Adding and checking permissions

Started by Compuart, December 05, 2005, 11:33:58 AM

Previous topic - Next topic

Compuart

Please note this tutorial extends an already existing tuturial. It's aimed to show how a permission can be added and checked. It would most likely be useful for those who wish to write modifications of SMF.

Deciding on the type of permission
Before adding a permission you need to make some decisions on what the permission will be needed for.

1. Whether the permission will be a board permission or a membergroup permission. A board permission can be set differently for each board (e.g. make_sticky), while a membergroup permission can only be set globally (e.g. manage_membergroups).

2. Whether the permission will have two options or just one. For instance, the lock permission consists of two permissions: lock_own and lock_any for locking your own topics or any topics respectively.

3. The name. Chose a logical name that consists of lowercase letters, using underscores (_) as word seperators. The maximum length of a permission name is 30 characters.

4. The permission group to put the permission in. In the permission interface, the permissions are grouped (e.g. the 'Calendar' group contains calender_view, calendar_post, and calendar_edit). You can chose to add your own group, or insert your permission in an existing group. Remember that some of the permission groups (like 'Forum administration') are not visible when editing permissions for the guest group.

5. The restriction level of the permission: restrict, standard, moderator, maintenance. Use 'restrict' for low-security permissions, while 'maintenance' permissions you'd only give to those you really trust.


Adding the permission

1. Add the permission to one of the arrays that represents the chosen restriction level inside ManagePermisssions.php.

E.g. a high-security membergroup permission would be added after:
$groupLevels['global']['maintenance'] = array_merge($groupLevels['global']['moderator'], array(

while a low-security board permission would be added after:
$groupLevels['board']['restrict'] = array(

2. Add the permission to the $permissionList array in ManagePermissions.php. The array consists of four levels: 'membergroup'/'board' -> permission group -> permission -> whether it has multiple options or not. Based on the choices made above, you can insert the permission in the proper place.

E.g. to add a membergroup permission that should be in the 'general' permission group with no '_own' or '_any' variants, find:
Code (ManagePermissions.php) Select
$permissionList = array(
'membergroup' => array(
'general' => array(


Add after:
'my_permission' => false,

3. Add the language entries for each permission in the ManagePermissions language files.

For each permission, add:
Code (ManagePermissions.enlish.php) Select

$txt['permissionname_my_permission'] = 'My permission';
$txt['permissionhelp_my_permission'] = 'With "My Permission" you can take over the world.';


Also when the permission is not present, an error is shown. Add the error like this:
Code (Errors.english.php) Select

$txt['cannot_my_permission'] = 'Sorry, you\'re not allowed to use "My Permission"';


For each added permission group, add:
Code (ManagePermissions.enlish.php) Select

$txt['permissiongroup_my_permission_group'] = 'My permission group';



Adding default values for the new permission
If you want some groups to have the new permission by default, you need to run some database queries. Some examples:

Example: Add a certain membergroup permission (my_permission) to all registered members:
<?php
// Initialize the groups array with 'ungrouped members' (ID: 0).
$groups = array(0);

// Get all the non-postcount based groups.
$request db_query("
SELECT ID_GROUP
FROM 
{$db_prefix}membergroups
WHERE minPosts = -1"
__FILE____LINE__);
while ($row mysql_fetch_assoc($request))
$groups[] = $row['ID_GROUP'];

// Give them all their new permission.
$request db_query("
INSERT IGNORE INTO 
{$db_prefix}permissions
(permission, ID_GROUP, addDeny)
VALUES
('my_permission', " 
implode(", 1),
('my_permission', "
$groups) . ", 1)"__FILE____LINE__);
?>


Example: Add a certain board permission (my_board_permission) to all registered members and guests
<?php
// Initialize the groups array with 'ungrouped members' (0) and guests (-1).
$groups = array(-10);

// Get all the non-postcount based groups.
$request db_query("
SELECT ID_GROUP
FROM 
{$db_prefix}membergroups
WHERE minPosts = -1"
__FILE____LINE__);
while ($row mysql_fetch_assoc($request))
$groups[] = $row['ID_GROUP'];

