Skip to content
  • Documentation >
  • Guide >
  • Permissions >
  • Limitation reference

Limitation reference

Blocking Limitation

A generic Limitation type to use when no other Limitation has been implemented. Without any Limitation assigned, a LimitationNotFoundException is thrown.

It is called "blocking" because it will always tell the permissions system that the User does not have access to any Policy the Limitation is assigned to, making the permissions system move on to the next Policy.
Identifier n/a (configured for ezjscore limitation FunctionList out of the box)
Value Class eZ\Publish\API\Repository\Values\User\Limitation\BlockingLimitation
Type Class eZ\Publish\Core\Limitation\BlockingLimitationType
Criterion used MatchNone
Role Limitation no

Possible values

Value UI value Description
<mixed> <mixed> This is a generic Limitation which does not validate the values provided to it. Make sure to validate the values passed to this Limitation in your own logic.

Configuration

As this is a generic Limitation, you can configure your custom Limitations to use it. Out of the box FunctionList uses it in the following way:

1
2
3
4
5
6
7
    # FunctionList is an ezjscore limitation, it only applies to ezjscore policies not used by
    # API/platform stack, so configure to use Blocking Limitation to avoid LimitationNotFoundException
    ezpublish.api.role.limitation_type.function_list:
        class: '%ezpublish.api.role.limitation_type.blocking.class%'
        arguments: ['FunctionList']
        tags:
            - {name: ezpublish.limitationType, alias: FunctionList}

Content Type Group Limitation

A Limitation to specify that only Users with at least one common direct User Group with the owner of content get the selected access right.
Identifier Group
Value Class eZ\Publish\API\Repository\Values\User\Limitation\UserGroupLimitation
Type Class eZ\Publish\Core\Limitation\UserGroupLimitationType
Criterion used eZ\Publish\API\Repository\Values\Content\Query\Criterion\UserMetadata( UserMetadata::GROUP )
Role Limitation no

Possible values

Value UI value Description
1 "self" Only a User who has at least one common direct User Group with the owner gets access

Content Type Group of Parent Limitation

A Limitation to specify that only Users with at least one common direct User Group with the owner of the parent Location of a Content item get a certain access right, used by content/create permission.
Identifier Content Type Group of Parent
Value Class eZ\Publish\API\Repository\Values\User\Limitation\ParentUserGroupLimitation
Type Class eZ\Publish\Core\Limitation\ParentUserGroupLimitationType
Criterion used n/a
Role Limitation no

Possible values

Value UI value Description
1 "self" Only a User who has at least one common direct User Group with owner of the parent Location gets access

Content Type Limitation

A Limitation to specify if the User has access to content with a specific Content Type.
Identifier Content Type
Value Class eZ\Publish\API\Repository\Values\User\Limitation\ContentTypeLimitation
Type Class eZ\Publish\Core\Limitation\ContentTypeLimitationType
Criterion used eZ\Publish\API\Repository\Values\Content\Query\Criterion\ContentTypeId
Role Limitation no

Possible values

Value UI value Description
<ContentType_id> <ContentType_name> All valid ContentType IDs can be set as value(s)

Content Type of Parent Limitation

A Limitation to specify if the User has access to content whose parent Location contains a specific Content Type, used by content/create.

This Limitation combined with ContentType Limitation allows you to define business rules like allowing Users to create "Blog Post" within a "Blog." If you also combine it with Owner of Parent Limitation, you effectively limit access to create Blog Posts in the Users' own Blogs.
Identifier Content Type of Parent
Value Class eZ\Publish\API\Repository\Values\User\Limitation\ParentContentTypeLimitation
Type Class eZ\Publish\Core\Limitation\ParentContentTypeLimitationType
Criterion used n/a
Role Limitation no

Possible values

Value UI value Description
<ContentType_id> <ContentType_name> All valid Content Type IDs can be set as value(s)

Language Limitation

A Limitation to specify if the User has access to work on the specified translation.

A user with this Limitation is allowed to:

  • Create new content with the given translation(s) only. This only applies to creating the first version of a Content item.
  • Edit content by adding a new translation or modifying an existing translation.
  • Publish content only when it results in adding or modifying an allowed translation.
  • Delete content only when it contains a translation into the specified language.
Identifier Language
Value Class eZ\Publish\API\Repository\Values\User\Limitation\LanguageLimitation
Type Class eZ\Publish\Core\Limitation\LanguageLimitationType
Criterion used eZ\Publish\API\Repository\Values\Content\Query\Criterion\LanguageCode
Role Limitation no

Possible values

Value UI value Description
<Language_code> <LanguageCode_name> All valid language codes can be set as value(s)

Location Limitation

A Limitation to specify if the User has access to content with a specific Location, in case of content/create the parent Location is evaluated.
Identifier Location
Value Class eZ\Publish\API\Repository\Values\User\Limitation\LocationLimitation
Type Class eZ\Publish\Core\Limitation\LocationLimitationType
Criterion used eZ\Publish\API\Repository\Values\Content\Query\Criterion\LocationId
Role Limitation no

Possible values

Value UI value Description
<Location_id> <Location_name> All valid Location IDs can be set as value(s)

New Section Limitation

A Limitation to specify if the User has access to (assigning) a given Section (to content).

