acl
The m_acl model gives access the id of the currently logged in user, and provides a mechanism to do basic access control checks.
The following m_acl model properties are available in templates:
| Property | Description |
|---|---|
| user | Returns the current user id. If not logged in, this returns undefined. |
| is_admin | Check if the current user is alllowed to access the admin. Internally, this checks the use, mod_admin_config ACL. |
| use, admin, view, delete, update, insert, link | These properties are shortcuts to check if the current user is allowed to do some action. |
| is_allowed | Perform custom ACL checks which are different from the ones mentioned. |
| authenticated | Used before the other ACL checks to check if a typical user is allowed to perform some actions. Example: m.acl.authenticated.insert.article If a user is logged on the that user's permissions are used. |
This example prints a greeting to the currently logged in user, if logged in:
{% if m.acl.user %}
Hello, {{ m.rsc[m.acl.user].title }}!
{% else %}
Not logged in yet
{% endif %}This example checks if the user can access the admin pages:
{% if m.acl.is_admin %} You are an admin {% endif %}This example performs a custom check:
{% if m.acl.is_allowed.use.mod_admin_config %}
User has rights to edit the admin config
{% endif %}And to check if a resource is editable:
{% if m.acl.is_allowed.update[id] %}
User can edit the resource with id {{ id }}
{% endif %}A short hand for the above is (assuming id is an integer):
{% if id.is_editable %}
User can edit the resource with id {{ id }}
{% endif %}Available Model API Paths
| Method | Path pattern | Description |
|---|---|---|
get | /user/... | Return the current ACL user id from the request context. |
get | /sudo_user/... | Return the current sudo user id from the request context. |
get | /is_admin/... | Return whether the current user has admin rights. |
get | /is_admin_editable/... | Return whether admin users are editable in the current ACL setup. |
get | /is_read_only/... | Return whether the current ACL mode is read-only. |
get | /is_allowed/link/+subject/+predicate/+object/... | Check ACL permission for creating/using a link triple (+subject, +predicate, +object). |
get | /is_allowed/+action/+object/... | Check ACL permission for action +action on object +object. |
get | /authenticated/+action/+object/... | Check permission as an authenticated user under default ACL assumptions. |
get | /authenticated/is_allowed/+action/+object/... | Alias of the authenticated permission check for action +action on +object. |
get | /anonymous/+action/+object/... | Check permission as an anonymous user under default ACL assumptions. |
get | /anonymous/is_allowed/+action/+object/... | Alias of the anonymous permission check for action +action on +object. |
get | /link/+subject/+predicate/+object/... | Legacy shortcut for link permission check (same as /is_allowed/link/...). |
get | /+action/+object/... | Shorthand permission check for action +action on +object (same logic as /is_allowed/...). |
/+name marks a variable path segment. A trailing /... means extra path segments are accepted for further lookups.