ACL vs. (and) System pages
This Boilerplate contains two different kinds of access control.
System pages (login, profile, administration) use their own access control. The roles needed to access the administration are defined in the main config.
The ACL itself is provided by the Auth library and the user groups defined within it (some of them may be disabled by config).
Each user is assigned to one or several groups. Every group has a power-of-two value (bitmask, 2^(n-1) for the n-th group); the values of the user's groups are combined (bitwise OR, which for distinct bits is the same as their sum) into one final number, the user mask.
The access to each page can be defined based on user groups.
As long as the page is not marked as a sys page and the ACL is not deactivated, every access is matched against the ACL rules.
Each ajax call contains a token which lets the backend identify the requester and the user group mask.
The access control has to be added to each backend manually, by checking the allowed mask against the user group mask:
if ( USERMASK & ACCESSMASK ) --> everything is OK
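The whole flow above, as an added example in Python. This is not the boilerplate's own code: the group table, the page table, the config keys (disabled_groups, admin_roles, acl_enabled), the token format and the helper names are assumptions made for illustration. It shows the power-of-two group values, how a user mask is built and disabled groups are stripped, the sys-page / ACL-off bypass, and the USERMASK & ACCESSMASK check a backend performs on the mask carried by the ajax token. Because that mask travels with the request, the example signs the token with an HMAC and rejects a token whose mask has been altered, which is what a practitioner should verify in the real backend before trusting the mask.

```python
import base64
import hashlib
import hmac
import json
from enum import IntFlag


# Hypothetical group table: the n-th group owns bit 2^(n-1).
class Group(IntFlag):
    GUEST = 1 << 0   # 1
    USER = 1 << 1    # 2
    EDITOR = 1 << 2  # 4
    ADMIN = 1 << 3   # 8


# Hypothetical main config: groups disabled by config, the roles that may use
# the administration pages, and the ACL on/off switch.
CONFIG = {
    "disabled_groups": Group.GUEST,
    "admin_roles": Group.ADMIN,
    "acl_enabled": True,
}

# Hypothetical page table: required mask per page; sys pages use their own
# control instead of the ACL (mask 0 on a sys page means open to everyone).
PAGES = {
    "/news": {"mask": Group.USER | Group.EDITOR | Group.ADMIN, "sys": False},
    "/editor": {"mask": Group.EDITOR | Group.ADMIN, "sys": False},
    "/login": {"mask": 0, "sys": True},
    "/admin": {"mask": CONFIG["admin_roles"], "sys": True},
}

SECRET = b"constructed-demo-secret"  # server-side key, constructed for the example


def user_mask(groups, disabled=CONFIG["disabled_groups"]):
    """Combine a user's groups into one number (bitwise OR == sum of distinct
    power-of-two values) and strip the groups disabled by config."""
    mask = 0
    for g in groups:
        mask |= int(g)
    return mask & ~int(disabled)


def may_access(page, usermask, acl_enabled=CONFIG["acl_enabled"]):
    """Page access: sys pages use their own rule, a deactivated ACL lets
    everything through, otherwise it is the single bitwise AND."""
    entry = PAGES[page]
    if entry["sys"]:
        return entry["mask"] == 0 or bool(usermask & entry["mask"])
    if not acl_enabled:
        return True
    return bool(usermask & entry["mask"])


def make_token(user_id, usermask, key=SECRET):
    """Token handed to the client for ajax calls: base64 payload + HMAC."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"uid": user_id, "mask": int(usermask)}).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def parse_token(token, key=SECRET):
    """Return (uid, mask) or None when the signature does not verify. The
    mask comes from the client, so its integrity must be checked first."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(base64.urlsafe_b64decode(payload))
    return data["uid"], int(data["mask"])


def backend_allowed(token, accessmask, key=SECRET):
    """The manual check every ajax backend has to perform:
    if ( USERMASK & ACCESSMASK ) --> everything is OK."""
    parsed = parse_token(token, key)
    if parsed is None:
        return False
    _, usermask = parsed
    return bool(usermask & int(accessmask))


def forge_mask(token, new_mask):
    """What a tampering client would try: keep the signature, raise the mask."""
    _, sig = token.split(".", 1)
    payload = base64.urlsafe_b64encode(
        json.dumps({"uid": 0, "mask": int(new_mask)}).encode()).decode()
    return payload + "." + sig


if __name__ == "__main__":
    mask = user_mask([Group.USER, Group.EDITOR])        # 6
    token = make_token(42, mask)
    print(may_access("/editor", mask), may_access("/admin", mask))
    print(backend_allowed(token, Group.EDITOR),
          backend_allowed(forge_mask(token, 15), Group.ADMIN))
```

Note that `may_access` is the per-page check done centrally, while `backend_allowed` is the check that, as the page says, has to be repeated in each ajax backend; forgetting it on one endpoint leaves that endpoint open to every authenticated user regardless of group.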