I've written a component for Joomla 2.5. It works great. However, I'm having access control issues. The component manages documents. It allows clients to upload them, tag them, search etc. All this works fine. The user needs to be logged in to the system to be able to view, edit and delete documents.

Unfortunately whilst the system restricts editing and deleting it doesn't seem to restrict viewing. It doesn't restrict the view to logged in users only. If you type the component url for a document directly into the browser bar it loads up the view:

http://www.mydomain.com/component/document_managment/1.html?view=document

I've searched around and can't find anything that helps. Any ideas about what I might have done wrong?

1 Answer

I am assuming you already have a complete ACL implemented, i.e. there is an asset column in the documents table, and you have an access.xml with some ACL rules defined i.e.

    <section name="component">
      <action name="core.admin" title="JACTION_ADMIN" description="JACTION_ADMIN_COMPONENT_DESC" />
    ...

  1. You want to add core.view and core.view.own ACL rules in the access.xml (which is typically in your administrator-component root).

    <action name="core.view" title="View all documents" />
    <action name="core.view.own" title="View own documents" />
    
  2. In the component configuration, assign privileges to the users so super users can view all (managers have core.view privilege) and every registered user has core.view.own.

  3. In the view.html or -even better- in the model, you test for the privileges before loading any data:

    $app  = JFactory::getApplication();
    $user = JFactory::getUser();
    $id   = $app->input->getInt('id'); // load the document id
    $canView = false;
    if ($id) {
        // view-all permission, or view-own permission on this document's asset
        $canView = $user->authorise('core.view', 'com_yourcomponent.document') ||
            $user->authorise('core.view.own', 'com_yourcomponent.document.' . $id);
    }
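
Added example, not part of the answer above: a deny-by-default view check that rejects guests and pairs `core.view.own` with an explicit owner comparison, since a custom `.own` action only records that a group holds the permission and does not compare owners. The `created_by` column, the `canViewDocument` helper and the `StubUser` stand-in are assumptions for illustration; in the component you would pass `JFactory::getUser()` and the loaded row, and raise a 403 when the function returns false.

```php
<?php
// Added example. Assumptions: document rows carry `id` and `created_by`;
// 'com_yourcomponent' is the placeholder component name used in the answer.

/**
 * Decide whether $user may view $doc. $user only needs the JUser members
 * used here: ->guest, ->id and ->authorise($action, $asset).
 */
function canViewDocument($user, $doc)
{
    // Deny by default: guests and missing rows never pass.
    if ($user->guest || empty($doc->id)) {
        return false;
    }
    // View-all permission (managers, super users).
    if ($user->authorise('core.view', 'com_yourcomponent.document')) {
        return true;
    }
    // View-own permission: the ownership comparison has to be done here.
    $asset = 'com_yourcomponent.document.' . (int) $doc->id;
    return $user->authorise('core.view.own', $asset)
        && (int) $doc->created_by === (int) $user->id;
}

// Constructed stand-in for JUser so the check can be exercised outside Joomla.
class StubUser
{
    public $id;
    public $guest;
    private $actions;

    public function __construct($id, $guest, array $actions)
    {
        $this->id = $id;
        $this->guest = $guest;
        $this->actions = $actions;
    }

    public function authorise($action, $asset = null)
    {
        return in_array($action, $this->actions, true);
    }
}

$doc = (object) array('id' => 1, 'created_by' => 42); // constructed row
var_dump(canViewDocument(new StubUser(0, 1, array()), $doc));                 // guest typing the URL
var_dump(canViewDocument(new StubUser(42, 0, array('core.view.own')), $doc)); // owner
var_dump(canViewDocument(new StubUser(43, 0, array('core.view.own')), $doc)); // other registered user
var_dump(canViewDocument(new StubUser(7, 0, array('core.view')), $doc));      // manager
```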