Custom Policies¶
The content Repository uses Roles and Policies to give Users access to different functions of the system.
Any bundle can expose available Policies via a PolicyProvider
which can be added to IbexaCoreBundle's service container extension.
PolicyProvider¶
A PolicyProvider
object provides a hash containing declared modules, functions and Limitations.
- Each Policy provider provides a collection of permission modules.
- Each module can provide functions (e.g. in
content/read
"content" is the module, "read" is the function) - Each function can provide a collection of Limitations.
First level key is the module name which is limited to characters within the set A-Za-z0-9_
, value is a hash of
available functions, with function name as key. Function value is an array of available Limitations, identified
by the alias declared in LimitationType
service tag. If no Limitation is provided, value can be null
or an empty array.
1 2 3 4 5 6 7 8 9 10 |
|
Limitations need to be implemented as Limitation types and declared as services identified with ibexa.permissions.limitation_type
tag.
Name provided in the hash for each Limitation is the same value set in the alias
attribute in the service tag.
For example:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
|
YamlPolicyProvider¶
An abstract class based on YAML is provided: Ibexa\Bundle\Core\DependencyInjection\Security\PolicyProvider\YamlPolicyProvider
.
It defines an abstract getFiles()
method.
Extend YamlPolicyProvider
and implement getFiles()
to return absolute paths to your YAML files.
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
In config/packages/policies.yaml
:
1 2 3 |
|
Extending existing Policies¶
A PolicyProvider
may provide new functions to a module, and additional Limitations to an existing function.
It is however strongly encouraged to add functions to your own Policy modules.
It is not possible to remove an existing module, function or limitation from a Policy.
Integrating the PolicyProvider
into IbexaCoreBundle¶
For a PolicyProvider
to be active, you have to register it in the class src/Kernel.php
:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
|
Integrating custom Limitation types with the UI¶
To provide support for editing custom policies in the Back Office, you need to implement Ibexa\AdminUi\Limitation\LimitationFormMapperInterface
.
Next, register the service with the ibexa.admin_ui.limitation.mapper.form
tag and set the limitationType
attribute to the Limitation type's identifier:
1 2 3 4 5 |
|
If you want to provide human-readable names of the custom Limitation values, you need to implement Ibexa\AdminUi\Limitation\LimitationValueMapperInterface
.
Then register the service with the ibexa.admin_ui.limitation.mapper.form
tag and set the limitationType
attribute to Limitation type's identifier:
1 2 3 4 5 |
|
If you want to completely override the way of rendering custom Limitation values in the role view,
create a Twig template containing block definition which follows the naming convention:
ez_limitation_<LIMITATION TYPE>_value
. For example:
1 2 3 |
|
Add it to the configuration under ibexa.system.<SCOPE>.limitation_value_templates
:
1 2 3 4 5 |
|
Note
If you skip this part, Limitation values will be rendered using an ez_limitation_value_fallback
block as comma-separated list.
You can also provide translation of the Limitation type identifier by adding an entry to the translation file under the ezrepoforms_policies
domain.
The key must follow the naming convention: policy.limitation.identifier.<LIMITATION TYPE>
.
For example:
1 2 3 4 5 |
|