Summary: Adding an auth level and page attribute
Version: 2011-12-23
Maintainer: HansB
Categories: Security Fox
Users: (view? / edit)

Questions answered by this recipe

How can I restrict posting of comments or other content via a Fox form to logged in users, without giving these users full page edit permission?


Adding an auth level or page attribute to control posting permissions.

Sometimes it may be desirable to only permit logged in users to post comments via a comment form like FoxCommentBox or FoxAuthUserCommentBox, but at the same time prohibit same users from editing the page. For such users we need an additional authorisation level, because these users need more than 'read' authorisation, and less than 'edit' authorisation.


Add a new auth level 'post' to config.php underneath where other site-wide passwords are set, and tying it into $AuthCascade:

$PageAttributes['passwdpost'] = '$[Set new post password:]'; //addition to attribute edit page
$DefaultPasswords['post'] = pmcrypt('guest'); //set site-wide password for 'post' 
$AuthCascade['edit'] = 'post'; //edit permission includes post permission
$AuthCascade['post'] = 'read'; //post permission includes read permission

This creates a new 'post' attribute (authorisation level), and sets a site wide admin password for that attribute, which prevents it to be 'clear' (not set) by default.
The other Page Attributes are 'read' 'edit', 'attr' and 'upload' if enabled.
A different word than 'post' could be used. We just replace the letters 'post' in the above with some others, in 'passwdpost', 'Set new post password:', $DefaultPasswords['post'].

The new 'post' attribute will appear on the Attribute form of a page or the GroupAttributes page when using ?action=attr. So now we can set a password, or user ids or @groups in the 'post' field for pages or on a GroupAttribute page, or we just use the one we defined site-wide in config.php. Having no passwords set via ?action=attr may speed up the page load.

Change Fox's default auth level to the new level 'post':

$FoxAuth = 'post';

Now users with 'post' authorisation are able to change page content via Fox forms.

Instead of setting $FoxAuth for site-wide use, we could narrow it to a specific group in which we want to have comments posted, for instance a 'UserForum' group:

$group = PageVar($pagename,'$Group');
if ($group=='UserForum') $FoxAuth = 'post';


Use the new 'post' (or whatever you named it) auth level by setting a page or group attribute via ?action=attr, i.e. setting a password, or when using AuthUser, a user id (id:username) or user @group in the attribute field.

Or set a sitewide general password for 'post' in config, for example 'mypostpassword', with

$DefaultPasswords['post'] = pmcrypt('mypostpassword');

The latter seems to result in faster page load times.


Change log / Release notes

If the recipe has multiple releases, then release notes can be placed here. Note that it's often easier for people to work with "release dates" instead of "version numbers".

See also



See discussion at AddingAuthLevels-Talk

User notes? : If you use, used or reviewed this recipe, you can add your name. These statistics appear in the Cookbook listings and will help newcomers browsing through the wiki.