In the section/assign Policy you can combine this with Section Limitation to limit both from and to values.
Identifier NewSection
Value Class eZ\Publish\API\Repository\Values\User\Limitation\NewSectionLimitation
Type Class eZ\Publish\Core\Limitation\NewSectionLimitationType
Criterion used n/a
Role Limitation no

Possible values

Value UI value Description
<Session_id> <Session_name> All valid session IDs can be set as value(s)

New State Limitation

A Limitation to specify if the User has access to (assigning) a given Object state to content.

In the state/assign Policy you can combine this with State Limitation to limit both from and to values.
Identifier NewState
Value Class eZ\Publish\API\Repository\Values\User\Limitation\NewObjectStateLimitation
Type Class eZ\Publish\Core\Limitation\NewObjectStateLimitationType
Criterion used n/a
Role Limitation no

Possible values

Value UI value Description
<State_id> <State_name> All valid state IDs can be set as value(s)

State Limitation

A Limitation to specify if the User has access to content with a specific Object state.
Identifier State
Value Class eZ\Publish\API\Repository\Values\User\Limitation\ObjectStateLimitation
Type Class eZ\Publish\Core\Limitation\ObjectStateLimitationType
Criterion used eZ\Publish\API\Repository\Values\Content\Query\Criterion\ObjectStateId
Role Limitation no

Possible values

Value UI value Description
<ObjectState_id> <ObjectState_name> All valid Object state IDs can be set as value(s)

Owner Limitation

A Limitation to specify that only the owner of the Content item gets the selected access right.
Identifier Owner
Value Class eZ\Publish\API\Repository\Values\User\Limitation\OwnerLimitation
Type Class eZ\Publish\Core\Limitation\OwnerLimitationType
Criterion used eZ\Publish\API\Repository\Values\Content\Query\Criterion\UserMetadata( UserMetadata::OWNER )
Role Limitation no

Possible values

Value UI value Description
1 "self" Only the User who is the owner gets access
2 "session" Deprecated and works exactly like "self" in public PHP API since it has no knowledge of user Sessions

Owner of Parent Limitation

A Limitation to specify that only the Users who own all parent Locations of a Content item get a certain access right, used for content/create permission.
Identifier Owner of Parent
Value Class eZ\Publish\API\Repository\Values\User\Limitation\ParentOwnerLimitation
Type Class eZ\Publish\Core\Limitation\ParentOwnerLimitationType
Criterion used n/a
Role Limitation no

Possible values

Value UI value Description
1 "self" Only the User who is the owner of all parent Locations gets access
2 "session" Deprecated and works exactly like "self" in public PHP API since it has no knowledge of user Sessions

Parent Depth Limitation

A Limitation to specify if the User has access to creating content under a parent Location within a specific depth of the tree, used for content/create permission.
Identifier Parent Depth
Value Class eZ\Publish\API\Repository\Values\User\Limitation\ParentDepthLimitation
Type Class eZ\Publish\Core\Limitation\ParentDepthLimitationType
Criterion used n/a
Role Limitation no

Possible values

Value UI value Description
<int> <int> All valid integers can be set as value(s)

Section Limitation

A Limitation to specify if the User has access to content within a specific Section.
Identifier Section
Value Class eZ\Publish\API\Repository\Values\User\Limitation\SectionLimitation
Type Class eZ\Publish\Core\Limitation\SectionLimitationType
Criterion used eZ\Publish\API\Repository\Values\Content\Query\Criterion\SectionId
Role Limitation yes

Possible values

Value UI value Description
<Session_id> <Session_name> All valid session IDs can be set as value(s)

SiteAccess Limitation

A Limitation to specify to which SiteAccesses a certain permission applies, used by user/login.
Identifier SiteAccess
Value Class eZ\Publish\API\Repository\Values\User\Limitation\SiteAccessLimitation
Type Class eZ\Publish\Core\Limitation\SiteAccessLimitationType
Criterion used n/a
Role Limitation no

Possible values

Value UI value Description
<siteaccess_hash> <siteaccess_name> Hash is calculated in the following way in legacy in default 64bit mode: sprintf( '%u', crc32( $siteAccessName ) )

Legacy compatibility notes

SiteAccess LimitationĀ is deprecated and is not used actively in public PHP API, but is allowed for being able to read / create Limitations for legacy.

Subtree of Location Limitation

A Limitation to specify if the User has access to content within a specific Subtree of Location, in case of content/create the parent Subtree of LocationĀ is evaluated.
Identifier Subtree of Location
Value Class eZ\Publish\API\Repository\Values\User\Limitation\SubtreeLimitation
Type Class eZ\Publish\Core\Limitation\SubtreeLimitationType
Criterion used eZ\Publish\API\Repository\Values\Content\Query\Criterion\Subtree
Role Limitation yes

Possible values

Value UI value Description
<Location_pathString> <Location_name> All valid location pathStrings can be set as value(s)

Usage notes

For more information on how to restrict User's access to part of the Subtree follow the example in the Admin management section.

Workflow Stage Limitation

A Limitation to specify if the User can edit content in a specific workflow stage.
Identifier WorkflowStage
Value Class API\Repository\Value\Limitation\WorkflowStageLimitation.php
Type Class Core\Security\Limitation\WorkflowStageLimitationType.php
Role Limitation no

Possible values

The Limitation takes as values stages configured for the workflow.

Workflow Transition Limitation

A Limitation to specify if the User can move the content in a workflow through a specific transition.
Identifier WorkflowTransition
Value Class API\Repository\Value\Limitation\WorkflowTransitionLimitation.php
Type Class Core\Security\Limitation\WorkflowTransitionLimitationType.php
Role Limitation no

Possible values

The Limitation takes as values transitions between stages configured for the workflow.