Boost:Admin Interface Privileges

From Metro Studios Knowledgebase

Jump to: navigation, search

The Boost administrative interface has a built in privilege system that can be used to restrict the functions that each user can access. Privileges are configured per administrator group, and in turn each administrative user can be assigned to a specific group.


Contents

[edit] Defining Privileges

The administrative interface privileges are defined in the AdminPrivileges class which is located in the site/lib/Admin/Privileges.php file. In that class there are a number of array instance variables where you can set options to control the privileges that can be assigned to an administrator group.

[edit] $models

Each element of this array is the name of a model class which will be controlled by the privilege system. When a model is added to this list, it will add 4 options to the administrator group privileges for that model: view, create, update, and delete.

Example:

protected $models = array(
    '_Product',
    '_ProductCategory',
    '_ProductBrand'
);


[edit] $views

An associative array containing the views that will be controlled by the privilege system. Each view that you want to be controlled by privileges must be added to this array individually. The array key will be the name of the view as it appears in the v= request paramater; the value will be the label as you want it to appear in the administrator group create/update interface.

Example:

protected $views = array(
    'appointments' => 'View Appointments',
    'orders' => 'View Orders'
);


[edit] $actions

An associative array containing the actions that will be controlled by the privilege system. Each action that you want to be controlled by privileges must be added to this array individually. The array key will be the name of the action as it appears in the a= request paramater; the value will be the label as you want it to appear in the administrator group create/update interface.

Example:

protected $views = array(
    'createAppointment' => 'Create Appointments',
    'updateAppointment' => 'Update Appointments',
    'createOrder' => 'Create Orders',
    'updateOrder' => 'Update Orders'
);

[edit] Privilege Verification

Privileges are checked on every administrative interface request. If a user does not have the necessary privileges to access a function, an error message will be displayed letting them know that they are not allowed to access the function.

[edit] Superuser Accounts

The privilege system does not apply to administrator accounts defined as being a superuser. In that case the privilege check is always skipped and the superuser is allowed to access all of the administrative interface functions.

[edit] Filtering Admin Tabs Based On Priveleges

Sometimes clients will want certain people to be able to access certain pieces of the admin section. In order to accomplish this, you'll need to create groups and assign privileges to those groups. Follow the instructions below to properly set up these new groups.



[edit] Adding models to list of privileges

  1. Open "Privileges.php" in the _boost/site/lib directory.
  2. Add the models you wish to assign privileges for to the $models array.

[edit] Setting up privileges and limiting access to models

[edit] Creating the groups and setting permissions
  1. Create the new group in the Administrators > Groups menu in the boost admin panel.
  2. Assign permissions to the new group.

(By default the groups will now be restricted from accessing those models they do not have permissions for. However, they will still see them in the admin tabs.)


[edit] Hiding admin tabs from limited groups
  1. Open "global-menu.php" in the _boost/site/admin/includes directory
  2. Add the following lines of code to the top of the file to fetch the logged in admin and unserialize the privileges for the associated group. (We'll use the $is_super variable in our conditional statements on the next step):
  3.     $admin = bstAdminAuth::getAdministrator();
        $is_super = ($admin->is_superuser == '1' ? TRUE:FALSE);
        $privileges = unserialize($admin->group->privileges);
  4. Use the following code-snippet template to check if the privileges for the current admin contain the model and then show the tab if true or move on to the next model if false.
  5.     <? if($is_super || isset($privileges['models']['_SiteAdministrator']) && $privileges['models']['_SiteAdministrator']['manage'] == '1' ): ?>
              <li>
                <a>Administrators</a>
                <ul>
                  <li><a href="index.php?v=manage&m=<?php echo ADMINISTRATOR_MODEL; ?>">Manage</a></li>
                  <li><a href="index.php?v=create&m=<?php echo ADMINISTRATOR_MODEL; ?>" class="dialog">Create</a></li>
     
                  <li>
                    <a class="sub">Groups</a>
                    <ul>
                      <li><a href="index.php?v=manage&m=_AdministratorGroup">Manage</a></li>
                      <li><a href="index.php?v=create&m=_AdministratorGroup" class="dialog">Create</a></li>
                    </ul>
                  </li>
                </ul>
              </li>
        <?endif;?>


Personal tools
Namespaces
Variants
Actions
Wiki Navigation
Knowledgebase
Toolbox