The act of defining access policy for a peer.

Authorization is initialized for a request once it has been authenticated, by sending a #acl_logon{} notification. Should the session get logged out, loosing its authentication, the authorization is cleared as well by sending a #acl_logoff{} notification.

Once authorization has been initialized for a request context, operations against objects can be checked by the z_acl module from erlang code, and by the m_acl model from Templates.

The first point of contact for authorization is in the controller is_authorized/2 function. controller_page and controller_template checks for acl options in the dispatch rule that matched the current request.

Each controller is in charge of what checks to perform in the is_authorized/2 controller function. Both controller_page and controller_template support the acl option with a value of:

  • is_auth: request authorized to proceed processing if the session is authenticated.

  • logoff: request authorized to proceed, after removing any authentication from the session.

    Notice: this also clears any “remember me” cookie.

  • [{Action, Object}, ...]: request authorized to proceed if all operations are allowed.

Refer to the documentation of respective controller for a complete list of options available.

Requested operations are authorized by sending notifications to be checked by a ACL module.

This table lists the ACL notifications:

Notification Type Return Description
#acl_is_allowed{action, object} first boolean() Check if user is authorized to perform operation on object. Default is false.
#acl_is_allowed_prop{action, object, prop} first boolean() Check if user is authorized to perform operation on property of object. Default is true.
#acl_rsc_update_check{id}, Props foldl Props’ Filter properties about to be updated for a resource.
#acl_can_see{} first integer() Get max visible_for that the user can see.
#acl_logon{id} first Context Initialize context with the access policy for the context.
#acl_logoff{} first Context Clear the associated access policy for the context.
#acl_context_authenticated{} first Context Set the context to a typical user’s permissions, do not change the context if an user is logged on. Used by (for example) m.acl.authenticated.insert.article

Previous topic


Next topic

The notification system