Some really wise guy wanna tell us something about ACL

Started by simbus82, January 26, 2012, 11:03:04 AM

simbus82

Please, this can take only a few minutes to add!!!!

http://www.aclmanager.net/blog/general/31-how-to-add-basic-acl-support-to-your-extension


Step 1: Add/modify config.xml

The first step is to define the possible actions for your extension. We want to add support for Configure (core.admin) and Access Component (core.manage). We need to define these actions in the config.xml file of your extension. Create the following file and add the code below.

File: administrator/components/com_virtuemart/config.xml
<?xml version="1.0" encoding="utf-8"?>
<config>
    <fieldset name="permissions" label="JCONFIG_PERMISSIONS_LABEL" description="JCONFIG_PERMISSIONS_DESC">
        <field name="rules" type="rules" label="JCONFIG_PERMISSIONS_LABEL" filter="rules" component="com_virtuemart" section="component">
            <action name="core.admin" title="JACTION_ADMIN" description="JACTION_ADMIN_COMPONENT_DESC" />
            <action name="core.manage" title="JACTION_MANAGE" description="JACTION_MANAGE_COMPONENT_DESC" />
        </field>
    </fieldset>
</config>


If you already have the config.xml file you just need to add the permissions fieldset part.
As you can see in the code above we have added two actions, core.admin and core.manage.
The 'core' part of the action names means that this action is a Joomla core action.
If you add custom actions you need to use the format virtuemart.actionname, more about this in a next article.
Don't forget to replace the component name (com_virtuemart) with the component name of your extension.


Step 2: Add access check

The next step is to add the access check to the entire component, add the following code just below the direct access check (defined('_JEXEC') or die;).

File: administrator/components/com_virtuemart/admin.virtuemart.php
// Access check.
if (!JFactory::getUser()->authorise('core.manage', 'com_virtuemart')) {
    return JError::raiseWarning(404, JText::_('JERROR_ALERTNOAUTHOR'));
}


So a user without Access Component permission is not able to access the component and will get a 404 error message.
The component will not be visible in the components menu if the user is not allowed to access the component.
So the user will only see the error message via a direct link to the component. Otherwise the user possibly will not even know the extension is there.


Step 3: Add the 'Options' toolbar button

Ok, almost there. We only need to add the Options toolbar button in the extension toolbar.
You will probably already have the addToolbar() function in your view file of the extension, extend this by adding the following code.

File: administrator/components/com_virtuemart/views/IN-ALL-ADMIN-PAGE-FOLDERS/view.html.php
// Options button.
if (JFactory::getUser()->authorise('core.admin', 'com_virtuemart')) {
    JToolBarHelper::preferences('com_virtuemart');
}


This code adds the Options button to the toolbar and also does an access check so only User Groups with Configure permission for the extension are able to see and click the button to configure the extension.
You may need to repeat this for more views if applicable.


Step 4: Add one language string

Users are now able to click on the Options button in the toolbar.
By clicking on this button a modal window will show up where you can set the permissions of the extension.
The title of this window needs to be added to your language file, so add the following language string to your language file(s).

File: administrator/language/en-GB/en-GB.com_virtuemart.ini
COM_VIRTUEMART_CONFIGURATION="VirtueMart Options"
Joomla! 2.5.16 & VM 2.0.24b
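
Added example, not part of the original post or of the tutorial it quotes: a small Python audit that checks a component for what Steps 1 and 2 describe, namely both actions declared in config.xml and a core.manage check placed after the _JEXEC guard in the entry file. The function names and the sample strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED = {"core.admin", "core.manage"}  # the two actions from Step 1

def declared_actions(config_xml, component):
    """Action names declared in the permissions fieldset for `component`."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    names = set()
    for field in root.iterfind(".//fieldset[@name='permissions']/field[@type='rules']"):
        if field.get("component") == component:
            names.update(a.get("name") for a in field.iterfind("action"))
    return names

def has_access_check(php, action, component):
    """True if authorise(action, component) is called after the _JEXEC guard."""
    php = re.sub(r"//[^\n]*", "", php)  # drop // comments; other comment styles not handled
    guard = re.search(r"defined\s*\(\s*['\"]_JEXEC['\"]\s*\)\s*or\s*die", php)
    if guard is None:
        return False
    call = re.compile(r"->authorise\s*\(\s*['\"]%s['\"]\s*,\s*['\"]%s['\"]\s*\)"
                      % (re.escape(action), re.escape(component)))
    return call.search(php, guard.end()) is not None

def audit(config_xml, entry_php, component):
    """Findings for Step 1 (declared actions) and Step 2 (entry-point check)."""
    findings = ["config.xml: %s not declared" % n
                for n in sorted(REQUIRED - declared_actions(config_xml, component))]
    if not has_access_check(entry_php, "core.manage", component):
        findings.append("entry point: no core.manage check after _JEXEC guard")
    return findings

# Constructed samples modelled on the snippets in the post.
CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<config><fieldset name="permissions">
<field name="rules" type="rules" component="com_virtuemart" section="component">
<action name="core.admin" title="JACTION_ADMIN" />
</field></fieldset></config>"""
ENTRY_OK = """<?php
defined('_JEXEC') or die;
if (!JFactory::getUser()->authorise('core.manage', 'com_virtuemart')) {
    return JError::raiseWarning(404, JText::_('JERROR_ALERTNOAUTHOR'));
}"""
ENTRY_COMMENTED = ENTRY_OK.replace("if (!JFactory", "// if (!JFactory")

if __name__ == "__main__":
    print(audit(CONFIG, ENTRY_OK, "com_virtuemart"))
    print(audit(CONFIG, ENTRY_COMMENTED, "com_virtuemart"))
```

The constructed CONFIG deliberately omits core.manage, and ENTRY_COMMENTED has the check commented out, so each sample produces a finding.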

Milbo

? Read the code first please. The tutorial you posted is known, the access code is added to the xml already, so I am wondering.
It is not completely implemented. Yes, you can't use the j1.7 ACL to finetune the rights. We have "non admin", or "admin", that's it. And we have a check, try to do stuff as non admin and you will see it is secured. So stop screaming around, when you have not tested it. It would be different, when you could actually tell us, how you were able as non admin to enter the BE, or to change products. Look in class Permissions to see how it is implemented. You can also join the team and write it :-). But atm it looks like you just noticed there is no config option for j1.7 ACL and therefore you got the idea, we do not check for this. Reminds me of http://en.wikipedia.org/wiki/Straw_man , but maybe I do it myself.
Should I fix your bug, please support the VirtueMart project and become a member: http://extensions.virtuemart.net/support/virtuemart-supporter-membership-detail
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

simbus82

#2
Quote from: Milbo on January 26, 2012, 11:46:28 AM
? Read the code first please. The tutorial you posted is known, the access code is added to the xml already, so I am wondering.
It is not completely implemented. Yes, you can't use the j1.7 ACL to finetune the rights. We have "non admin", or "admin", that's it. And we have a check, try to do stuff as non admin and you will see it is secured. So stop screaming around, when you have not tested it. It would be different, when you could actually tell us, how you were able as non admin to enter the BE, or to change products. Look in class Permissions to see how it is implemented. You can also join the team and write it :-). But atm it looks like you just noticed there is no config option for j1.7 ACL and therefore you got the idea, we do not check for this. Reminds me of http://en.wikipedia.org/wiki/Straw_man , but maybe I do it myself.

First of all, congratulations on having changed the title, nice joke ... -_- What a good impression!

A LOT of customers (people who do not want problems when managing an ecommerce) want to see only the backend in which they can work.

If I adjust the ACL in this way, my clients cannot get access to your component, because I, from within the component, cannot give them access!

Without the simple basic ACL, exclusive access cannot be given.
With your system, for example, an administrator is obliged to fill in the required fields like a shopper to be able to assign permissions for use of VM.

Then I really cannot understand your conceited and pedantic way of writing to a person who has shown a VM limit. Be more humble, man! I never "screamed around".

PS: I have edited some "views" in admin to test... it works.

Milbo

Your title gave the impression that there is a bug with the ACL, which gives the impression that we did not work cleanly and vm2 is insecure, which is not true. There are a lot of people who watch the forum and most of the time do not read the threads themselves. It is like a misleading headline in a newspaper.

It is not a question of whether it works. The problem is a lot deeper. You may not have noticed, but vm2 must also work on j1.5. Your idea works only for j1.7! We must implement that in the Permissions file and do that with care.

And it is not true, what you say. Every admin in a singlevendor store can enter com_virtuemart. Editors not. They do not need to fill any special fields. Just joomla admin is enough.

That the system is quite rough atm is a known fact and written in the news and here in the forum. It is even written down, when we start with the implementation of it. We start with this, when all features work and vm2.0.x is stable. Then we start with things like this, maybe for 2.2 or 2.4.