Threaded Mode | Linear Mode

akhasis · 10-Aug-2012, 07:03 AM

Hello:

I have extended the cms module to allow personal messages and show groups and categories at the same time. So now I have a new module, myfirm-cms, with pretty much the same functionality as the original one.

What I want to do now is to allow the users to edit and delete their own contents despite they may be forbidden to do so at the roles admin section. That is, only admins can edit/delete any content, but each user can do so with their own content.

I don't know where to override the default behaviour (I think the method is isAllowed) only for this module so that the user doesn't get a "YOU DONT HAVE PERMISSIONS" message when they go to myfirm-cms/edit/edit on one of their contents even if they don't have such permissions.

Thank you,

***mayorbrain*** · (This post was last modified: 10-Aug-2012 12:40 PM by mayorbrain.)

Yea, you could work on isAllowed(), but I think it will be easier to move higher in the execution heirarchy. Go to Initializer::performAcl().

In the performAcl() function, you will come across this

PHP Code:

if($request->getModuleName() == 'cms')//the cms module has its controller has the privilege and not its action
        {
            $resource = new Precurio_Resource('cms_index');
            $privilege = new Precurio_Privilege($request->getControllerName());
        }
        else
        {
            $resource = new Precurio_Resource($request->getModuleName().'_'.$request->getControllerName());
            $privilege = new Precurio_Privilege($request->getActionName());
        } 

Just before that snippet, add this line

PHP Code:

if($request->getModuleName() == 'myfirm-cms')
{
                Zend_Registry::set('ignoreAcl',true);
                return;
} 

This will ignore access control for the 'myfirm-cms' module.

akhasis · 13-Aug-2012, 12:56 AM

Thank you for pointing out where to find the code for the permissions logic.

Based on the code you provided, I finally took a slightly different approach. In case somebody is interested:

PHP Code:

        if($request->getModuleName() == 'cms')//the cms module has its controller has the privilege and not its action
        {
            $resource = new Precurio_Resource('cms_index');
            $privilege = new Precurio_Privilege($request->getControllerName());
        }
        else
        {        
            $resource = new Precurio_Resource($request->getModuleName().'_'.$request->getControllerName());
            $privilege = new Precurio_Privilege($request->getActionName());
        
            // Lines added by akhasis to override default permissions system    
            if($request->getModuleName() == 'myfirm-cms')
            {
                if($privilege == 'edit') 
                {
                    $content_id = $this->getRequest()->getParam('c_id');
                    $myfirmContent = new MyfirmContents(); // MyfirmContents extends MyContents
                    $content = $myfirmContent->getContent($content_id);
                    
                    if($content->canEdit(Precurio_Session::getCurrentUserId()))  // canEdit checks wether the current user is the author of the contents
{                    
                        $privilege = new Precurio_Privilege('view'); // The premise is: "if this content belongs to the user and he or she can view it, then is also allowed to edit it
                    }
                }     
            } 
            // End of lines added by akhasis
        } 