access.pod - access control for administration of BSE
How to configure and enable access control for BSE administration.
As of release 0.12_13 of BSE, it provides a moderately powerful mechanism to control access to various administration functions, especially for maintaining content.
The aim is to provide flexible access control, without requiring micro-management from the administrators.
Internally BSE now provides for fairly fine-grained access to editing existing articles and creating new articles, hopefully without overloading the person who will manage the users and groups.
Make sure you create users with sufficient access control to maintain the system.
At the very least create a user and give them the User/Group management global permission.
Once you have at least created a user/groups administrator, set the access_control value to 1 in bse.cfg.
Once you've done that you will be prompted for a username and password whenever you try to access BSE's administration functions.
All permissions in BSE are positive - the permissions you give a user and their groups are combined together so that if the user has a right enabled for themselves, for any group they are a member of, or for the everyone group, they will have access to the function.
The permissions visible to the user administrator are split into two categories:
Global permissions - these apply in general, like access to the order list, or to user/group management. These can also include article permissions that have been applied to specific articles, or to subsets of the article tree.
Article permissions - these are applied to specific articles by the user administrator, and can control the article or all of the children of the article, depending on how the permission was setup.
BSE provides default sets of global and article permissions, but you can add extrs more specific to your business needs, see ADDING NEW PERMISSIONS.
The standard global permissions shipped with BSE are:
Shop admin - the user has complete access to modify the content in the shop
All but shop admin - the user has complete access to modify content, except in the shop
Subscriptions - the user can create, modify and send subcriptions from the subscriptions manager.
Shop Orders - the user can view the order list, order details and mark orders filled.
Users/Group management - the user can create new users and groups, manage group membership, and control the permissions that the users and groups have
The article permissions are:
Full access - the user can modify the article and any of it's children, and add new children.
Change body or title - the user can change the body and title of the indicated article. No other fields can be changed.
Besides the standard permissions described above, you can add permissions more specific to your organizaton by adding entries to a few sections in the bse.cfg file.
Each permission has a unique index associated with it. This must be a natural number (0 or a positive whole number).
Each permission has an identifier which is used to choose the configuration section that the permission is described in.
Article permissions are listed in the [Article permissions] section, and global permission in the [Global permissions] section, with the identifer being the key, and the index being the value. eg.
[Global permissions] shop_access = 1 all_but_shop = 3 subscriptions=4 orders=5 users_and_groups=6
[Article permissions] full_access = 0 change_body = 2
The identifier for each permission is used to find the description of the permission, for an identifier the section would be [permission identifier].
For article permissions you can define the following entries in the description:
brief - the brief description of the permission that is displayed in the administration user interface. Default: the permission identifier.
help - a longer description of the permission used as the title of the help images next to each permission. Default: empty string.
permissions - which low-level permissions are granted by this permission. See Describing low-level permissions. The permission will only be used if this is set.
descendants - if this is set to 1 then the permission also applies to the descendants of the article the permission is set on. Default: 0.
Group permission require only one extra entry:
articles - the articles this permission applies to. See Selecting articles for global permissions.
See the supplied bse.cfg for the definitions of the standard global and article permissions.
The permissions keyword is a comma separated list of permission
names, or patterns for permission names.
Typically you will either use explicit permission names, or a base name with a wildcard, but it's possible to use more complex matches.
Alternatively, the permission can be not(permission list)
where permission list is a comma separated list of permission names
or patterns.
Eg. if you want the permission to give the use access to all edit functions for the selected articles you could do:
permissions=edit_*
If you want to give the user access to edit and save all field of an article:
permissions=edit_field_edit_*,edit_save
Alternatively this could be:
permissions=edit_(field_edit_*|save)
but the first is probably clearer.
The patterns you can use, are effectively any perl regular expression, except that you're limited by the permissions field being split on commas, and the translation of '*' to '.*'. If you don't understand this, just use '*' to match anything.
See LOW-LEVEL ARTICLE PERMISSIONS and LOW-LEVEL GENERAL PERMISSIONS for descriptions of the permissions themselves.
The simplest form for the articles value is a list of article ids:
articles=3,9
You can also match articles that are children of a given article:
articles=childof(3)
or a given type of article:
articles=typeof(Product)
You can also to negate a set of articles:
articles=not(child(3),9)
These permissions are applied to specific articles, and depending on
whether the childof() operator or descendants flag is set, can apply
to the give article or it's children.
