Composr Tutorial: Advanced access control
Written by Chris Graham (ocProducts)There are more ways that you could wish to control access than we have direct options within Composr.
Some software tries to make options for everything, but the result tends to be too many assumptions and too much configuration complexity. Our approach is to give you some additional general-purpose tools for defining your own permissions, giving you increased flexibility overall, while keeping the core permission system relatively intuitive.
If it is not enough to specify whether a member can access a specific page based on the available view permissions and overridden privileges, you can also set things up to deny access to pages based on the URL parameters they are opened with. This could be used, for example, to allow members to browse through download categories but not actually view any download entry.
The match-key permission system is not intended to be used unless really needed - it is there to provide additional control when page and privileges won't meet your unique needs.
To add a new match-key permission, go to the "Match-key page restriction" icon in the Security section of the Admin Zone.
An example match-key that would deny access for viewing download entries would be: _WILD:downloads:entry. Usergroups could be checked to deny members in those usergroups access to the website screen that actually views a download (type=entry is that interface).
At the bottom of the same screen you can choose what error message to display if someone is denied access. This is very useful if you have a specific reason for closing down access to something that you wish to explain.
Configure Match-key permissions from:
Admin Zone > Security > Match-keys
An example: controlling member-directory access
You may wish to prevent members viewing the member directory, but let them view their own profile
This cannot be done directly using page permissions because both actions go through the same module. Match-key permissions can be used effectively here though.
- Make sure the match_key_permissions addon is installed.
- If the "Single public zone" option is on then:
- Set to block all groups on :members:browse
- Set to block all groups on site:members:browse
Match-key error messagesYou can define custom error messages that show when an access-denied screen is shown on a particular match-key. You can also put in URLs and page-links instead of messages, and these will work to trigger a redirect (useful if you want to design an elaborate page, e.g. a signup page).
If you put in a URL instead of a match-key, it will automatically convert to a match-key.
If you put in some text between quote marks, matching will be done on the basis of matching this to success/notice/warning/error messages (which is broader than match-keys, as Composr is programmed to mostly only consider whether these match when showing access-denied screens). You can even combine quoted strings and match-keys, for a double condition, e.g.: site:downloads "There are no entries at this time" could be given a message of Nobody has added a download yet. As you can see, this has nothing really to do with permissions: we can use this system much more broadly, to do some quite detailed specification of how Composr should message the user.
A good example of match-key error messages is in the How to disable joining tutorial.
Controlling page display in detailYou may wish to only show certain parts of screens to particular usergroups. For example, you may want to 'tease' content to non-paying users.
To implement this, you need to switch to a template editing mind-set, rather than a permissions mind-set. Use normal Tempcode techniques to fence off or change the output of templates, either:
- by using the IS_IN_GROUP symbol
- working off the back of a standard permission's setting using something like the HAS_PRIVILEGE symbol)
Only groups 3, 4, 5, 6, 7, and 10, see this.
These techniques also work within Comcode pages.
Please rate this tutorial:
Have a suggestion? Report an issue on the tracker.