Programming with JFactory and User info

Posted: Fri Jun 21, 2013 8:34 pm
by mkitcowt
I am developing a maintenance program using MySQL and a Joomla 2.5 site and want to utilize Joomla User info to control access.

I created a new group called "Profile" (id=8) under Public with permissions "Site Login", "Create" and "Edit Own" set to "Allowed".
I want to assign a few users to this group and they will be allowed to update.
I also created a new Access Level, "Profile" and gave my new group viewing access. (although I don't know if that is necessary based on how I am using it)

I then code:
$user = JFactory::getUser();

What is the best way to verify that the user is "authorized" to update?
Is there a method I can reference?

Or do I have to code it:
$group_array = $user -> groups;
if (in_array(8, $group_array)) {echo "authorized";}else{echo "not authorized";}
And if so, how do I test "Create" and "Edit Own" permissions?

Lastly, if I want another group that can view only, do I need to create another group and/or VAL?

Re: Programming with JFactory and User info

Posted: Sun Jun 23, 2013 2:01 pm
by rcarey
Here is some code from com_content (aka, Articles) illustrating how it checks with the ACL for permission settings:

Code: Select all

$canEdit	= $user->authorise('core.edit', 'com_content.article.'.$item->id);
$canEditOwn	= $user->authorise('core.edit.own', 'com_content.article.'.$item->id) && $item->created_by == $userId;
All checks follow the same pattern: $user->authorise( , ) with the first string representing the "action" and the second string representing the "asset" (component, category, or item) to which the action applies. Above you see the checks for two actions ('core.edit' and 'core.edit.own') and both are checked against a particular article under the component com_content.

I feel com_content is a good component for modelling how extensions should be coded. So for this example, go to this file to see how the ACL results are integrated within the layout file:
/administrator/components/com_content/views/articles/tmpl/default.php


Keep in mind that each extension is free to create its own set of actions (e.g.: 'core.create', 'core.edit', 'core.whatever'), and each extension is responsible for enforcing the meaning of each of these actions (i.e., if a person is allowed or denied an action on that extension, what does that allow and what does that deny).


If you want to limit access (such as viewing access) to an extension or to category/items of an extension, then typically you would set this through an access level. You might need to create your own access level and assign it to just the one or few groups that should have this type of access.


The example you gave

Code: Select all

if (in_array(8, $group_array)) {echo "authorized";}else{echo "not authorized";} 
is helpful if you are overriding a layout file and need to impose some permission to see or do something - within an extension for which you do not have control to add actions and set permissions. But the developer of an extension ought to use the ACL code such as $user->authorize(,).
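
The pattern described in the reply above, applied to a custom component, as an added example that is not part of the original posts or of Joomla core: it checks "Create", "Edit" and "Edit Own" through $user->authorise() instead of a hard-coded group id. The component name com_maintenance, the created_by field and the StubUser class are assumptions, and the actions are assumed to be declared in the component's access.xml.

```php
<?php
// Added example: not Joomla core code. 'com_maintenance' and the record
// fields are hypothetical names for the poster's own component.

/** True if $user may update $record under the component's ACL. */
function canUpdateRecord($user, $record, $asset = 'com_maintenance')
{
    if ($user->authorise('core.edit', $asset)) {
        return true; // may edit any record
    }
    // "Edit Own" only counts when the logged-in user created the record.
    // Guests have id 0, so they can never match an owner.
    $userId = (int) $user->get('id');
    return $userId > 0
        && (bool) $user->authorise('core.edit.own', $asset)
        && (int) $record->created_by === $userId;
}

/** True if $user may add new records. */
function canCreateRecord($user, $asset = 'com_maintenance')
{
    return (bool) $user->authorise('core.create', $asset);
}

if (class_exists('JFactory')) {
    // Inside Joomla: enforce on the server before running the UPDATE,
    // not only when deciding whether to show an edit link.
    $user   = JFactory::getUser();
    $record = (object) array('id' => 1, 'created_by' => 42); // constructed row
    if (!canUpdateRecord($user, $record)) {
        JError::raiseError(403, JText::_('JERROR_ALERTNOAUTHOR'));
    }
} else {
    // Outside Joomla: constructed stand-in for JUser to exercise the logic.
    class StubUser
    {
        private $id;
        private $allowed;
        public function __construct($id, array $allowed) { $this->id = $id; $this->allowed = $allowed; }
        public function get($key) { return $key === 'id' ? $this->id : null; }
        public function authorise($action, $asset = null) { return in_array($action, $this->allowed, true); }
    }
    $record = (object) array('id' => 1, 'created_by' => 42); // constructed row
    var_dump(canUpdateRecord(new StubUser(42, array('core.edit.own')), $record)); // owner
    var_dump(canUpdateRecord(new StubUser(7, array('core.edit.own')), $record));  // not owner
    var_dump(canUpdateRecord(new StubUser(7, array('core.edit')), $record));      // editor
    var_dump(canCreateRecord(new StubUser(0, array())));                          // guest
}
```

Because permissions are resolved per asset, moving a user between groups or changing the group's settings in the component's Options takes effect without touching this code, which a hard-coded group id cannot offer.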