|
| 1 | +================= |
| 2 | +Permission system |
| 3 | +================= |
| 4 | + |
| 5 | +Introduction |
| 6 | +============ |
| 7 | +The permission system is the system that allows board administrator decide what users are allowed do on the board. |
| 8 | +Information on how to you use permission system can be found on :doc:`Tutorial: Permissions <tutorial_permissions>`. |
| 9 | + |
| 10 | +An administrator with the correct permissions has access to the administration control panel (ACP) which contains the |
| 11 | +administrative side of the permissions system. The administrator then setups the permissions to allow users to have the |
| 12 | +rights to do certain things, tasks or see certain features. At the end of the day each permission is what is called |
| 13 | +a permission option and users obtain the rights to these options either directly, from a group or from a role that is |
| 14 | +assigned to them or a group they are in. |
| 15 | + |
| 16 | +Permission options |
| 17 | +================== |
| 18 | +Permission options are the individual options that allow or deny you access to features. Examples are ``f_post``, ``m_delete``, |
| 19 | +``a_ban`` and ``u_sendpm``. Permission options are group into permissions of the same type. |
| 20 | + |
| 21 | +Examples of that are the ``f_``, ``m_``, ``a_`` and ``u_`` prefixes: |
| 22 | + |
| 23 | +- ``f_`` - Forum permissions |
| 24 | +- ``m_`` - Moderator permissions |
| 25 | +- ``a_`` - Administrator permissions |
| 26 | +- ``u_`` - User permissions |
| 27 | + |
| 28 | +User permissions |
| 29 | +================ |
| 30 | +Individual user permissions are stored in the phpbb_users table in the ``user_permissions`` column. |
| 31 | +In addition to that, users that have the ``a_switchperm`` permission may assume the permissions of another user. |
| 32 | +When this is done, the user id of the user one is assuming the permissions of are stored in the column ``user_perm_form``. |
| 33 | + |
| 34 | +Permission options |
| 35 | +================== |
| 36 | +Permission options are stored in the table phpbb_acl_options. The fields of this table are defined as follows: |
| 37 | + |
| 38 | +- ``auth_option_id`` - Unique ID of option ``auth_option`` |
| 39 | +- ``auth_option`` - Name of permission option |
| 40 | +- ``is_global`` - Set to 1 if a global option else set to 0 |
| 41 | +- ``is_local`` - Set to 1 if a local option else set to 0 |
| 42 | +- ``founder_only`` - Set to 1 if a founder only option else set to 0 |
| 43 | + |
| 44 | +A local permission option is a option that can be granted to a user on a forum by forum basis. |
| 45 | +This allows one to grant users options to perform a task in one forum but not another. They are also called |
| 46 | +forum based permissions. In contrast to that, a global permission option is an option that is valid board wide. |
| 47 | + |
| 48 | +Permission options can also be both global and local. An example is 'm_edit', the moderator permission to edit a topic. |
| 49 | +Some users can be granted this permission on a single forum while other users might be granted this permission board wide. |
| 50 | +In order to support this, the option is set to both local and global. |
| 51 | + |
| 52 | +Founders |
| 53 | +======== |
| 54 | +A founder is a special type of user. It should only be granted to the most trusted of administrators. |
| 55 | +Founders can access the permission system to correct their permissions even if another administrator has removed their permissions. |
| 56 | +Only a founder can remove the founder status of another founder. Therefore, a founder only permission is a type of |
| 57 | +permission that is limited to this special type of user. By default, no permission is set to founder only. |
| 58 | + |
| 59 | +Roles |
| 60 | +===== |
| 61 | +Roles are a predefined setup of permission options that can be applied to users or groups. |
| 62 | +If the permission options of a role are changed, the users or groups assigned that role get updated automatically. |
| 63 | + |
| 64 | +Roles are stored in the ``phpbb_acl_roles`` table which is comprised of the following columns: |
| 65 | + |
| 66 | +- ``role_id`` - Unique ID of role |
| 67 | +- ``role_name`` - Role name normally as a lang key |
| 68 | +- ``role_description`` - Role description normally as a lang key |
| 69 | +- ``role_type`` - ``a_``, ``u_``, ``m_`` or ``f_`` depending on what type of role it is |
| 70 | +- ``role_order`` - Number indicating display order in the ACP |
| 71 | + |
| 72 | +The permission options for a role are stored in the ``phpbb_acl_roles_data`` table which is comprised of the |
| 73 | +following columns: |
| 74 | + |
| 75 | +- ``role_id`` - Role id from phpbb_acl_roles |
| 76 | +- ``auth_option_id`` - Option id from ``phpbb_acl_options`` |
| 77 | +- ``auth_setting`` - Stores either ``ACL_YES`` (1), ``ACL_NO`` (-1) or ``ACL_NEVER`` (0) |
| 78 | + |
| 79 | +Your effective permission for any option is built up from a combination of details such as which groups you are |
| 80 | +a member of, which role you have assigned and whether you have been assigned directly that permission. |
| 81 | +As such you might have opposing permissions. |
| 82 | + |
| 83 | +The ``YES``, ``NO`` and ``NEVER`` system works to allow phpBB to combine these different "answers" for an option and |
| 84 | +give you the effective permission. |
| 85 | +If at any point one gets a ``NEVER``, that will be the effective permission for that option since a ``NEVER`` can not be |
| 86 | +overridden by a ``YES``. It will force the permission to be ``NO`` in the end, no matter what other roles, groups permissions, |
| 87 | +etc. might say ``YES``. A ``NO`` will however be overridden by a ``YES``. |
| 88 | + |
| 89 | +When checking permissions, it's also important to keep in mind whether the global or local permissions should be checked. |
| 90 | +If ``acl_get`` is called without a forum id, the global permissions will be used. Instead, passing a forum id will also |
| 91 | +check the local permissions which can then potentially override a ``NO`` with a ``YES``. |
| 92 | +After checking all user, group, forum, and global permissions, the return permission is always either ``YES`` or ``NO``, |
| 93 | +``NEVER`` is only used to enforce a ``NO``. |
| 94 | + |
| 95 | +Roles specific to users are stored in the ``phpbb_acl_users`` table: |
| 96 | + |
| 97 | +- ``user_id`` - User id from ``phpbb_users`` |
| 98 | +- ``forum_id`` - Forum id from ``phpbb_forums`` if a local option, else 0 |
| 99 | +- ``auth_option_id`` - Option id from ``phpbb_acl_options`` |
| 100 | +- ``auth_role_id`` - Role id from ``phpbb_acl_roles`` if obtained from a role, else 0 |
| 101 | +- ``auth_setting`` - Stores either ``ACL_YES`` (1), ``ACL_NO`` (-1) or ``ACL_NEVER`` (0) |
| 102 | + |
| 103 | +Roles specific to groups are stored in the ``phpbb_acl_groups`` table: |
| 104 | + |
| 105 | +- ``group_id`` - Group id from ``phpbb_groups`` |
| 106 | +- ``forum_id`` - Forum id from ``phpbb_forums`` if a local option, else 0 |
| 107 | +- ``auth_option_id`` - Option id from ``phpbb_acl_options`` |
| 108 | +- ``auth_role_id`` - Role id from ``phpbb_acl_roles`` if obtained from a role, else 0 |
| 109 | +- ``auth_setting`` - Stores either ``ACL_YES`` (1), ``ACL_NO`` (-1) or ``ACL_NEVER`` (0) |
| 110 | + |
| 111 | +Checking permissions |
| 112 | +==================== |
| 113 | + |
| 114 | +A user's permission can be checked by calling ``$auth->acl_get('u_garage_browse');``. The argument is the option |
| 115 | +you want to check for. If it is specific to a forum (i.e local) then you call it as ``$auth->acl_get('u_garage_browse', 3);`` |
| 116 | +where ``3`` is the forum id. |
| 117 | + |
| 118 | +For forums one can use the forum specific call ``$auth->acl_getf('f_your_permission');``. |
| 119 | + |
| 120 | +It is also possible to check for more than one option: |
| 121 | + |
| 122 | +.. code-block:: php |
| 123 | +
|
| 124 | + $auth->acl_gets(option1[, option2, ..., optionN, $forumId]); |
0 commit comments