acl_is_allowed

Check if a user is authorized to perform an operation on a an object (some resource or module). Observe this notification to do complex or more fine-grained authorization checks than you can do through the ACL rules admin interface. Defaults to false.

Type:
first
Return:
true to allow the operation, false to deny it or undefined to let the next observer decide
#acl_is_allowed{} properties:
  • action: view|update|delete|insert|use|atom
  • object: term

Example

Deny anyone from viewing unpublished resource except those who have update rights on the resource (usually the creator and the administrator):

observe_acl_is_allowed(#acl_is_allowed{action = view, object = Id}, Context) ->
    case m_rsc:p_no_acl(Id, is_published_date, Context) of
        undefined ->
            %% Let next observer decide
            undefined;
        true ->
            %% Resource is published: let next observer decide
            undefined;
        false ->
            %% Resource is unpublished
            case z_acl:is_allowed(update, Id, Context) of
                true ->
                    %% User has update rights, so let next observer decide
                    undefined;
                false ->
                    %% Deny viewing rights on unpublished resource
                    false
            end
    end;
observe_acl_is_allowed(#acl_is_allowed{}, _Context) ->
    %% Fall through
    undefined.

In this observer, we return undefined in those cases where we do not want to deny access. We don’t grant the access right away but give the next observer the change to decide whether viewing is allowed (for instance, based on the resource’s category and content group and the user’s group).

Edit on GitHub

acl_logoff ACL notifications acl_is_allowed_prop

Referred by

mod_mqtt

MQTT is a machine-to-machine (M2M)/“Internet of Things” connectivity protocol. It was designed as an extremely…