Composr Tutorial: Advanced access control

Written by Chris Graham (ocProducts)
There are more ways that you could wish to control access than we have direct options within Composr.
Some software tries to make options for everything, but the result tends to be too many assumptions and too much configuration complexity. Our approach is to give you some additional general-purpose tools for defining your own permissions, giving you increased flexibility overall, while keeping the core permission system relatively intuitive.

Table of contents

  1. Composr Tutorial: Advanced access control
    1. Match-key permissions
      1. An example: controlling member-directory access
    2. Match-key error messages
    3. Controlling page display in detail
    4. See also

Match-key permissions

Image

Here we have removed banner submission for guests. Normally we would restrict based on content visibility level, but that is less fine-grained.

Here we have removed banner submission for guests. Normally we would restrict based on content visibility level, but that is less fine-grained.

(Click to enlarge)

For an explanation of match-key s, see the Customising what's on the menus tutorial.

If it is not enough to specify whether a member can access a specific page based on the available view permissions and overridden privileges, you can also set things up to deny access to pages based on the URL parameters they are opened with. This could be used, for example, to allow members to browse through download categories but not actually view any download entry.
The match-key permission system is not intended to be used unless really needed - it is there to provide additional control when page and privileges won't meet your unique needs.

To add a new match-key permission, go to the "Match-key page restriction" icon in the Security section of the Admin Zone.

An example match-key that would deny access for viewing download entries would be: _WILD:downloads:entry. Usergroups could be checked to deny members in those usergroups access to the website screen that actually views a download (type=entry is that interface).

At the bottom of the same screen you can choose what error message to display if someone is denied access. This is very useful if you have a specific reason for closing down access to something that you wish to explain.

Configure Match-key permissions from:
Admin Zone > Security > Match-key page restrictions
This assumes the match_key_permissions addon is installed.

An example: controlling member-directory access

Image

Observe that permissions are now being enforced.

Observe that permissions are now being enforced.

(Click to enlarge)

Image

Set the denys.

Set the denys.

(Click to enlarge)

Image

Make sure the prerequisite addon is installed.

Make sure the prerequisite addon is installed.

(Click to enlarge)

Important: Understand that checking means 'deny access' when it comes to match-key permissions. It's the opposite of how permission checkboxes usually work.

You may wish to prevent members viewing the member directory, but let them view their own profile

This cannot be done directly using page permissions because both actions go through the same module. Match-key permissions can be used effectively here though.

  1. Make sure the match_key_permissions addon is installed.
  2. If the "Single public zone" option is on then:
    • Set to block all groups on :members:browse
    If the "Single public zone" option is not on then:
    • Set to block all groups on site:members:browse

Match-key error messages

You can define custom error messages that show when an access-denied screen is shown on a particular match-key. You can also put in URLs and page-links instead of messages, and these will work to trigger a redirect (useful if you want to design an elaborate page, e.g. a signup page).

If you put in a URL instead of a match-key, it will automatically convert to a match-key.

If you put in some text between quote marks, matching will be done on the basis of matching this to success/notice/warning/error messages (which is broader than match-keys, as Composr is programmed to mostly only consider whether these match when showing access-denied screens). You can even combine quoted strings and match-keys, for a double condition, e.g.: site:downloads "There are no entries at this time" could be given a message of Nobody has added a download yet. As you can see, this has nothing really to do with permissions: we can use this system much more broadly, to do some quite detailed specification of how Composr should message the user.

A good example of match-key error messages is in the How to disable joining tutorial.

Controlling page display in detail

You may wish to only show certain parts of screens to particular usergroups. For example, you may want to 'tease' content to non-paying users.
To implement this, you need to switch to a template editing mind-set, rather than a permissions mind-set. Use normal Tempcode techniques to fence off or change the output of templates, either:
  1. by using the IS_IN_GROUP symbol
  2. working off the back of a standard permission's setting using something like the HAS_PRIVILEGE symbol)

For example,

Code

{+START,IF,{$IS_IN_GROUP,3-7,10}}
    Only groups 3, 4, 5, 6, 7, and 10, see this.
{+END}

These techniques also work within Comcode pages.

See also


Feedback

Please rate this tutorial:

Have a suggestion? Report an issue on the tracker.