Access control
Access control list
The ACL defined in the app applies to records, not to blocks. Blocks are always accessible; if we do not want a block to render some information, we have to implement this in its Python file or use the view_permission setting.
Moreover, access control only affects direct HTTP access to records (opening a record URL, deleting a record via the JSON API, and so on); it does not affect what happens in block Python files.
For instance, in the Tutorial, if an anonymous visitor clicks the “Like” button on a page nobody has voted for yet, the like function will create a record. But an anonymous visitor would not be able to modify or delete this record through the JSON API.
The expected format is:

acl:
  rights:
    reader: [<list of users or groups>]
    author: [<list of users or groups>]
    editor: [<list of users or groups>]
  roles: {<role_id>: [<list of users or groups>]}

In a list of users or groups, '*' means everyone.
Access levels
The access levels are:
reader: can read all the records.
author: can read all the records, can create records, can modify/delete their own records.
editor: can read/modify/delete any record, can create records.
The access control settings are managed in the settings.yaml file in the app root folder.
Roles
Roles do not grant any specific rights on records; they can be defined freely. They are used in our Python functions to change the app behavior depending on the user.
For instance, we might have a role named ‘PurchaseManager’, and in our block we would display a “Validate purchase” button if the current user has the ‘PurchaseManager’ role.
Permissions on blocks
By default, blocks are accessible by anyone (including anonymous visitors).
By setting the view_permission attribute in a block’s YAML file, we can control access to this block. Its value is a list of users or groups.
Example:

elements:
  whatever: BASIC
view_permission:
  - PurchaseDepartment
  - eric

This block will be accessible only to members of the ‘PurchaseDepartment’ group and to Eric.
This restriction applies to direct block rendering and element calls, including REST calls.
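To make the two mechanisms on this page concrete (the record-level acl rights and roles from settings.yaml, and the block-level view_permission list), here is a small evaluator written as an added example. It is not the framework's own code and does not reproduce its internals; the dicts are the parsed form of a constructed settings.yaml and block YAML, the user, group and role names (alice, bob, Staff, PurchaseManager) are hypothetical, and the User type and every function name are assumptions made for the example. It implements the rules stated above: '*' means everyone, anonymous visitors match only '*', the three levels nest (editor > author > reader), authors may modify or delete only their own records, and a block with no view_permission is open to anyone.

```python
# Added example, not the framework's own code: evaluates the acl/rights,
# acl/roles and view_permission settings described on this page.
from dataclasses import dataclass, field

# Parsed form of a constructed settings.yaml (hypothetical names).
SETTINGS = {
    "acl": {
        "rights": {
            "reader": ["*"],          # everyone, including anonymous visitors
            "author": ["Staff"],      # a group
            "editor": ["alice"],      # a user
        },
        "roles": {"PurchaseManager": ["PurchaseDepartment", "eric"]},
    }
}

# Parsed form of a constructed block YAML file restricted by view_permission.
PURCHASE_BLOCK = {
    "elements": {"whatever": "BASIC"},
    "view_permission": ["PurchaseDepartment", "eric"],
}

# A block without view_permission: accessible by anyone.
PUBLIC_BLOCK = {"elements": {"whatever": "BASIC"}}

ANONYMOUS = None   # an anonymous visitor is represented by None


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = field(default_factory=frozenset)


def matches(principals, user):
    """True if the list names everyone ('*'), the user, or one of the user's groups.
    Anonymous visitors match only '*'."""
    if "*" in principals:
        return True
    if user is None:
        return False
    return user.name in principals or bool(user.groups & set(principals))


LEVELS = ("reader", "author", "editor")   # in increasing order of privilege


def access_level(settings, user):
    """Highest of reader/author/editor granted to the user, or None if none applies."""
    rights = settings.get("acl", {}).get("rights", {})
    level = None
    for name in LEVELS:
        if matches(rights.get(name, []), user):
            level = name
    return level


def can(settings, user, action, record_owner=None):
    """Record-level decision for direct HTTP access: read, create, modify or delete."""
    level = access_level(settings, user)
    if level is None:
        return False
    if action == "read":
        return True                      # every level can read all records
    if action == "create":
        return level in ("author", "editor")
    if action in ("modify", "delete"):
        if level == "editor":
            return True                  # editors touch any record
        if level == "author":            # authors touch only their own records
            return user is not None and record_owner == user.name
        return False
    raise ValueError(f"unknown action {action!r}")


def has_role(settings, user, role_id):
    """Roles grant no record rights; app code uses them to vary behaviour."""
    roles = settings.get("acl", {}).get("roles", {})
    return matches(roles.get(role_id, []), user)


def can_view_block(block, user):
    """Blocks are open to everyone unless view_permission restricts them."""
    if "view_permission" not in block:
        return True
    return matches(block["view_permission"], user)


if __name__ == "__main__":
    bob = User("bob", frozenset({"Staff"}))
    print("anonymous level:", access_level(SETTINGS, ANONYMOUS))
    print("bob deletes alice's record:", can(SETTINGS, bob, "delete", record_owner="alice"))
    print("eric sees purchase block:", can_view_block(PURCHASE_BLOCK, User("eric")))
```

The `can` function models only what the page says the ACL governs, direct HTTP access to records; it says nothing about what a block's Python file does, which (as in the Tutorial's like function) may create records on behalf of an anonymous visitor.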