// Give them all their new global board permission.
$request db_query("
INSERT IGNORE INTO 
{$db_prefix}board_permissions
(permission, ID_GROUP, ID_BOARD, addDeny)
VALUES
('my_board_permission', " 
implode(", 0, 1),
('my_board_permission', "
$groups) . ", 0, 1)"__FILE____LINE__);
?>



Checking permissions
One the most important parts of permissions is to check whether someone has a permission or not. There are two ways to check the permission:

1. Conditional. Only checks the permission, and return wether the user has the permission (true) or not (false).

Example:
<?php
if (allowedTo('my_permission'))
take_over_the_world();
?>


2. Deterministic. Checks the permission and shows an error if you don't have clearance.

Example:
<?php
isAllowedTo
('my_permission');

// At this point of the code, only those with my_permission are left.
// I can now safely assume you're authorized to...
take_over_the_world();
?>



There is no difference in checking membergroup or board permissions. A board permission check assumes you're inside a board, determined by the board or topic parameter given in the URL or as a $_POST variable (e.g. index.php?topic=x). If you want to check whether a user has permissions inside another board, use:
<?php
if (allowedTo('my_board_permission'$board_id_to_check))
take_over_the_world();
?>


or, if you want to know which boards a user has a certain permission use:
<?php
$my_boards 
boardsAllowedTo('my_board_permission');

if (empty(
$my_boards))
{
// User has my_board_permission permission on no boards at all.
}
elseif (
$my_boards[0] == 0)
{
// User has my_board_permission permission on ALL boards.
}
else
{
// User has my_board_permission permission on the boards that are in the $my_boards array.
}
?>
Hendrik Jan Visser
Former Lead Developer & Co-founder www.simplemachines.org
Personal Signature:
Realitynet.nl -> ExpeditieRobinson.net / PekingExpress.org / WieIsDeMol.Com

Dannii

Quote from: Compuart on December 05, 2005, 11:33:58 AM
Add after:
'my_permission' => false,
Just checking, true here will make it be a own/all permission?

This is great :D After trying for ages before, I've now got my new permission in only 10 minutes.
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

Compuart

Quote from: eldacar on December 05, 2005, 10:14:20 PM
Quote from: Compuart on December 05, 2005, 11:33:58 AM
Add after:
'my_permission' => false,
Just checking, true here will make it be a own/all permission?
Indeed. It would add 'my_permission_own' and 'my_permission_any'. You'd need to add two extra language strings as well:
$txt['permissionname_my_permission_own'] = 'Own llamas';
$txt['permissionname_my_permission_any'] = 'Any llamas';

Hendrik Jan Visser
Former Lead Developer & Co-founder www.simplemachines.org
Personal Signature:
Realitynet.nl -> ExpeditieRobinson.net / PekingExpress.org / WieIsDeMol.Com

JayBachatero

Setting "$groups = array(0);" will give permission to ALL member groups?
Follow me on Twitter

"HELP!!! I've fallen and I can't get up"
This moment has been brought to you by LifeAlert

Compuart

Membergroup 0 is 'ungrouped members' (those members that have no primary membergroup set). $groups = array(0) initialializes the array of groups to that membergroup. After that, additional groups are added to the $groups array.
Hendrik Jan Visser
Former Lead Developer & Co-founder www.simplemachines.org
Personal Signature:
Realitynet.nl -> ExpeditieRobinson.net / PekingExpress.org / WieIsDeMol.Com

JayBachatero

Follow me on Twitter

"HELP!!! I've fallen and I can't get up"
This moment has been brought to you by LifeAlert

hitsquaduk

well i have tryed this and i could not get it to work dam it grrrrrr

im trying to add permisstions for the shout box so guest cant see the shouts i had to hard code it so it was


if ($user_info['is_guest'])

echo '

        <td><b><center>Sorry only member can view the shout box please</center></B> </td>';   

esle

i added that just befor it foreach the shouts and it works

but i want to add in the admin section (guest can see shouts)
i tryed what you siad and it kinda worked once i put a tick in the box guest could not see the shouts but admins could not aswell it's like it set it to all the member groups

