Warning: This page has not been updated in over a year and may be outdated or deprecated.
configuration:permission_options
Differences
This shows you the differences between two versions of the page.
configuration:permission_options [2017/08/30 13:44] – [Structure of permissionBehavior.ini] demiankatz | configuration:permission_options [2023/11/09 19:10] (current) – demiankatz | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Permission Configuration ====== | ====== Permission Configuration ====== | ||
- | VuFind | + | VuFind® |
- | VuFind | + | VuFind® |
+ | VuFind® 6.1 adds a significant new option to permissionBehavior.ini: | ||
===== Structure of permissionBehavior.ini ===== | ===== Structure of permissionBehavior.ini ===== | ||
Each permission rule (sections in permissions.ini) can get a section in permissionBehavior.ini. Please use the name of the permission rule as specified in the permission attribute in permissions.ini as the section name in permissionBehavior.ini. Each section in permissionBehavior.ini may have two attributes: deniedTemplateBehavior and deniedControllerBehavior. | Each permission rule (sections in permissions.ini) can get a section in permissionBehavior.ini. Please use the name of the permission rule as specified in the permission attribute in permissions.ini as the section name in permissionBehavior.ini. Each section in permissionBehavior.ini may have two attributes: deniedTemplateBehavior and deniedControllerBehavior. | ||
- | deniedTemplateBehavior controls the display of template content associated with the permission. If you want to show the content only to people who have logged in, you could define a permission rule in permissions.ini and reference that in permissionBehavior.ini, | + | deniedTemplateBehavior controls the display of template content associated with the permission. If you want to show the content only to people who have logged in, you could define a permission rule in permissions.ini and reference that in permissionBehavior.ini, |
- | deniedControllerBehavior controls | + | deniedControllerBehavior controls |
As noted above, all possible values for these options are documented in permissionBehavior.ini. | As noted above, all possible values for these options are documented in permissionBehavior.ini. | ||
See also the following examples, which should illustrate some use cases with permissionBehavior. | See also the following examples, which should illustrate some use cases with permissionBehavior. | ||
+ | |||
+ | ===== Other useful configuration settings ===== | ||
+ | |||
+ | ==== Search Tabs Permissions ==== | ||
+ | |||
+ | VuFind® 4.1 introduces a [SearchTabsPermissions] section in [[configuration: | ||
+ | |||
+ | Note that [SearchTabsPermissions] ONLY controls the rendering of tabs. It does not prevent users from accessing the searches that those tabs can produce. To restrict actual searching, you will need to pair some controller-specific rules with your search tab permissions. Examples can be found below. | ||
+ | |||
+ | ===== Checking permissions in code ===== | ||
+ | |||
+ | Starting with VuFind® 4.1, the code includes some convenient tools to help with permission management. | ||
+ | |||
+ | ==== Controllers ==== | ||
+ | |||
+ | Since VuFind® 2.4, it has been possible to make a controller check a particular permission before dispatching any actions. A controller simply needs to set its $accessPermission property to the name of a permission from permissions.ini to enforce this simple check. | ||
+ | |||
+ | VuFind® 4.0 added the $accessDeniedBehavior property, which a controller can set to either ' | ||
+ | |||
+ | VuFind® 4.1 added even greater flexibility by adding permissionBehavior.ini (which overrides $accessDeniedBehavior for configured permissions, | ||
+ | |||
+ | < | ||
+ | // Check permission: | ||
+ | $defaultBehavior = ' | ||
+ | $response = $this-> | ||
+ | if (is_object($response)) { | ||
+ | return $response; | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==== Templates ==== | ||
+ | |||
+ | It was not possible to check permissions in templates until VuFind® 4.1, which introduced the permission view helper. This can be used in templates like this: | ||
+ | |||
+ | < | ||
+ | <? if ($this-> | ||
+ | You have permission to see this block of code! | ||
+ | <? elseif ($block = $this-> | ||
+ | <? | ||
+ | <? endif; ?> | ||
+ | </ | ||
===== Examples ===== | ===== Examples ===== | ||
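Review bot: The new Templates subsection introduces the permission view helper without the caveat that the Search Tabs Permissions paragraph states for tabs: a template check only decides what is rendered. Add a sentence there saying that the action behind a hidden block still needs the controller's $accessPermission or the controller-level check shown under Controllers, so readers do not treat a hidden link or button as access control. The section intro "Starting with VuFind® 4.1" also reads oddly next to the Controllers text, which dates $accessPermission to 2.4 and $accessDeniedBehavior to 4.0; wording the intro around what 4.1 added would avoid the apparent contradiction.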
Line 23: | Line 65: | ||
==== Global settings ==== | ==== Global settings ==== | ||
- | * If a user does something he is not allowed to, show a login page as default (unless | + | === Show login page unless |
- | PermissionBehavior.ini: | + | // If a user accesses a restricted page, show a login page as default (unless a deniedControllerBehavior directive overrides that). // |
+ | |||
+ | permissionBehavior.ini: | ||
[global] | [global] | ||
- | | + | |
- | * If a user does something he is not allowed to, show a note as default (unless | + | === Show custom message |
- | PermissionBehavior.ini: | + | // If a user accesses a restricted page, show a note as default (unless a deniedControllerBehavior directive overrides that). // |
+ | |||
+ | permissionBehavior.ini: | ||
[global] | [global] | ||
- | | + | |
==== Admin Module ==== | ==== Admin Module ==== | ||
- | * Only users from certain IPs are allowed to use the AdminModule. If a user, who is not allowed to use it, enters the Admin module, show a note. | + | === Show note to users accessing |
- | Permissions.ini: | + | // Only users from certain IPs are allowed to use the AdminModule. If an unauthorized user enters the Admin module, show a note. // |
+ | |||
+ | permissions.ini: | ||
[default.AdminModule] | [default.AdminModule] | ||
ipRange = " | ipRange = " | ||
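Review bot: In the Admin Module description, "AdminModule" and "Admin module" name the same thing within two sentences ("allowed to use the AdminModule. If an unauthorized user enters the Admin module"); pick one spelling, preferably the one matching the [default.AdminModule] section name. It would also help to state in that description that the restriction itself comes from the ipRange rule in permissions.ini, and that the note is only what a denied user sees.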
Line 46: | Line 94: | ||
permissionBehavior.ini: | permissionBehavior.ini: | ||
[access.AdminModule] | [access.AdminModule] | ||
- | | + | |
==== Favorites ==== | ==== Favorites ==== | ||
- | * The button to save a record as a favorite record should be only displayed, after a user has logged in. | + | === Only show favorites |
- | Permissions.ini: | + | // The button to save a record as a favorite record should be only displayed after a user has logged in. // |
- | [default.favoritesSave] | + | |
+ | permissions.ini: | ||
+ | [default.Favorites] | ||
role[] = loggedin | role[] = loggedin | ||
- | permission = favorites.save | + | permission = feature.Favorites |
- | PermissionBehavior.ini: | + | permissionBehavior.ini: |
- | [favorites.save] | + | [feature.Favorites] |
- | | + | |
- | * The button | + | === Always show favorites |
- | That's the default in VuFind now. | + | |
- | Permissions.ini: | + | // The button to save a record as a favorite record should be always displayed, but if a user is not logged in, he should be forced to login. // |
- | [default.favoritesSave] | + | |
+ | (This is the default behavior in VuFind® now). | ||
+ | |||
+ | permissions.ini: | ||
+ | [default.Favorites] | ||
role[] = loggedin | role[] = loggedin | ||
- | permission = favorites.save | + | permission = feature.Favorites |
- | PermissionBehavior.ini: | + | permissionBehavior.ini: |
- | [favorites.save] | + | [feature.Favorites] |
- | | + | |
==== Primo Central ==== | ==== Primo Central ==== | ||
- | * You are using the PrimoCentral index and are offering it with a seperate register (SearchTab). The user should be allowed to see the register | + | === Suppress |
- | Permissions.ini: | + | // You are using the PrimoCentral index and are offering it with a separate search tab. The user should be allowed to see the tab only if logged in or within a certain IP range. Otherwise the search tab should not get displayed. // |
+ | |||
+ | config.ini: | ||
+ | [SearchTabs] | ||
+ | Solr = Main | ||
+ | Primo = Extra | ||
+ | |||
+ | [SearchTabsPermissions] | ||
+ | Primo = access.PrimoModule | ||
+ | |||
+ | permissions.ini: | ||
[default.primo] | [default.primo] | ||
require = ANY | require = ANY | ||
ipRange = " | ipRange = " | ||
role[] = loggedin | role[] = loggedin | ||
- | permission = access.Primo | + | permission = access.PrimoModule |
- | PermissionBehavior.ini: | + | permissionBehavior.ini: |
- | [access.Primo] | + | [access.PrimoModule] |
- | | + | |
- | * You are using the PrimoCentral index and are offering it with a seperate register (SearchTab). Any user should be allowed to see the register tab, but if the tab is clicked, the user should see a note telling him that he needs to be in a certain | + | === Show note outside of IP range === |
- | Permissions.ini: | + | // You are using the PrimoCentral index and are offering it with a separate search tab. Any user should be allowed to see the tab, but if the tab is clicked, the user should see a note telling him that he needs to be logged in or within a certain IP range to use this tab. // |
- | [default.primo] | + | |
- | require = ANY | + | |
- | ipRange = " | + | |
- | role[] = loggedin | + | |
- | permission = access.Primo | + | |
- | PermissionBehavior.ini: | + | config.ini and permissions.ini should be the same as the previous example. |
- | [access.Primo] | + | |
- | permissionDeniedAction = " | + | |
- | * You are using the PrimoCentral index and are offering it with a seperate register (SearchTab). Any user should be allowed to see the register tab, but if the tab is clicked, system should throw an exception. | + | permissionBehavior.ini: |
+ | [access.PrimoModule] | ||
+ | deniedControllerBehavior = " | ||
- | Permissions.ini: | + | === Throw exception outside of IP range === |
- | [default.primo] | + | |
- | require | + | |
- | ipRange | + | |
- | role[] | + | |
- | permission | + | |
- | PermissionBehavior.ini: | + | // You are using the PrimoCentral index and are offering it with a separate search tab. Any user should be allowed to see the tab, but if the tab is clicked, the system should throw an exception when permission is denied. // |
- | [access.Primo] | + | |
- | | + | config.ini and permissions.ini should be the same as the previous example. |
+ | |||
+ | permissionBehavior.ini: | ||
+ | [access.PrimoModule] | ||
+ | | ||
---- struct data ---- | ---- struct data ---- | ||
+ | properties.Page Owner : | ||
---- | ---- | ||
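Review bot: In "Show note outside of IP range" and "Throw exception outside of IP range", the description says any user should see the tab, yet config.ini is stated to be the same as the previous example, which maps Primo to access.PrimoModule under [SearchTabsPermissions] and is described as suppressing the tab for users without permission. Say explicitly which setting keeps the tab visible in these two cases (or show config.ini without the [SearchTabsPermissions] line), so readers do not copy a configuration that hides the tab they expected to show. Separately, "he should be forced to login" in the Favorites description and "telling him that he needs" in the Primo description keep the gendered wording that the Global settings descriptions dropped in this same revision; "they" and the verb form "log in" would be consistent.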
configuration/permission_options.1504100640.txt.gz · Last modified: 2017/08/30 13:44 by demiankatz