About:Access control

From ZenMagick Wiki


Authentication

ZenMagick comes with its own code implementing access control. Users are classified into three different levels of authentication:

Anonymous
This is the lowest level and the default for each new session.
Guest
The middle ground. A user becomes a guest when she opts to check out without registering (aka guest checkout). Since some information is provided by the user, the user is no longer considered anonymous.
Registered
The highest level of authentication. The user has authenticated herself by providing an email/password for an existing account, or has created a new account.

Ensuring Authorization

The code handling authentication and authorization in ZenMagick is called SACS - Simple Access Control System. So, what does it do? Basically it enforces the use of SSL (if configured) and ensures that controllers are accessible only with the correct credentials.

The new class ZMSacsMapper looks and works similarly to ZMUrlMapper. An initial setup is loaded from core/settings/sacs_mapping.php, and themes, plugins and other code are free to build on that.

The two main functions are implemented in two corresponding class methods:

ensureAuthorization($controller)
This method is called in ZMController::process(), so all controllers inherit this feature. The method validates the current account type (anonymous, guest, registered) against the configured required authentication level. If nothing is configured, the default access level (generally the lowest level [anonymous]) is assumed. If the current account does not have a sufficient level of authentication, a redirect to the login page is returned. The original URL is saved and the user is redirected back to it after a successful login.
ensureAccessMethod($controller)
This method will, if configured via the setting isEnforceSSL, ensure that resources (i.e. pages) that are marked as secure can only be accessed using SSL. If a page marked as secure is accessed using plain HTTP, a redirect to the same URL using HTTPS is returned. (Note: this also requires isEnableSSL to be set to true.)
In contrast to ensureAuthorization($controller), this method is already called during the init procedure, so cached pages are affected as well.

Note: The default access level can be configured via the setting defaultAccessLevel. This means that, for example, by changing the setting to Registered, all pages would automatically require a login.
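The following is an added, self-contained PHP illustration of the behaviour described above (the three authentication levels, ensureAuthorization, ensureAccessMethod and the defaultAccessLevel fallback). It is not ZenMagick's ZMSacsMapper and does not use its API; the class name SacsMapperExample, the level constants, the mapping layout and the login/redirect URL format are assumptions made for this example. Only the setting names isEnforceSSL, isEnableSSL and defaultAccessLevel come from the page.

```php
<?php
// Added illustrative example, not ZenMagick's own code. All names below are
// assumptions except the settings isEnforceSSL, isEnableSSL and
// defaultAccessLevel, which the wiki page mentions.

// Authentication levels, ordered so that a higher number means more trust.
const LEVEL_ANONYMOUS  = 0;
const LEVEL_GUEST      = 1;
const LEVEL_REGISTERED = 2;

class SacsMapperExample
{
    /** @var array<string, array{level:int, secure:bool}> per-page requirements (assumed layout) */
    private array $mapping = [];
    private array $settings;

    public function __construct(array $settings)
    {
        // Settings named on the page; the defaults are chosen for this example.
        $this->settings = $settings + [
            'isEnableSSL'        => false,
            'isEnforceSSL'       => false,
            'defaultAccessLevel' => LEVEL_ANONYMOUS,
        ];
    }

    /** Register (or override) the requirements for one page/controller. */
    public function setMapping(string $page, int $level, bool $secure = false): void
    {
        $this->mapping[$page] = ['level' => $level, 'secure' => $secure];
    }

    /**
     * Mirrors ensureAuthorization(): compare the session's level with the
     * configured requirement. Returns null when access is allowed, otherwise a
     * login redirect that carries the original URL so the user can be sent
     * back after a successful login.
     */
    public function ensureAuthorization(string $page, int $sessionLevel, string $originalUrl): ?string
    {
        // Unmapped pages fall back to defaultAccessLevel, as the page describes.
        $required = $this->mapping[$page]['level'] ?? $this->settings['defaultAccessLevel'];
        if ($sessionLevel >= $required) {
            return null;
        }
        return '/index.php?main_page=login&redirect=' . rawurlencode($originalUrl);
    }

    /**
     * Mirrors ensureAccessMethod(): when SSL is both enabled and enforced and
     * the page is marked secure, a plain-HTTP request is redirected to the same
     * URL over HTTPS. Returns null when no redirect is needed.
     */
    public function ensureAccessMethod(string $page, string $requestUrl): ?string
    {
        if (!$this->settings['isEnableSSL'] || !$this->settings['isEnforceSSL']) {
            return null;
        }
        $secure = $this->mapping[$page]['secure'] ?? false;
        if ($secure && str_starts_with($requestUrl, 'http://')) {
            return 'https://' . substr($requestUrl, strlen('http://'));
        }
        return null;
    }
}

// Constructed demonstration data (not a real ZenMagick configuration).
$sacs = new SacsMapperExample(['isEnableSSL' => true, 'isEnforceSSL' => true]);
$sacs->setMapping('account', LEVEL_REGISTERED, true);
$sacs->setMapping('checkout_shipping', LEVEL_GUEST, true);
$sacs->setMapping('index', LEVEL_ANONYMOUS);

// Anonymous visitor opening the account page: sent to login, original URL kept.
var_dump($sacs->ensureAuthorization('account', LEVEL_ANONYMOUS, '/index.php?main_page=account'));
// Guest-checkout user on a guest-level page: allowed (null).
var_dump($sacs->ensureAuthorization('checkout_shipping', LEVEL_GUEST, '/index.php?main_page=checkout_shipping'));
// Secure page requested over plain HTTP: redirected to the HTTPS URL.
var_dump($sacs->ensureAccessMethod('account', 'http://shop.example/index.php?main_page=account'));
// Unmapped page falls back to defaultAccessLevel (anonymous here): allowed (null).
var_dump($sacs->ensureAuthorization('about_us', LEVEL_ANONYMOUS, '/index.php?main_page=about_us'));

// Raising defaultAccessLevel to registered makes every unmapped page require a login.
$strict = new SacsMapperExample(['defaultAccessLevel' => LEVEL_REGISTERED]);
var_dump($strict->ensureAuthorization('about_us', LEVEL_GUEST, '/index.php?main_page=about_us'));
```

The last two calls show the point of the note above: with the default left at anonymous an unmapped page is open to everyone, while setting defaultAccessLevel to registered turns every page without an explicit mapping into a login-only page, so a newly added controller is closed by default rather than open.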
