Title: Xaraya: Privileges and Content Filtering

Author: jrojr

Date: September 14, 2005 3:23:08 AM or Wed, 14 September 2005 03:23:08

Summary: 

Security checks and masks are there to facilitate the filtering of content to your users in Xaraya.

Body: 

In many websites that are community-based, administrators must create different levels of access for content to control how their members interact with the website. For example, a website may have the following categories of users:

• administrators that are able to add, edit, and delete any content on the website
• editors that are able to add and edit any content on the website, but are explictly denied permission to delete content
• registered users that are only able to add content (meaning they are disallowed from editing or deleting existing content)
• visitors that are unable to contribute any content

A Hypothetical Example

Usually, the presence of Xaraya's administration panel is determined behind the scenes in PHP, but:

• What if we don't want to rely on the administration panel to allow users to contribute content?
• What if we want editors to click on an "Edit this Article" link in an article they're currently viewing, to reduce the amount of clicks it takes them to edit an article?
• What if we don't want users who haven't been given the privilege to edit the article to be able to see the "Edit this Article" link?

Solution? Use a Security Check

This kind of situation is solved easily through the use of Xaraya security checks. A security check takes a predefined security mask as an argument and compares the privileges specified by the mask against a user's own privileges. If the user's privileges pass the security check, they are allowed to see the content. If not, the content is hidden.

What are Security Masks?

Security masks are a specification of the minimum privileges required to pass a security check. They are defined individually by each Xaraya module at the time of the module's installation. Scrolling through a module's xarinit.php file will eventually lead you to several lines of xarRegisterMask functions — these are the masks that are available for the module.

Anatomy of xarRegisterMask

Below is an example mask from the xarinit.php file from the Articles module, analyzed in parameter order:

xarRegisterMask('EditArticles','All','articles','Article','All','ACCESS_EDIT');

• 'EditArticles': unique name for this mask, will be used when we need to refer to it in security checks
• 'All': realm, really has no purpose according to RFC 30
• 'articles': the module to which this mask belongs
• 'Article': the component for which the mask applies, components are defined by the xarDefineInstance function calls in xarinit.php
• 'All': instances this mask will be applied to
• 'ACCESS_EDIT': access level required for a security check to pass

In a sentence, the mask above will pass all users that have at least edit privileges on all articles in the articles module, and it will block all other users.

Security Checks and Security Masks

Once you've discovered the name of a particular security mask, you can use it to perform security checks:

<xar:sec id="unique1" mask="EditArticles" catch="false" component="mycomponent">
    <a href="#xarModURL('articles', 'admin', 'modify', array('aid' => $aid))#&quot;&gt;Edit this Article</a>
&lt;/xar:sec&gt;

In the <xar:sec> tag above, there are three attributes:

• id: gives a unique name to the tag
• mask: the name of the mask you want to check against
• catch: if the security check fails, setting this to "false" prevents an exception from being displayed

If the user's credentials are sufficient, they will see the link to edit the article. For all other users, the link is not displayed, accomplishing the goals set out above.

For more information about security checks, take a look at the reference for the <xar:code><xar:sec></xar:code> tag, as well as Xaraya's Security RFC.

Notes: 

More fields may be available via dynamicdata ..