ACL notifications

acl_context_authenticated

Set the context to a typical authenticated uses. Used by m_acl.erl

Type:

first

Return:

authenticated #context{} or undefined

#acl_context_authenticated{} properties: none

acl_is_allowed

Check if a user is authorized to perform an operation on a an object (some resource or module). Observe this notification to do complex or more fine-grained authorization checks than you can do through the ACL rules admin interface. Defaults to false.

Type:

first

Return:

true to allow the operation, false to deny it or undefined to let the next observer decide

#acl_is_allowed{} properties:

• action: view|update|delete|insert|use|atom
• object: term

Example

Deny anyone from viewing unpublished resource except those who have update rights on the resource (usually the creator and the administrator):

observe_acl_is_allowed(#acl_is_allowed{action = view, object = Id}, Context) ->
    case m_rsc:p_no_acl(Id, is_published_date, Context) of
        undefined ->
            %% Let next observer decide
            undefined;
        true ->
            %% Resource is published: let next observer decide
            undefined;
        false ->
            %% Resource is unpublished
            case z_acl:is_allowed(update, Id, Context) of
                true ->
                    %% User has update rights, so let next observer decide
                    undefined;
                false ->
                    %% Deny viewing rights on unpublished resource
                    false
            end
    end;
observe_acl_is_allowed(#acl_is_allowed{}, _Context) ->
    %% Fall through
    undefined.

In this observer, we return undefined in those cases where we do not want to deny access. We don’t grant the access right away but give the next observer the change to decide whether viewing is allowed (for instance, based on the resource’s category and content group and the user’s group).

acl_is_allowed_prop

Check if a user is authorizded to perform an action on a property. Defaults to true.

Type:

first

Return:

true to grant access, false to deny it, undefined to let the next observer decide

#acl_is_allowed_prop{} properties:

• action: view|update|delete|insert|atom
• object: term
• prop: atom

acl_is_owner

Check if a user is the owner of a resource. id is the resource id.

Type:

first

Return:

true, false or undefined to let the next observer decide

#acl_is_owner{} properties:

• id: integer
• creator_id: integer
• user_id: integer

acl_logoff

Clear the associated access policy for the context.

Type:

first

Return:

updated #context{} or undefined

#acl_logoff{} properties: none

acl_logon

Initialize context with the access policy for the user.

Type:

first

Return:

updated #context or undefined

#acl_logon{} properties:

• id: unknown

acl_mqtt

MQTT acl check, called via the normal acl notifications. Actions for these checks: subscribe, publish

Type:

first

Return:

#acl_mqtt{} properties:

• type: wildcard|direct
• topic: binary
• words: list
• site: binary
• page_id: undefined|binary