SPIP restricted access

Dear community,

I would like to implement more restricted access to modification at the article level.

I have an extra field « allowed_authors » with each article, which lists the allowed authors.

I would now like to prevent any author who is not in this list from making any modifications to the article.

How is this best done?

Quick praise to SPIP: SPIP has impressed me in terms of rock solid stability and security. I recently upgraded an old SPIP 2 version to 3, and was impressed that the old squelette still worked after the upgrade. When I was using Drupal or WordPress, each upgrade created useless work porting the templates.

Cheers,
Urs

Hello Urs,

Try this plugin
https://contrib.spip.net/Acces-Restreint-3-0

to manage user access inside the private area.

Best regards,

Serge

Hi,

With the plugin « Accès restreint » you can create a group of users and restrict the access of some sections to this group.
However, this does not match your needs, because these areas become invisible, not only on modification.

But the authorisation mechanism lets you prevent some members from modifying your articles.
You need to change the authorisation #AUTORISER{modifier,article,#ID_ARTICLE}

Check https://programmer.spip.net/-Authorisation-management-
This chapter explains how to overload an existing authorisation (or create a new one).

In your case you only have to create a new function
autoriser_article_modifier($faire, $type, $id, $qui, $opt) { … }
in your plugin, and adapt it from the original function autoriser_article_modifier_dist() defined in ecrire/inc/authoriser.php

ty for your love and support of SPIP

.Gilles

Good Evening everyone,

Just FYI, I have successfully implemented custom restricted access / access control based on your feedback.

Instead of overwriting the authoriser_*_dist functions through a new plugin, I directly declared the new functions in the mes_options.php file.

For example, to explicitly only allow a user to modify their own profile, place in mes_options.php:

function autoriser_auteur_modifier($faire, $type, $id, $qui, $opt){
    //default deny access with false:
    $auth = false;
    //if logged in user is 1, then allow (set this to your webmaster account ID)
    if($qui['id_auteur'] == "1") {$auth = true;}
    //if logged in user is same as requested for edit, allow
    if($id == $GLOBALS['auteur_session']['id_auteur']) {$auth = true;}
    //return
    return $auth;
}

The same logic can be applied to the autoriser_article_modifier, autoriser_rubrique_modifier, autoriser_article_voir, etc., functions to create a custom restricted environment.

Best regards,

Urs

On 12/11/2017 at 20:01, Urs Riggenbach wrote:
> I have successfully implemented custom restricted access / access control based on your feedback.

> //if logged in user is 1, then allow (set this to your webmaster account ID)
> if($qui['id_auteur'] == "1") {$auth = true;}

FYI, instead of tweaking the id(s) to fit your settings, just use:
    if (autoriser('webmestre')) {$auth=true;}

JL
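
Applied to the original question, the advice in this thread could be combined as follows. This is an added example, not code posted by anyone in the thread or taken from SPIP. It assumes that `allowed_authors` is a column of `spip_articles` holding author ids separated by commas, and that an empty list denies everyone except webmasters; the helper name `allowed_authors_contains` is hypothetical.

```php
<?php
// Added example for config/mes_options.php; not code from the thread or from SPIP.
// Assumed: `allowed_authors` is a column of spip_articles holding author ids
// separated by commas, e.g. "3,12,27".

/** Return true when $id_auteur appears in the raw field value. */
function allowed_authors_contains($raw, $id_auteur) {
    $id_auteur = (int) $id_auteur;
    if ($id_auteur <= 0) {
        return false; // anonymous visitor or malformed session
    }
    $tokens = preg_split('/[\s,;]+/', trim((string) $raw), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($tokens as $token) {
        // ctype_digit() rejects "12abc", "-1" or "1e1", which a loose == could accept
        if (ctype_digit($token) && (int) $token === $id_auteur) {
            return true;
        }
    }
    return false; // an empty or unreadable list denies (assumed policy)
}

function autoriser_article_modifier($faire, $type, $id, $qui, $opt) {
    // Webmasters keep access, as suggested in the thread.
    if (autoriser('webmestre', '', 0, $qui)) {
        return true;
    }
    // intval() keeps the article id from injecting SQL into the WHERE clause.
    $raw = sql_getfetsel('allowed_authors', 'spip_articles', 'id_article=' . intval($id));
    $id_auteur = isset($qui['id_auteur']) ? $qui['id_auteur'] : 0;
    if (!allowed_authors_contains($raw, $id_auteur)) {
        return false;
    }
    // Listed authors must still pass SPIP's stock rule, so the list only narrows access.
    return autoriser_article_modifier_dist($faire, $type, $id, $qui, $opt);
}

// Offline check of the parser on constructed values (skipped when SPIP loads the file).
if (PHP_SAPI === 'cli' && !defined('_ECRIRE_INC_VERSION')) {
    var_dump(allowed_authors_contains('3, 12,27', 12));
    var_dump(allowed_authors_contains('3,12,27', 2));
    var_dump(allowed_authors_contains('', 5));
    var_dump(allowed_authors_contains('12abc,1e1', 12));
}
```

Because the function ends by delegating to `autoriser_article_modifier_dist()`, being on the list never grants more than SPIP would grant by default.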