Integrating MODX Revolution ACLs into your projects

These helper functions enable the integration of MODX Revolution ACLs with your projects so that you can restrict functionality based on user access.

Posted on June 19, 2014 at 21:08:00
Tags: ACLs
Words: 422
Level: Beginner
Dependencies: None

PHP Class Method Code

 
	/**
	 * Determines if the current user has the authority to perform the action protected by this check.
	 *
	 * @param string $group
	 *        	A MODX User Group Name, which has to be spelled accurately including case.
	 * @param string $minimumRole
	 *        	The MODX Role with authority to execute the action.
	 * @uses modUser defined as $this->user on class execution.
	 * @return boolean
	 */
	private function checkStaffAuthentication($group = 'Administration', $minimumRole = 'superuser') {
		$userHasAuthority = false;
		if ($group && $minimumRole) {
			
			$user = $this->user;
			
			$userRole = null;
			
			/* test the user */
			if ($user instanceof modUser) {
				
				if ($user->isMember ( $group )) {
					
					$modUserGroup = $this->modx->getObject ( 'modUserGroup', array (
							'name' => $group 
					) );
					
					/* Get their group */
					if ($modUserGroup instanceof modUserGroup) {
						
						$criteria = $this->modx->newQuery ( 'modUserGroupMember' );
						
						$criteria->where ( array (
								'user_group' => $modUserGroup->getPrimaryKey (),
								'member' => $user->getPrimaryKey () 
						) );
						
						/* Retrieve the user's role in the group */
						$modUserGroupMember = $this->modx->getObject ( 'modUserGroupMember', $criteria );
						
						/* If they have a role retrieve it */
						if ($modUserGroupMember instanceof modUserGroupMember) {
							
							/* Load the related role through the UserGroupRole alias */
							$userRole = $modUserGroupMember->getOne ( 'UserGroupRole' );
						}
					}
				}
			}
			
			/* If the user has a role to test against */
			if ($userRole instanceof modUserGroupRole) {
				
				/* Retrieve the designated role */
				$testRole = $this->modx->getObject ( 'modUserGroupRole', array (
						'name' => $minimumRole 
				) );
				
				/* if both are user roles */
				if ($testRole instanceof modUserGroupRole && $userRole instanceof modUserGroupRole) {
					
					/* Test the authority level -- lesser is more authority.
					 * Compare the role's authority field; the primary key only reflects creation order. */
					if ($userRole->get ( 'authority' ) <= $testRole->get ( 'authority' )) {
						$userHasAuthority = true;
					}
				}
			}
		}
		return $userHasAuthority;
	}
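
The method's own comment says a lesser value means more authority; in MODX that value is the role's `authority` field, not its row id. The following is an added example, not the author's code: it runs without MODX, and the role rows, user ids and the `hasAuthority()` helper are constructed for illustration. It compares the same check keyed on `authority` and on the primary key.

```php
<?php
// Added illustration, not the author's code. Rows below are constructed sample
// data shaped like MODX's role and membership tables; no MODX install is needed.
$roles = [ // role name => id (primary key) and authority (lower = more privilege)
    'Member'     => ['id' => 1, 'authority' => 9999],
    'Super User' => ['id' => 2, 'authority' => 0],
    'Management' => ['id' => 3, 'authority' => 10],
];
$memberships = [ // user id => [group name => role name]
    101 => ['OrganizationName' => 'Member'],
    102 => ['OrganizationName' => 'Management'],
    103 => ['OrganizationName' => 'Super User'],
    104 => ['SomeOtherGroup'   => 'Super User'],
];

/**
 * Fail-closed check: true only if the user holds a role in $group whose
 * $field value is <= that of $minimumRole. $field selects the comparison key.
 */
function hasAuthority(array $roles, array $memberships, int $userId,
                      string $group, string $minimumRole, string $field): bool
{
    $userRoleName = $memberships[$userId][$group] ?? null;
    if ($userRoleName === null) {
        return false; // not a member of the group: deny
    }
    if (!isset($roles[$userRoleName], $roles[$minimumRole])) {
        return false; // unknown or misspelled role name: deny
    }
    return $roles[$userRoleName][$field] <= $roles[$minimumRole][$field];
}

foreach (array_keys($memberships) as $userId) {
    $byAuthority = hasAuthority($roles, $memberships, $userId, 'OrganizationName', 'Management', 'authority');
    $byId        = hasAuthority($roles, $memberships, $userId, 'OrganizationName', 'Management', 'id');
    printf("user %d: by authority=%s, by primary key=%s\n", $userId,
        var_export($byAuthority, true), var_export($byId, true));
}
```

In the constructed data the Member role has the lowest id but the highest authority number, so the two comparisons disagree for that user.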

Comments

Occasionally, I am asked to create PHP Class files which have varying levels of functionality based on the MODX Revolution ACL for individual clients. This is especially true when building AJAX and JSON applications where front-end users may be tasked with providing real-time data via a web interface attached to tablets or other devices.

Eventually, I would like to see a hook added to the core which would provide similar functionality.

Overview

The function is left private so as to not be manipulated by Manager users. As a precaution, we typically encrypt our code, so there is no way for users with Media access to gain access and add a temporary function in a Class to give themselves access they do not deserve.

The function expects the current user to be defined in the __construct().

The function requires specific Resource Group and Role names to be designated.

Usage

Simply wrap the contents of sensitive class functions as follows:


	public function someSensitiveFunction($someParameter = true) {
		$someDefaultResponse = '';

		if ($this->checkStaffAuthentication ( 'OrganizationName', 'Management' )) {
			/* Do stuff */
		} else {
			/* Log the attempt using an internal logger or MODX's etc. */
			$this->logevent ( __FUNCTION__, 0, 'Attempt to do something very bad', $this->user->getPrimaryKey (), 0, 0, $this->getClientIpAddress () );
		}
		return $someDefaultResponse;
	}
