ACL (Access Control List)

Community Auth has an Access Control List (ACL) to help give you finer control over permissions on your website. This feature does not perform authentication itself; it is only available after your user has been authenticated. To use this feature, you must design an interface or otherwise create ACL categories, actions, and records for your users.

ACL categories have their own table in the database, and as an example I will create one called “general”:

$this->db->insert('acl_categories', array(
  'category_code' => 'general',
  'category_desc' => 'General Permissions'
));
// Insert ID #1

We also need to create actions for the “general” category. I’ll create one with an asterisk as the name, which if applied to a user means they have permission to do anything in that ACL category. The other action is specific to viewing documents:

$this->db->insert('acl_actions', array(
  'action_code' => '*',
  'action_desc' => 'All Actions',
  'category_id' => 1
));
// Insert ID #1

$this->db->insert('acl_actions', array(
  'action_code' => 'view_documents',
  'action_desc' => 'View Documents',
  'category_id' => 1
));
// Insert ID #2

Then we can apply an ACL permission to a user like this:

$this->db->insert('acl', array(
  'action_id' => 1,
  'user_id' => 123456
));
// Gives user with user ID 123456 permission for all actions in the general category

$this->db->insert('acl', array(
  'action_id' => 2,
  'user_id' => 654321
));
// Gives user with user ID 654321 permission to view documents

In your controller or model, you might want to check if the user can view documents:

if( $this->acl_permits('general.view_documents') )
{
   // Let them view the document ...
}

You also have access to the ACL permissions in authentication variables, as long as you set the config option “add_acl_query_to_auth_functions” to TRUE, or call acl_permits at least once.

Notice: The ACL permissions array stored in the authentication variables has array elements where the ACL category and action codes are joined with a period. This is why in the example above you see that I am checking if ACL permits “general.view_documents”. It is important that category and action codes do not contain any periods, since a period inside a code would make the joined string ambiguous.
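The following controller is an added example and is not part of Community Auth or its documentation. It ties the two points above together: it refuses to insert an action code that would break the “category.action” join, and it gates a document view on acl_permits(), returning a 403 to an authenticated user who lacks the permission. The table and column names are the ones shown on this page; the Documents controller, its methods, the document_model call and the view name are hypothetical, and the example assumes Community Auth’s login requirement has already run for this controller (that call’s name varies by version, so it is not shown).

```php
<?php
// Added example, not Community Auth's own code. Assumes a CodeIgniter app
// where Community Auth is installed and MY_Controller provides acl_permits().
defined('BASEPATH') OR exit('No direct script access allowed');

class Documents extends MY_Controller
{
    /**
     * Reject any category or action code that would break the
     * "category.action" join used by acl_permits(). A period inside a code
     * (e.g. "gen.eral") would make the joined string ambiguous, so only
     * letters, digits and underscores are accepted, plus "*" for the
     * all-actions wildcard shown above.
     */
    private function acl_code_is_valid($code)
    {
        if ( ! is_string($code) || $code === '')
        {
            return FALSE;
        }

        return $code === '*' || preg_match('/^[a-z0-9_]+$/', $code) === 1;
    }

    /**
     * Create an action under an existing category (hypothetical admin helper;
     * the caller must already have confirmed the current user is an admin).
     * Uses the acl_actions columns exactly as shown on this page.
     */
    public function create_action($category_id, $action_code, $action_desc)
    {
        if ( ! $this->acl_code_is_valid($action_code))
        {
            show_error('ACL codes may contain only a-z, 0-9 and underscores, or be "*".', 400);
        }

        $this->db->insert('acl_actions', array(
            'action_code' => $action_code,
            'action_desc' => $action_desc,
            'category_id' => (int) $category_id
        ));

        // Return the new action_id so the caller can insert acl rows for users.
        return $this->db->insert_id();
    }

    /**
     * Serve a document only to a user holding general.view_documents. Because
     * the "*" action covers every action in its category, a user given action
     * ID 1 above passes this check as well. A user without the permission
     * gets an explicit 403 rather than a silently empty page.
     */
    public function view($doc_id)
    {
        // Assumes Community Auth's login requirement already ran for this
        // controller; acl_permits() is only meaningful for an authenticated user.
        if ( ! $this->acl_permits('general.view_documents'))
        {
            show_error('You do not have permission to view documents.', 403);
        }

        // Hypothetical model and view; replace with your own document storage.
        $doc = $this->document_model->get((int) $doc_id);
        $this->load->view('document', array('doc' => $doc));
    }
}
```

Validating codes at creation time is the only reliable place to enforce the no-period rule, because once a code such as “gen.eral” exists the permission strings built from it can no longer be split unambiguously.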

ACL Rather Than Roles

An interesting approach to your authorization needs may be to use only a single role for all of your users (except for admin, of course), and control what they can do by applying ACL permissions rather than deciding it from their role. This idea is a little extreme for larger websites, but larger websites could still benefit from the concept by reducing the number of roles they need.

For instance, using roles you may need different levels of employees, such as customer service people, managers, technicians, instructors, etc. If, instead of using roles to determine what they can do, you implemented ACL permissions for a single employee role, you’d be able to achieve the same thing. This flexibility is a great addition to Community Auth.