JayBachatero

Use $context['user']['is_guest'].  You need to make $user_info a global to use it.
Follow me on Twitter

"HELP!!! I've fallen and I can't get up"
This moment has been brought to you by LifeAlert

hitsquaduk

thay way i did it works fine but when try to make a custom permission it seems to set it for all groups like i make a tick in the guests permisssions to not shout the shouts but it seems to set it for the admins as well

whats up with that how can i fix it 

JayBachatero

Make sure you added it to the group permission ection and not board permission.  Happened to me once.
Follow me on Twitter

"HELP!!! I've fallen and I can't get up"
This moment has been brought to you by LifeAlert

hitsquaduk


$permissionList = array(
'membergroup' => array(
'general' => array(
    'my_permission' => false,
'view_stats' => false,
'view_mlist' => false,
'who_view' => false,
'search_posts' => false,
'karma_edit' => false,
'see_shouts' => false,


'see_shouts' => false,
it's in the member group

Dannii

Admins can do everything. They automatically have every permission.
The false in that array means that it is a singular permission, not that the default is false or anything.
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

hitsquaduk

well what i have done seems to work i want to get this work and so i understand it all as the site im working on use's smf sofware and smf is very easy to work with im going to be adding banners but im also donig permissionds for them so paid members dont see banners and none paid members see banners if i can get this permissions sorted i can start working on the banner script who knows i might make a mod for it if it turns out well..lol


but the problem im having here is i have done what you have said as you can see there but when i goto lets say guest and tick it so guest cant see shouts it seems to stop admins from seeing them to????? all the other members can see them though

please help 

Dannii

If admins are being blocked then your checking code is faulty.

Please post it too ;)
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

hitsquaduk

oh i did not do any database stuff would this be my problem?? im very unsure of what i have to do with the database

i have looked into the database and it seems to have just added them this is what it says

ID_GROUP 0
PERMISSION see_shouts
addDeny 1

im unsure of what that meens

Dannii

Do you don't need to do any database stuff. Please post the code where you are checking this permission.
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

hitsquaduk

ok here is what i have done

ManagePermission.php

// Standard - ie. members.  They can do anything Restrictive can.
$groupLevels['global']['standard'] = array_merge($groupLevels['global']['restrict'], array(
    'cantsee_shouts',
    'see_shouts',
'view_mlist',
'karma_edit',
'pm_read',
'pm_send',
'profile_view_any',
'profile_extra_own',
'profile_server_avatar',
'profile_upload_avatar',
'profile_remote_avatar',
'profile_remove_own',

then

$permissionList = array(
'membergroup' => array(
'general' => array(
    'my_permission' => false,
'view_stats' => false,
'view_mlist' => false,
'who_view' => false,
'search_posts' => false,
'karma_edit' => false,
'see_shouts' => false,
'cantsee_shouts' => false,


ManagePermissions.template.php

$txt['permissionname_cantsee_shouts'] = 'cant see shouts';


and in my shout.template.php


hitsquaduk

opps sorry here is the code i put in
shout.template.php


if (allowedTo('cantsee_shouts'))
echo '
<tr class="', $alternate ? 'windowbg' : 'windowbg', '">
<td><b>Sorry only member can<br />view the shout box please</b> </td>';


else

foreach ($context['arc_shouts'] as $shout)

Dannii

You shouldn't have two permissions. Use one, and if you want to test if they can't do it, use:
if (!allowedTo('see_shouts'))
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

hitsquaduk

yea i dont use 'see_shouts'

that was testing some else..lol

ok i tryed what you said and it did not work i put a tick in the box for guest not to view the shouts and thay still can
so this
if (!allowedTo('see_shouts'))

dont work
but
   if (allowedTo('cantsee_shouts'))
does work
but if i use the second one and then set it so guest cant see shouts it stop admins from seeing them as well
i dont see how this is possable as admins have all permission?

Advertisement: