The Complete Guide to Social Engine 4 Module Development Part 4: Permissions and Privacy

Marco Enrico
Feb 7, 2020

After a long hiatus, it’s back. Next up: permissions and privacy.

The permissions/privacy mechanism of SE4 is provided by the core module Authorization. Two tables make it all work: engine4_authorization_permissions and engine4_authorization_allow. The permissions table records who can do what in a general context. The allow table records who can do what on a particular resource/SE4 item. The permission settings that an admin sets on the admin page generally go to the permissions table, and the privacy settings that end users set on the items they create or own on the site go to the allow table.

Permissions are typically set when the module is installed. They are in the permissions section of /application/modules/<Modulename>/settings/my.sql. I won’t be discussing how the whole mechanism works, since that would take a whole other post. Let’s tackle it with an example. In the Video_IndexController is this snippet:

This just checks whether the current viewer (2nd parameter; null means the current viewer) can view (3rd parameter) videos (video items, 1st parameter). If not, the request is forwarded to the “not permitted” page. Whether the isValid method returns true or false is based on the contents of the engine4_authorization_permissions table. You may refer to the my.sql file of each module to see how it works.

The defaults in my.sql are straightforward. Most of the time you can just copy/paste and search/replace the parameters to fit your needs.

The permissions section of my.sql sets the default permissions. To enable an administrator to edit these settings, an admin page for them must be created. In the case of the video module, this is handled by the level action of the Video_AdminSettingsController.

Allows are set during item creation and can be changed when the item settings are edited. These are the “privacy settings” on the creation form. In the video module these are in the Video_IndexController, in createAction and marked “AUTH STUFF”.

Allows determine who can do something on an item. They must be set on the created item; otherwise the only ones able to do anything (view, edit, comment, share, delete, etc.) on the item will be the owner of the item or super admins.

Much the same way as with permissions, you may copy/paste and search/replace the “AUTH STUFF” snippets of most modules to use them in the modules you are creating.

There is a quick shortcut that can be used when dealing with privacy/allows. Let’s say, for example, that in our Car module we want the car’s privacy setting to be the same as the owner’s privacy setting. The owners of cars are users. Users’ privacy settings are under members/settings/privacy. To make that the case, we can define the getAuthorizationItem method in our car model, like so:

With this in place we can remove the privacy fields in our creation form. Authorization can be utilized to determine when/how and to whom menus and menu items are displayed. This is the subject of the next part.
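
The two lookups and the getAuthorizationItem delegation described in this post, as an added, simplified model; it is not SocialEngine's code and not one of the original snippets. The class layouts, array-based "tables", level names and role names are assumptions made for illustration.

```php
<?php
// Simplified model (PHP 8+), not SocialEngine code. Table layouts, level
// names and role names are constructed for illustration.
final class User {
    public function __construct(public int $id, public string $level) {}
    public function getOwner(): User { return $this; }
    public function getAuthorizationItem(): object { return $this; }
    public function getGuid(): string { return "user_{$this->id}"; }
}
final class Car {
    public function __construct(public int $id, public User $owner) {}
    public function getOwner(): User { return $this->owner; }
    // Delegate privacy to the owner's settings, as in the Car example.
    public function getAuthorizationItem(): object { return $this->owner; }
    public function getGuid(): string { return "car_{$this->id}"; }
}

// Level-wide defaults: the role of engine4_authorization_permissions.
$levels = ['public', 'member', 'superadmin'];
$permissions = array_fill_keys($levels, ['car.view' => true]);
// Per-item privacy: the role of engine4_authorization_allow. Only user 1
// has saved privacy settings; user 2 has none.
$allow = ['user_1' => ['view' => ['registered']]];

function canDo(object $item, ?User $viewer, string $action, array $permissions, array $allow): bool {
    $level = $viewer ? $viewer->level : 'public';
    $type = strtolower(get_class($item));
    // 1. General check: a missing row for this level means deny.
    if (empty($permissions[$level]["$type.$action"])) return false;
    // 2. The owner and super admins pass even when no allow rows exist.
    if ($viewer && ($viewer->id === $item->getOwner()->id || $level === 'superadmin')) return true;
    // 3. Item check, made against the authorization item (here, the owner).
    $roles = $viewer ? ['everyone', 'registered'] : ['everyone'];
    $granted = $allow[$item->getAuthorizationItem()->getGuid()][$action] ?? [];
    return (bool) array_intersect($roles, $granted);
}

[$alice, $bob] = [new User(1, 'member'), new User(2, 'member')];
$cases = [
    'member views car whose owner allows registered' => [new Car(10, $alice), $bob],
    'guest views the same car'                       => [new Car(10, $alice), null],
    'member views car whose owner set no privacy'    => [new Car(11, $bob), $alice],
    'owner views own car'                            => [new Car(11, $bob), $bob],
];
foreach ($cases as $label => [$car, $viewer]) {
    printf("%-48s %s\n", $label, canDo($car, $viewer, 'view', $permissions, $allow) ? 'allow' : 'deny');
}
```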

Originally published in https://social-engine-tutorials.blogsplot.com.
