Item Level User Permissions Plugin


#1

Hello! I’ve been working on a plugin that uses the Guest User role to allow some non-dashboard users to see a private item’s show page if they are set to be allowed for that specific item.

I’ve been following the advice of some of the other posts on here, but I’m stuck now making the check against my permissions table because I can’t figure out how to access the Record’s id below:

    class PermissionsAccessAclAssertion implements Zend_Acl_Assert_Interface {

        public function assert(
            Zend_Acl $acl,
            Zend_Acl_Role_Interface $role = null,
            Zend_Acl_Resource_Interface $resource = null,
            $privilege = null)
        {

            if ($privilege == 'showNotPublic') {
                if (($role instanceof User) && $resource->getResourceId() == 'Items') {
                    $db = get_db();
                    $accessTable = $db->getTable('UserPermissionsPermsissions');
                    $accessRecords = $accessTable->findBy(array('user_id' => $role->id,
                                                                'item_id' => $resource->id, ));   // <----this right here is my problem, I can't figure out how to get the Item ID, this doesn't work because $resource->id returns "Items")
    ...
    ...
    ...

Here is where I call the code above:

    public function hookDefineAcl($args) {
        $acl = $args['acl'];
        $acl->allow('guest',
                    'Items',
                    array('view','showNotPublic'),
                    new PermissionsAccessAclAssertion());
    }

I have a feeling I’m just using the Resource interface wrong, can anyone point me in the right direction?


#2

Generally the $resource in a view permissions check will actually be the Item object itself so you can just access the id property from there.

The problem with viewing of private items is that the item’s visibility is really handled at the SQL level: that’s what you’re handling with the showNotPublic part. A check like that is going to be just against the string ‘Items’ as the resource (since we’re adding a filter to the SQL, we don’t actually have a specific item to work with when that check happens).

There might need to be some kind of change to Omeka_Db_Select_PublicPermissions (the code that applies the SQL filtering for private items) to allow this kind of thing to work.
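The distinction described in reply #2, written out as an added example that is not part of the thread or of Omeka's own code: an assertion that looks up a per-item grant only when the resource is an actual Item record, and fails closed when it is the generic 'Items' resource. The table name and the findBy() lookup are carried over from post #1; treating `$resource instanceof Item` as the per-item case is an assumption based on reply #2.

```php
<?php
// Added illustration, not code from the thread. Assumes Omeka Classic's
// User and Item record classes and the poster's permissions table.
class PermissionsAccessAclAssertion implements Zend_Acl_Assert_Interface
{
    public function assert(
        Zend_Acl $acl,
        Zend_Acl_Role_Interface $role = null,
        Zend_Acl_Resource_Interface $resource = null,
        $privilege = null
    ) {
        // Only a saved, logged-in user record can hold a per-item grant.
        if (!($role instanceof User) || !$role->id) {
            return false;
        }

        // Generic check: the resource is the bare 'Items' resource, as it
        // is when the SQL visibility filter asks about showNotPublic.
        // There is no item to look up, so fail closed instead of exposing
        // every private item to this role.
        if (!($resource instanceof Item) || !$resource->id) {
            return false;
        }

        // Specific check: the resource is the Item record itself, so its
        // id property is the item ID to match against the grants table.
        $accessTable = get_db()->getTable('UserPermissionsPermsissions');
        $accessRecords = $accessTable->findBy(array(
            'user_id' => (int) $role->id,
            'item_id' => (int) $resource->id,
        ));

        // Allow only when at least one grant row exists for this pair.
        return count($accessRecords) > 0;
    }
}
```

With this assertion the generic showNotPublic check is denied, so private items are still filtered out at the SQL level, which is the limitation reply #2 points to.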


#3

Would this be something I could do with hookItemsBrowseSql or is that private check already run before this hook is called?


#4

The main issue is that it will affect things beyond browsing, like the select to get just one item by ID.