Understanding user->authorize("core.edit.own", "component.<view-element>.id")


Patrick Hertling

Dec 3, 2013, 10:18:00 AM12/3/13
to joomla-de...@googlegroups.com
Hi,
I'm starting to develop components and would like to understand the user->authorize("core.edit.own", "...") function.
My question is what do I need to have implemented / declared to make it work?

Let's say I have multiple views.
One view set is Cars and car.
When I list the cars I want to show only the public cars and the cars owned by the user.
I have a "created_by" field in every database car record.

If I call authorize("core.edit.own", "<component>.<view-item>.id"), where do I have to declare the "view-item" permission?
Is this written in the JDatabase or JTable core?

Thank you for your time
Patrick

Mark Dexter

Dec 3, 2013, 10:55:30 AM12/3/13
to Joomla! General Development
If you look at one of the core components, say com_contact, you will see this file: administrator/components/com_contact/access.xml. That is where the UI to set the permissions comes from (in the configuration for the component). This creates the "Permissions" tab in the component configuration options. Good luck. Mark



Ove

Dec 3, 2013, 12:05:10 PM12/3/13
to joomla-de...@googlegroups.com
If you think of a backend list/single item combination there are two
things involved, both on user group level:
1. What you see in the list depends on the table field accesslevel.
Defined in the user menu, set per item.
2. The actions (create/edit...) allowed are controlled by the ACL. Set in
the component options. Defined where Mark said.

If core.edit.own is set to yes for the user's user group he can edit,
otherwise not. You can define other actions like custom.view.own but
they are controlled on user group level.

Hope that helps.

Patrick Hertling

Dec 3, 2013, 3:18:55 PM12/3/13
to joomla-de...@googlegroups.com

Thank you both very much for your time. I bought your Joomla Development book and it's great.
I understand ACL and know where to set the permissions. I understand everything except how core.edit.own works internally.

When I say $user->authorize("core.edit.own", "component.listview.id"), what do I need to make it work? I have established the action and section tabs in the access.xml. But how does the Joomla core know if the item belongs to the user I am asking for? I assume I need to have a "created_by" field in the database. Is that all, or do I need something else to make it work?

Thank you again :)

Patrick Hertling

Dec 3, 2013, 3:36:23 PM12/3/13
to joomla-de...@googlegroups.com
Let me give an example:
Let's say com_content. How does core.edit.own know which article belongs to which user? Of course I need to create the privileges in the access.xml file in order to call for it, but what else?

Bakual

Dec 3, 2013, 5:23:14 PM12/3/13
to joomla-de...@googlegroups.com
core.edit.own itself doesn't know if the item belongs to the user. It just knows that the user is allowed to edit his own items.
If the user is authorised, it's the responsibility of the component to check if the user owns the item. This is usually done by comparing the user id to the created_by property of the item.


On Tuesday, December 3, 2013 at 21:36:23 UTC+1, Patrick Hertling wrote:

Adam Rifat

Dec 3, 2013, 5:25:25 PM12/3/13
to joomla-de...@googlegroups.com
I don't think that Joomla 'knows' which articles belong to which user. It's derived via the 'created_by' property in the content table.

administrator/components/com_content/controllers/article.php - this controller has a method called allowEdit. So when a user tries to edit an article there is an explicit check whether the created_by user id is also the current user trying to edit the record (if that user doesn't have core.edit permissions).

Also, check out the default template in the articles view of com_content. You see this on line 119:

$canEditOwn = $user->authorise('core.edit.own', 'com_content.article.' . $item->id) && $item->created_by == $userId;

which seems to be similar logic to that in the controller.

So basically, you need to track the user who 'owns' the asset, and then assign a user group to that user that doesn't have global edit permission on the component. So when the core.edit fails you fall back and check if the user is the 'creator'.

HTH
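The pattern Bakual and Adam describe (ACL grants "may edit own", the component decides ownership), written out as an allowEdit() override for a hypothetical com_cars component. This is an added example, not code from the thread or from Joomla itself; it assumes a cars table with an integer created_by column and an access.xml that declares core.edit and core.edit.own for the com_cars.car section.

```php
<?php
// Added example for a hypothetical com_cars component (Joomla 3 style).
// Assumes: table with an integer "created_by" column, and access.xml
// declaring core.edit / core.edit.own under the "com_cars.car" asset.
defined('_JEXEC') or die;

class CarsControllerCar extends JControllerForm
{
    protected function allowEdit($data = array(), $key = 'id')
    {
        $recordId = (int) (isset($data[$key]) ? $data[$key] : 0);
        $user     = JFactory::getUser();
        $userId   = (int) $user->get('id');
        $asset    = 'com_cars.car.' . $recordId;

        // Global edit permission on this item's asset wins outright.
        if ($user->authorise('core.edit', $asset))
        {
            return true;
        }

        // core.edit.own only says the user MAY edit items they own;
        // whether they own THIS item is decided below by the component.
        if (!$user->authorise('core.edit.own', $asset))
        {
            return false;
        }

        // A guest has id 0. Never let a guest "own" a record whose
        // created_by is also 0 (unset), and never check a missing id.
        if ($userId === 0 || $recordId === 0)
        {
            return false;
        }

        $table = $this->getModel()->getTable();

        if (!$table->load($recordId))
        {
            // Unknown record: deny instead of guessing.
            return false;
        }

        // Ownership check: strict integer comparison on created_by.
        return (int) $table->created_by === $userId;
    }
}
```

The same two-step test (authorise core.edit.own, then compare created_by) is what the list view needs when deciding whether to render an edit link, so the controller check above is the one that must hold even if the view is bypassed.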

Patrick Hertling

Dec 3, 2013, 5:53:49 PM12/3/13
to joomla-de...@googlegroups.com
Thank you so much, people. Now it's clear. Great explanations.