The permissions system allows you to:
- Check whether a user is allowed to take a certain action, and
- Customize whether a user is allowed to take a certain action.
[!!] Restricting the visibility of a certain entity is handled by ACLs. [Read more about Elgg's ACLs here.][AccessControl]
We stick to ActivityStreams verbs as much as possible, and encourage you to do the same. Here are some common examples:
- post
- edit
- delete
- follow
- join
- like
More verbs: http://activitystrea.ms/specs/json/schema/activity-schema.html#verbs
Some custom verbs that Elgg supports out of the box:
- ... list some ...
Note that you can support your new verbs simply by passing a custom string to the $verb argument and registering a hook handler for that verb. If you do this, we recommend namespacing your verb to avoid conflicts.
Can the user edit a blog?

```php
// For the current user
$session->userCan('edit', $blog);
elgg_user_can('edit', $blog);

// For a particular user, not necessarily logged in
$user->can('edit', $blog);
```
Register a handler for the `can`, `$verb` [plugin hook][Hooks] to customize permissions.

```php
elgg_register_plugin_hook_handler('can', 'edit', 'pages_edit_handler');
```
Your handler will be passed 3 `$params` arguments:

- `subject`: The user who would be taking the action. A null value should be interpreted as the logged out user.
- `object`: The ElggEntity to be acted upon. E.g. Can `$user` edit `$object`? Might be null depending on the verb in use.
- `target`: The target of the action. E.g. Can `$user` move `$blog` to `$target`? Might be null depending on the verb in use.
Open up edit privileges for Elgg pages.

```php
// start.php
elgg_register_plugin_hook_handler('can', 'edit', 'pages_edit_handler');

function pages_edit_handler($hook, $verb, $defaultResult, array $params) {
    $subject = $params['subject'];
    $page = $params['object'];
    $target = $params['target']; // The 'edit' verb has no target, so this is null

    if ($verb == 'edit' && elgg_instanceof($page, 'object', 'page')) {
        // Always check for existence of $subject since user could be logged out.
        return $subject && (elgg_acl_has_member($page->write_access_id, $subject->guid));
    } else {
        return $defaultResult;
    }
}
```
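To show how a chain of `can` handlers behaves end to end (deny by default, a logged-out subject, and a namespaced custom verb as recommended above), here is an added, self-contained example that is not Elgg's own code. The `$handlers` registry, `register_can_handler()`, `user_can()`, the `write_acl_members` field and the sample users and entities are all assumptions constructed for the demonstration; they stand in for `elgg_register_plugin_hook_handler()`, `elgg_user_can()` and `elgg_acl_has_member()`, and only the handler signature `($hook, $verb, $defaultResult, array $params)` is taken from the page.

```php
<?php
// Added example, not Elgg's own code: a minimal stand-in for the "can" hook
// dispatch so the handler pattern described above can be run offline.

$handlers = [];

// Stand-in for elgg_register_plugin_hook_handler('can', $verb, $callback).
function register_can_handler(string $verb, callable $callback): void {
    global $handlers;
    $handlers[$verb][] = $callback;
}

// Run every handler registered for $verb in order. Each one receives the
// previous result as $defaultResult and may replace it. The starting value
// is false, so a verb nobody handles is refused rather than silently allowed.
function user_can(?object $subject, string $verb, ?object $object = null, ?object $target = null): bool {
    global $handlers;
    $result = false;
    $params = ['subject' => $subject, 'object' => $object, 'target' => $target];
    foreach ($handlers[$verb] ?? [] as $callback) {
        $result = (bool) $callback('can', $verb, $result, $params);
    }
    return $result;
}

// Handler in the shape shown on the page: 'edit' on a 'page' entity is allowed
// only when the subject is in the page's write ACL. The in_array() check is a
// constructed stand-in for elgg_acl_has_member().
function pages_edit_handler($hook, $verb, $defaultResult, array $params) {
    $subject = $params['subject'];
    $page = $params['object'];
    if ($verb == 'edit' && $page !== null && $page->subtype === 'page') {
        // Always check for existence of $subject since the user could be logged out.
        return $subject && in_array($subject->guid, $page->write_acl_members, true);
    }
    return $defaultResult;
}

// A namespaced custom verb ('myplugin:publish', assumed name) to avoid
// clashing with verbs other plugins might register: only the owner may publish.
function myplugin_publish_handler($hook, $verb, $defaultResult, array $params) {
    $subject = $params['subject'];
    $object = $params['object'];
    if ($subject && $object !== null && $object->owner_guid === $subject->guid) {
        return true;
    }
    return $defaultResult;
}

register_can_handler('edit', 'pages_edit_handler');
register_can_handler('myplugin:publish', 'myplugin_publish_handler');

// Constructed sample users and entities.
$alice = (object) ['guid' => 10];
$bob   = (object) ['guid' => 11];
$page  = (object) ['subtype' => 'page', 'owner_guid' => 10, 'write_acl_members' => [10]];
$blog  = (object) ['subtype' => 'blog', 'owner_guid' => 11, 'write_acl_members' => []];

var_dump(user_can($alice, 'edit', $page));            // subject is in the page's write ACL
var_dump(user_can($bob, 'edit', $page));              // subject is not in the ACL
var_dump(user_can(null, 'edit', $page));              // logged-out subject
var_dump(user_can($alice, 'edit', $blog));            // no handler grants 'edit' on a blog
var_dump(user_can($bob, 'myplugin:publish', $blog));  // subject owns the blog
```

Because every handler returns `$defaultResult` when the verb or entity type is not its concern, handlers from different plugins compose without overriding one another, and a subject of `null` falls through to a denial in each branch instead of being treated as a user.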
Very cool and easy to understand. Implementing a few more examples would provide some idea on how most of the boilerplate is going to look and how we could minimize it.
Depending on plugin design, there could be lots of handlers for "can" hooks. Could get interesting!