Example of access permissions integration
Suppose you have your own custom module named Example and you need to integrate access permissions for it.
- The first step is to define the list of available actions (the string values are what you later pass to the access controller):
<?php
namespace Bitrix\Example\Access;

class ActionDictionary
{
    public const
        ACTION_CREATE = 'create',
        ACTION_EDIT = 'edit';
}
- Create a permissions dictionary:
<?php
namespace Bitrix\Example\Access\Permission;

class PermissionDictionary extends \Bitrix\Main\Access\Permission\PermissionDictionary
{
    public const
        EXAMPLE_CREATE = 1,   // permission to create records
        EXAMPLE_EDIT_OWN = 2, // permission to edit your own records
        EXAMPLE_EDIT_ALL = 3; // permission to edit all records
}
- and its language file:
<?php
$MESS["EXAMPLE_CREATE"] = "Create records";
$MESS["EXAMPLE_EDIT_OWN"] = "Edit your records";
$MESS["EXAMPLE_EDIT_ALL"] = "Edit all records";

// The HINT_* strings are optional; when present they are shown as hints
// in the access permissions settings table.
$MESS["HINT_EXAMPLE_EDIT_ALL"] = "This permission allows the user to edit absolutely all records.";
- Create ORM classes:
<?php
namespace Bitrix\Example\Access\Permission;

use Bitrix\Main\Access\Permission\AccessPermissionTable;

class ExamplePermissionTable extends AccessPermissionTable
{
    public static function getTableName()
    {
        return 'b_example_permission';
    }
}

<?php
namespace Bitrix\Example\Access\Role;

use Bitrix\Main\Access\Role\AccessRoleTable;

class ExampleRoleTable extends AccessRoleTable
{
    public static function getTableName()
    {
        return 'b_example_role';
    }
}

<?php
namespace Bitrix\Example\Access\Role;

use Bitrix\Main\Access\Role\AccessRoleRelationTable;

class ExampleRoleRelationTable extends AccessRoleRelationTable
{
    public static function getTableName()
    {
        return 'b_example_role_relation';
    }
}
- Create the access controller. It loads the item and the user that the rules will reason about:
<?php
namespace Bitrix\Example\Access;

use Bitrix\Main\Access\User\AccessibleUser;
use Bitrix\Main\Access\BaseAccessController;
use Bitrix\Main\Access\Model\UserModel;
use Bitrix\Main\Access\AccessibleItem;

class ExampleAccessController extends BaseAccessController
{
    protected function loadItem(int $itemId = null): AccessibleItem
    {
        // $itemId is null for actions that are not bound to an item (e.g. create);
        // cast it so the model receives an int and treats 0 as "no item".
        // Building the model is not covered here: every module has its own model.
        return ExampleModel::createFromId((int)$itemId);
    }

    protected function loadUser(int $userId): AccessibleUser
    {
        return UserModel::createFromId($userId);
    }
}
- Now create the rules. Our example defines two actions (two operations), so two rules are required. Rule classes are resolved from the action value and the controller's namespace, so check that each action string and its rule class name follow the naming convention expected by the main module's rule factory. As an example, we implement the rule for record editing:
<?php
namespace Bitrix\Example\Access\Rule;

use Bitrix\Main\Access\AccessibleItem;
use Bitrix\Example\Access\Permission\PermissionDictionary;

class ExampleEditRule extends \Bitrix\Main\Access\Rule\AbstractRule
{
    public function execute(AccessibleItem $item = null, $params = null): bool
    {
        // admin can do everything
        if ($this->user->isAdmin()) {
            return true;
        }

        // users with permission to edit all records
        if ($this->user->getPermission(PermissionDictionary::EXAMPLE_EDIT_ALL)) {
            return true;
        }

        // users with permission to edit their own records;
        // $item may be null when the check is called without an item id, so fail closed
        if (
            $item !== null
            && $item->getOwnerId() === $this->user->getUserId()
            && $this->user->getPermission(PermissionDictionary::EXAMPLE_EDIT_OWN)
        ) {
            return true;
        }

        return false;
    }
}
- Last step: add the check wherever the action is performed (usually in components or controllers that process user actions). Pass the item id for item-bound actions such as edit, otherwise the "own records" branch can never match:
if (!ExampleAccessController::can($userId, ActionDictionary::ACTION_CREATE)) {
    // 403 error
}

if (!ExampleAccessController::can($userId, ActionDictionary::ACTION_EDIT, $itemId)) {
    // 403 error
}
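The steps above skip the model that ExampleAccessController::loadItem() returns, yet ExampleEditRule relies on its getOwnerId(). The class below is an added example, not code from the original page or from the Bitrix code base. It assumes that ExampleTable is a hypothetical ORM table of the module's records with ID and OWNER_ID columns, and that Bitrix\Main\Access\AccessibleItem requires createFromId() and getId().

```php
<?php
// Added example (not part of the original page or of the Bitrix code base).
// Assumptions: Bitrix\Example\ExampleTable is a hypothetical ORM DataManager
// for the module's records with ID and OWNER_ID columns; AccessibleItem is the
// main-module interface with createFromId(int): AccessibleItem and getId(): int.

namespace Bitrix\Example\Access;

use Bitrix\Main\Access\AccessibleItem;
use Bitrix\Example\ExampleTable; // hypothetical ORM table of the module's records

class ExampleModel implements AccessibleItem
{
    /** @var static[] per-request cache: repeated checks on one item do not re-query */
    private static array $cache = [];

    private int $id;
    private int $ownerId;

    private function __construct(int $id, int $ownerId)
    {
        $this->id = $id;
        $this->ownerId = $ownerId;
    }

    public static function createFromId(int $itemId): AccessibleItem
    {
        if (!isset(self::$cache[$itemId])) {
            // Item id 0 (no item passed to can(), or a record that does not exist)
            // yields owner 0. No real user has id 0, so the EXAMPLE_EDIT_OWN
            // comparison in ExampleEditRule fails closed instead of throwing.
            $ownerId = 0;
            if ($itemId > 0) {
                $row = ExampleTable::getRow([
                    'select' => ['OWNER_ID'],
                    'filter' => ['=ID' => $itemId],
                ]);
                $ownerId = (int)($row['OWNER_ID'] ?? 0);
            }
            self::$cache[$itemId] = new static($itemId, $ownerId);
        }

        return self::$cache[$itemId];
    }

    public function getId(): int
    {
        return $this->id;
    }

    // Consumed by ExampleEditRule to decide the "edit own records" case.
    public function getOwnerId(): int
    {
        return $this->ownerId;
    }
}
```

Keeping the owner lookup inside the model (rather than inside the rule) means every rule that needs ownership gets the same, cached answer, and a missing record is represented explicitly instead of surfacing as a null dereference during an access check.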
To configure the permissions, create a component based on BX.UI.AccessRights. A working example is in tasks/install/components/bitrix/tasks.config.permissions.
© «Bitrix24», 2001-2024