AuthorizationΒΆ
- Authorization
- The act of defining access policy for a peer.
Authorization is initialized for a request once it has been authenticated, by sending a #acl_logon{} notification. Should the session get logged out, loosing its authentication, the authorization is cleared as well by sending a #acl_logoff{} notification.
Once authorization has been initialized for a request context, operations against objects can be checked by the z_acl module from erlang code, and by the m_acl model from Templates.
The first point of contact for authorization is in the controller is_authorized/2 function. controller_page and controller_template checks for acl options in the dispatch rule that matched the current request.
Each controller is in charge of what checks to perform in the is_authorized/2 controller function. Both controller_page and controller_template support the acl option with a value of:
is_auth: request authorized to proceed processing if the session is authenticated.
- logoff: request authorized to proceed, after removing any authentication from the session.
Notice: this also clears any “remember me” cookie.
[{Action, Object}, ...]: request authorized to proceed if all operations are allowed.
Refer to the documentation of respective controller for a complete list of options available.
Requested operations are authorized by sending notifications to be checked by a ACL module.
This table lists the ACL notifications:
| Notification | Type | Return | Description |
|---|---|---|---|
| #acl_is_allowed{action, object} | first | boolean() | Check if user is authorized to perform operation on object. Default is false. |
| #acl_is_allowed_prop{action, object, prop} | first | boolean() | Check if user is authorized to perform operation on property of object. Default is true. |
| #acl_rsc_update_check{id}, Props | foldl | Props’ | Filter properties about to be updated for a resource. |
| #acl_can_see{} | first | integer() | Get max visible_for that the user can see. |
| #acl_logon{id} | first | Context | Initialize context with the access policy for the context. |
| #acl_logoff{} | first | Context | Clear the associated access policy for the context. |
Previous topic
Next topic
Versions
- Latest (0.12.4)
- 0.12 - Stable
- 0.11 - Stable (Bootstrap 2.x)
- 0.10