Module authentication overhaul

Sam Sehnert requested to merge custom/features/am_auth_overhaul into custom/art_money

Rewriting authentication checks to allow configuration of role-based access at a module level

What I did

All CMS authentication checks have been converted to module access calls. Use of the ZON_ROLE_ADMIN constant has been removed entirely from Zon core.

  • Added module_access and module_access_roles methods to allow role checks for module configs.
  • Added module_access controller loader for easier checks in the controller
  • Added module_access API auth for easier checks in APIs
  • Updated API documentation with module_access notes
  • Improved handling of unauthorised checks for logged in users
  • No longer redirects to auth/unverified controller, just displays the unverified view instead.
  • Updated authentication across all controllers to use module_access, which is configurable per-module, instead of using the ZON_ROLE_ADMIN constant, which is global.
  • Added module_access checks to the navigation views
  • Nav items will not show if the logged-in user doesn't have access
  • published_role now defaults to 'editor' instead of the now removed ZON_ROLE_ADMIN constant.
  • Blog models also allow 'author' to see non-published content.
  • Make sure the right users get access to dashboard content

Implications

None of these affect ArtMoney, or they have otherwise been taken care of in the us_launch/features/region_groups branch.

  • May cause a problem if auth/unverified controller has been overwritten in order to load extra content for the view.
  • Requires upgraders to add the module_access config to their site/application/config/access.php file.
  • Best practice would be to remove use of ZON_ROLE_ADMIN from all sites, and convert to use of module_access instead, though ZON_ROLE_ADMIN will still work for custom modules.
  • A fallback on 'editor' privileges if no config exists for a given module may be confusing.
  • All other behaviours should be functionally the same in default Zon installs.
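To make the per-module config and the 'editor' fallback described above concrete, here is an added illustration. It is not code from this merge request or from Zon core; the function names (module_access, module_access_roles, nav_items), the $config['module_access'] array shape, the module names and the roles other than 'editor' and 'author' are all assumptions made for the example. Its point is the fallback case: a module with no entry in access.php silently inherits 'editor' access, so the check logs that it fell back, which makes the behaviour visible when reviewing who can reach what.

```php
<?php
// Added illustration only: not Zon's implementation. Models a per-module
// role config (as the merge request describes for
// site/application/config/access.php) and an access check that falls back
// to 'editor' when a module has no entry. All names are assumed.

declare(strict_types=1);

// Constructed example config; module and role names are made up except
// 'editor' and 'author', which the merge request mentions.
$config = [];
$config['module_access'] = [
    'blog'      => ['admin', 'editor', 'author'],
    'dashboard' => ['admin', 'editor'],
    'settings'  => ['admin'],
];

// Roles a module falls back to when it has no explicit entry.
const MODULE_ACCESS_DEFAULT_ROLES = ['editor'];

/**
 * Return the roles allowed to use $module. When the module is not
 * configured, return the default roles and set $explicit to false so the
 * caller can tell a deliberate grant from the fallback.
 */
function module_access_roles(array $config, string $module, ?bool &$explicit = null): array
{
    if (isset($config['module_access'][$module])) {
        $explicit = true;
        return $config['module_access'][$module];
    }
    $explicit = false;
    return MODULE_ACCESS_DEFAULT_ROLES;
}

/**
 * Decide whether a user holding $userRole may use $module.
 * A missing role (user not logged in) is always denied.
 */
function module_access(array $config, string $module, ?string $userRole): bool
{
    if ($userRole === null || $userRole === '') {
        return false;
    }

    $roles = module_access_roles($config, $module, $explicit);
    if (!$explicit) {
        // Make the fallback visible rather than silently granting editor access.
        error_log(sprintf(
            "module_access: no config entry for '%s', falling back to [%s]",
            $module,
            implode(', ', MODULE_ACCESS_DEFAULT_ROLES)
        ));
    }

    // Strict comparison so role names are matched exactly.
    return in_array($userRole, $roles, true);
}

/**
 * Navigation filtering: keep only the modules the user may access.
 * 'reports' has no config entry, so it is decided by the fallback.
 */
function nav_items(array $config, ?string $userRole): array
{
    $items = ['blog', 'dashboard', 'settings', 'reports'];
    return array_values(array_filter(
        $items,
        fn(string $module): bool => module_access($config, $module, $userRole)
    ));
}

// Walk through the cases a reviewer would want to see side by side.
foreach ([['settings', 'editor'], ['blog', 'author'], ['reports', 'editor'], ['reports', 'author'], ['blog', null]] as [$module, $role]) {
    printf("%-10s %-8s %s\n", $module, $role ?? '(anon)', module_access($config, $module, $role) ? 'allow' : 'deny');
}
print_r(nav_items($config, 'author'));
```

When auditing a site after upgrading, the error_log line is the useful part: every module that appears there is one that is relying on the implicit 'editor' grant and should probably get an explicit entry in access.php.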

Setup

You'll need to check out the us_launch/features/region_groups branch, and run Migration 26. May need to re-number the migrations in your DB.

How to test

For ArtMoney, test this functionality on the us_launch/features/region_groups branch. Don't test the general use cases, only the AM specific ones, as this will be issued as a Merge request directly to Zon Core.

  • Ensure modules are only visible & accessible by users in the correct group, as defined by module_access in config/access.php
  • Ensure unverified view gets displayed correctly when a user tries viewing something they shouldn't.
  • Make sure unauthorised users can view blog content (but no draft content).
  • Make sure editors can still edit the site content correctly via CMS and editable.

Task: https://preview.gotasman.com/task/detail/41811