Not a developer? Go to MovableType.com

Documentation

Permission API

Permission Management on Movable Type 4

In versions prior to MT4, users were approved for certain operations according to whether or not they had specific permissions. This was written in syntax for each operation like this:

$app->permissions->can_manage_pages();
  or
$app->permissions->has('manage_pages');

The problem with this way of writing is that the relationship between the action and the permission names is only defined in the source code, and is dispersed in source code.

In order to find out if specific permissions (manage_pages) permitted an operation (such as deleting all trackbacks on a given webpage), you had to refer directly to the source code. As a result, when you introduced new permissions, it was very difficult to confirm whether or not they were consistent with other permissions.

Permission Management on Movable Type 5

In order to solve this problem in Movable Type 5, we’ve separated permission names and actions, and they are now managed together in the Registry.

Source code

Write a code to confirm the permitted actions.

$app->can_do('remove_all_trackbacks_on_webpages')
     or return $app->errtrans('Permission Denied');

Registry

Specify the action that correspond to the permission.

manage_pages:
    permitted_actions:
        remove_all_trackbacks_on_webpages: 1

By doing this, as long as you create a clear action name, you need not return to code you’ve already written. If there is an inconsistency between the behavior of individual permissions, you can edit the Registry definition (MT::Core, config.yaml, etc) to identify whether or not there is an inconsistency with permissions.

All the relationships between permissions and actions are defined in the registry except one - super_user. Super_user is a specific property of users, and permits users to conduct any and all operations on the MT system.

Inheritance

Previous permission systems did not support inheritance in the code. With Movable Type 5 permission management, you can define inheritance in the registry.

Registry inheritance relationships are implemented by expanding each entry that was found below ‘permissions’ in the MT4 registory. The two entries below define support for each permission’s action. For specific definition examples, please see lib/MT/Core.pm.

permitted_actions

Hash to define a list of actions permitted for the user who have this permission.

inherit_from

A list of inheritance origins for this permission. Defined by references to the list.

Methods

MT::Permission::can_do

$perms->can_do($action)

The MT::Permission class can_do method determines whether users strung to this permission can run “$action.” If they can, 1 is returned, if not 0, and if it’s unclear, “undef” is returned.

$perms->can_do('login_to_cms')
  or return $app->errtrans('Access Denied');

MT::Author::can_do

$author->can_do($action, at_least_one => 1)
   or return $app->errtrans('Access Denied');

The MT::Author class can_do method determines whether “$author” is allowed to run “$action.” If allowed, it returns 1, if not, it returns 0, and if it’s unclear, it retunrs “undef.” By default, it determines run permissions on the system level (blog_id==0).

When the option “at_least_one” is true, it returns the result when at least one blog allows operations (including system level permissions).

MT::App::can_do

$perms->can_do($action)

The MT::App class can_do method determines whether currently logged in users can run “$action.” If yes, 1, if no, 0, and if unclear, “undef” is returned.

MT::App::can_do makes its determination according to currently logged in users and the current context’s blog_id. It also considers system level permissions (blog_id=0 permissions).

$app->can_do('login_to_cms')
    or return $app->errtrans('Access Denied');

Register a new permission from a plugin

This example registers a new permission from a plugin. The registered permissions will be displayed on “Edit Role” screen.

permissions:
   blog.your_permission:
       group: blog_admin
       label: Your New Permission
       order: 350
       permitted_action:
           your_action: 1
           your_other_action: 1

group

Specify the role group.

  • blog_admin
  • auth_pub
  • blog_upload
  • blog_comment
  • blog_design
  • sys_admin (only system level)

label

The display name of the permission.

order

Ordering the permission in its role group.

Binding a custom permission to a menu

This example restricts access to “my_menu” by the specified permission.

applications:
   cms:
       menus:
           tools:my_menu:
               label: Your Menu Label
               mode: your_mode
               order: 150
               view: blog
               permit_action: your_permissions
Back

1 Comment

geoff on August 31, 2012, 6:45 a.m. Reply

If I have understand it correctly I need to write several permissions for every user. Isn’t it too much coding?