Difference between revisions of "Developing a MVC Component/Adding ACL"
From Joomla! Documentation
Ilie.pandia (talk | contribs) (added working examples of checking permissions on the server side (just declaring them is no use...)) |
Ilie.pandia (talk | contribs) m (signature fix) |
||
| Line 59: | Line 59: | ||
Once you implement the changes above the tutorial should work as intended. (''allowAdd'' should also be implemented to check for category permission at least, but since the author of the tutorial did not add a "core.add" action for the "message" section, I'll leave like it is. | Once you implement the changes above the tutorial should work as intended. (''allowAdd'' should also be implemented to check for category permission at least, but since the author of the tutorial did not add a "core.add" action for the "message" section, I'll leave like it is. | ||
| − | [[User:Ilie.pandia|Ilie.pandia]] ([[User talk:Ilie.pandia|talk]]) | + | [[User:Ilie.pandia|Ilie.pandia]] ([[User talk:Ilie.pandia|talk]]) 06:06, 11 October 2012 (CDT) 06:06, 11 October 2012 (CDT) |
Somehow the ACL doesn't work on Edit permission for me. It shows both Save & New and Save as Copy buttons when it has no create rights. Gone through the code twice, but cannot see anything wrong with it... Anybody else have same problem? --[[User:A2Ggeir|A2Ggeir]] 10:19, 6 December 2010 (UTC) | Somehow the ACL doesn't work on Edit permission for me. It shows both Save & New and Save as Copy buttons when it has no create rights. Gone through the code twice, but cannot see anything wrong with it... Anybody else have same problem? --[[User:A2Ggeir|A2Ggeir]] 10:19, 6 December 2010 (UTC) | ||
Revision as of 06:06, 11 October 2012
Checking the permissions on the Server Side[edit]
The tutorial at the moment of writing is not enforcing the permissions on the server side, allowing a forged request to modify data. (Permissions are only declared and set, but not checked!)
Looking at how this is handled in other components in Joomla I've noticed that:
"core.delete" is enforced in the model class: admin/models/helloworld.php by adding these lines:
/**
* Method to check if it's OK to delete a message. Overwrites JModelAdmin::canDelete
*/
protected function canDelete($record)
{
if( !empty( $record->id ) ){
$user = JFactory::getUser();
return $user->authorise( "core.delete", "com_helloworld.message." . $record->id );
}
}"core.edit" (and core.add if you wish) are enforced in the sub-controller (NOT in the model). I don't know why this is so, but that's how other components do it. You need to add the following lines in the file: /admin/controllers/helloworld.php
/**
* Implement to allowAdd or not
*
* Not used at this time (but you can look at how other components use this....)
* Overwrites: JControllerForm::allowAdd
*
* @param array $data
* @return bool
*/
protected function allowAdd($data = array())
{
return parent::allowAdd($data);
}
/**
* Implement to allow edit or not
* Overwrites: JControllerForm::allowEdit
*
* @param array $data
* @param string $key
* @return bool
*/
protected function allowEdit($data = array(), $key = 'id')
{
$id = isset( $data[ $key ] ) ? $data[ $key ] : 0;
if( !empty( $id ) ){
$user = JFactory::getUser();
return $user->authorise( "core.edit", "com_helloworld.message." . $id );
}
}Once you implement the changes above the tutorial should work as intended. (allowAdd should also be implemented to check for category permission at least, but since the author of the tutorial did not add a "core.add" action for the "message" section, I'll leave like it is.
Ilie.pandia (talk) 06:06, 11 October 2012 (CDT) 06:06, 11 October 2012 (CDT)
Somehow the ACL doesn't work on Edit permission for me. It shows both Save & New and Save as Copy buttons when it has no create rights. Gone through the code twice, but cannot see anything wrong with it... Anybody else have same problem? --A2Ggeir 10:19, 6 December 2010 (UTC)
Did a little debug and it seems the values from function canDo() in Helper does not return the right values when it is in edit view.
Result when in listview:
'core.admin' => NULL,
'core.manage' => true,
'core.create' => false,
'core.edit' => true,
'core.delete' => false,
Result when in editview:
'core.admin' => NULL,
'core.manage' => NULL,
'core.create' => true,
'core.edit' => true,
'core.delete' => true,
--A2Ggeir 12:02, 7 December 2010 (UTC)
Delet dosn't work[edit]
when you want to delete a message it goes wrong and the message appears:
500 - Es ist ein Fehler aufgetreten
Layout „default“ nicht gefunden
downt know why its not working... maybee some can check this out.
Greetz
Ok, so I have carefully followed the tutorial to here. What I need to know now is HOW do I allow a user who only has edit.own rights to get to the admin edit for the component??
I tried for a while to create an edit page on the front end, but no luck and no help. It occurred to me that perhaps if I could not bring the mountain to Mohammed, I could get Mohammed access to the mountain. But how to do it without making every user an administrator? Even a manager has too much other access.
"In theory, there's no difference between theory and practice; in practice, there is" --Yogi Berra 10:14, 12 November 2011 (CST) Using v1.7
I think that this example is missing something in the bind method.
// Bind the rules.
if (isset($array['rules']) && is_array($array['rules']))
{
$rules = new JAccessRules($array['rules']);
$this->setRules($rules);
}
If we don't bind the rules then they are not saved in the asset table for the message/item...
Missing asset_id field[edit]
I think database table is missing field "asset_id", which is required. Watch this link here.
https://www.joomlajingle.com/blog/39-joomla-acl-for-developers
Vipantonio 06:19, 9 August 2012 (CDT)