These control adding new articles and modifying the content of existing articles.
If you want a "macro" to allow all of the following, add 'edit_*' to the permissions keyword.
edit_save
The user can save changes to the given article. The user will also need appropriate permissions to modify the fields (edit_field_edit_fieldname).
edit_field_edit_fieldname
The user can edit the given field in an existing article. Note that the system may prevent editing of some fields even if you give them permission, like the title and summary fields of a product that have been used in an order.
To give permission to edit any field add 'edit_field_edit_*' to the permission description.
edit_add_child
The user can add a child to this article, or reparent an article to have this article as a parent.
edit_field_add_fieldname
The user can edit the give field when creating a new article. These permissions are applied to the parent where articles might be added.
For fields that the user doesn't have permission for, either the value from the [children of parentid] section, the [level level] section, or some default value will be used.
edit_reorder_children
The user can change the order of the children or stepchildren of the article.
edit_reorder_stepparents
The user can change the order of the stepparents of the article.
You can control whether a user can add, remove, reorder or change the details of the images attached to an article.
There is no control over individual images.
If you want to give users full image control, add 'edit_images_*' to the permissions entry.
edit_images_add
The user can add a new image.
edit_images_reorder
The order of the images can be changed.
edit_images_save
The fields for each image (url, alt text) can be changed.
edit_images_delete
Images can be deleted.
edit_files_reorder
The user can change the order of the files for the article(s).
edit_files_add
The user can add new files to the article(s).
edit_files_delete
The user can delete files from the article(s).
edit_files_save
The user can change the details for files from the article(s).
regen_article
The user can manually regenerate the article. This has no effect on auto-regeneration.
These are unusual in that you will need permission to modify both the parent and child in the given relationship. ie. if article A is a stepparent of article B, then you need both edit_stepkid_delete permission on A and edit_stepparent_delete permission on B.
edit_stepkid_add
The user can add stepchildren to this article.
edit_stepparent_add
The user can add stepparents to this article.
edit_stepkid_delete
The user can remove stepchildren from the article.
edit_stepparent_delete
The user can remove stepparents from the article.
edit_stepkid_save
The user can save the release and expiry date information for the stepchild links. The user must also have edit_stepparent_save rights on each stepparent.
edit_stepparent_save
The user can save the release and expire date information for the stepparent links. The user must also have edit_stepkid_save rights on each stepchild.
edit_reorder_stepparents
The user can reorder the stepparents of the article. Reordering of stepchildren is controlled by the edit_reorder_children permission.
These permissions don't apply to specific articles and control operations outside of the article tree. For the permissions to be applied they should be applied to article "-1" (the site)
subs_add
The user can create new subscriptions.
subs_edit
The user can edit existing subscriptions.
subs_delete
The user can delete existing subscriptions.
subs_send
The user can send subscriptions
These permissions provide no control over the content of the shop, since that can be controlled through article permissions.
To create a "macro" with access to all order management functions, use 'shop_order_*'.
shop_order_list
The user can view the list of orders.
shop_order_detail
The user can view the details of an order.
shop_order_filled
The user can mark orders as filled.
This controls whether a the user can manage users and groups.
Typically you will just want to add 'admin_*' to the permissions key for the macro.
These permissions assume a bit of foresight on the user - ie. that they won't delete the permissions they need to do their job.
admin_user_add
The user can create new users.
admin_user_save
The user can save changes to existing users.
admin_group_save_gperms
The user can set global permissions for users.
admin_user_save_groups
The user can save changes to the group membership of users.
admin_user_save_artrights
The user can save article rights for users.
admin_user_del
The user can delete users.
admin_group_add
The user can create groups.
admin_group_save
The user can save changes to groups.
admin_group_save_gperms
The user can save global permissions for groups.
admin_group_save_users
The user can save the membership for groups.
admin_group_save_artrights
The user can save article rights for groups.
admin_group_del
The user can delete groups.
regen_extras
The user can regenerate the extras and base pages.
regen_all
The user can regenerate the whole site.
bse_siteuser_export
The user can use the userlist.pl script (Download member list)
Tony Cook <tony@develop-help.com>
$Revision$