setVariable( 'languages', $authorizedLang );

$Result['content'] = $tpl->fetch( 'design:mydesignsubdir/myview.tpl' );

extension/myextension/design/standard/templates/mydesignsubdir/myview.tpl :

<select name="LanguageSelection">
{foreach $languages as $language}
    <option value=”{$language}”>{$language}</option>
{/foreach}
</select>