Example of access permissions integration

Suppose you have your own custom module named Example and you need to integrate access permissions for it.

  1. The first step defines the list of available actions:
    <?php
    namespace Bitrix\Example\Access;
    
    class ActionDictionary
    {
      public const
        ACTION_CREATE = 'create',
        ACTION_EDIT = 'edit';
    }
    
  2. Create a permissions dictionary:
    <?php
    namespace Bitrix\Example\Access\Permission;
    
    class PermissionDictionary 
      extends \Bitrix\Main\Access\Permission\PermissionDictionary
    {
      public const
        EXAMPLE_CREATE = 1, // permission to create records
        EXAMPLE_EDIT_OWN = 2, // permission to edit your records
        EXAMPLE_EDIT_ALL = 3; // permission to edit all records
    }
    
  3. Create its language file:
    <?php
    $MESS["EXAMPLE_CREATE"] = "Create records";
    $MESS["EXAMPLE_EDIT_OWN"] = "Edit your records";
    $MESS["EXAMPLE_EDIT_ALL"] = "Edit all records";
    
    // The block below is optional; if such strings are defined, they are shown as hints in the access permissions settings table
    $MESS["HINT_EXAMPLE_EDIT_ALL"] = "This permission allows user to edit absolutely all records.";
    
  4. Create ORM classes:
    • <?php
      namespace Bitrix\Example\Access\Permission;
      
      use Bitrix\Main\Access\Permission\AccessPermissionTable;
      
      class ExamplePermissionTable extends AccessPermissionTable
      {
         public static function getTableName()
         {
            return 'b_example_permission';
         }
      }
      

    • <?php
      namespace Bitrix\Example\Access\Role;
      
      use Bitrix\Main\Access\Role\AccessRoleTable;
      
      class ExampleRoleTable extends AccessRoleTable
      {
      
         public static function getTableName()
         {
            return 'b_example_role';
         }
      }
      

    • <?php
      namespace Bitrix\Example\Access\Role;
      
      use Bitrix\Main\Access\Role\AccessRoleRelationTable;
      
      class ExampleRoleRelationTable extends AccessRoleRelationTable
      {
         public static function getTableName()
         {
            return 'b_example_role_relation';
         }
      }
      
  5. Create the controller:
    <?php
    namespace Bitrix\Example\Access;
    
    use Bitrix\Main\Access\User\AccessibleUser;
    use Bitrix\Main\Access\BaseAccessController;
    use Bitrix\Main\Access\Model\UserModel;
    use Bitrix\Main\Access\AccessibleItem;
    
    class ExampleAccessController extends BaseAccessController
    {
       protected function loadItem(int $itemId = null): AccessibleItem
       {
          return ExampleModel::createFromId($itemId); // model creation is not covered here; every module has its own model
       }
    
       protected function loadUser(int $userId): AccessibleUser
       {
          return UserModel::createFromId($userId);
       }
    }
    
  6. Let's proceed to creating the necessary rules. Our example defines two actions (two operations), so two rules are required. As an example, we'll implement the rule for record editing.
    <?php
    
    namespace Bitrix\Example\Access\Rule;
    
    use Bitrix\Main\Access\AccessibleItem;
    use Bitrix\Example\Access\Permission\PermissionDictionary;
    
    class ExampleEditRule extends \Bitrix\Main\Access\Rule\AbstractRule
    {
       public function execute(AccessibleItem $item = null, $params = null): bool
       {
          // admin can do everything
          if ($this->user->isAdmin())
          {
             return true;
          }
    
          // users with permission to edit all records
          if ($this->user->getPermission(PermissionDictionary::EXAMPLE_EDIT_ALL))
          {
            return true;
          }
    
          // users with permission to edit their own records; without an item
          // there is no owner to compare against, so deny (fail closed)
          if ($item === null)
          {
            return false;
          }
          if (
            $item->getOwnerId() === $this->user->getUserId()
            && $this->user->getPermission(PermissionDictionary::EXAMPLE_EDIT_OWN)
          )
          {
            return true;
          }
    
          return false;
       }
    }
    
  7. Last step: add the check in the code locations that need it (usually in components that process user actions):
    if (!ExampleAccessController::can($userId, ActionDictionary::ACTION_CREATE))
    {
      // 403 error
    }
    
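As an added example, not from the original page, here is the second rule the text calls for (the one for the create action) together with a component-side helper that calls the controller for both actions. The class name ExampleCreateRule follows the page's ExampleEditRule pattern; that the controller resolves a rule from the action name this way, that can() takes the item id as its third argument, and the isActionAllowed helper itself are assumptions, not framework behaviour stated on the page.

```php
<?php
// Added example, not from the page: the create rule and a component-side
// check. Braced namespaces keep both in one file.
namespace Bitrix\Example\Access\Rule {
    use Bitrix\Main\Access\AccessibleItem;
    use Bitrix\Example\Access\Permission\PermissionDictionary;

    // Rule for ActionDictionary::ACTION_CREATE, named after the ExampleEditRule
    // pattern; how the controller maps an action to its rule class is assumed.
    class ExampleCreateRule extends \Bitrix\Main\Access\Rule\AbstractRule
    {
        public function execute(AccessibleItem $item = null, $params = null): bool
        {
            // Creation involves no existing record, so $item is not consulted.
            if ($this->user->isAdmin())
            {
                return true;
            }
            // Deny unless EXAMPLE_CREATE is granted to this user.
            return (bool)$this->user->getPermission(PermissionDictionary::EXAMPLE_CREATE);
        }
    }
}

namespace Bitrix\Example\Component {
    use Bitrix\Example\Access\ActionDictionary;
    use Bitrix\Example\Access\ExampleAccessController;

    // Hypothetical helper for a component: $itemId is the record being edited
    // (null for create). Every path that is not an explicit allow is a deny.
    function isActionAllowed(int $userId, string $action, ?int $itemId = null): bool
    {
        switch ($action)
        {
            case ActionDictionary::ACTION_CREATE:
                return ExampleAccessController::can($userId, $action);
            case ActionDictionary::ACTION_EDIT:
                // ExampleEditRule compares the owner, so the item id must reach
                // the controller (can()'s third argument is assumed here).
                if ($itemId === null)
                {
                    return false;
                }
                return ExampleAccessController::can($userId, $action, $itemId);
            default:
                return false; // unknown action: fail closed
        }
    }
}
```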

To configure the permissions, create a component based on BX.UI.AccessRights. An example can be found in tasks/install/components/bitrix/tasks.config.permissions.



© «Bitrix24», 2001-2024