Access rights to modules

The rights are declared in the file app/Config/Rights.php. The rights of the modules managed directly in Ppci are declared in vendor/equinton/ppci/src/Config/Rights.php.

For any module (route) that needs to be protected, an entry must be added to the rights array, like this:

    protected array $rights = [
        // module (route) name => rights, any one of which grants access
        "storageConditionList" => ["consult"],
        "storageConditionChange" => ["param", "collection"],
        "storageConditionWrite" => ["param", "collection"],
        "storageConditionDelete" => ["param", "collection"],
    ];

The default rights managed by Ppci are as follows:

  • admin: access to administration modules
  • consult: consultation of information
  • manage: daily management
  • param: access to software parameters (role of the business administrator)

Other rights can be added to the application, as is the case in the example above with the collection right. They are declared in the acl* tables of the gacl schema.

When a protected module is accessed, the user's rights are computed by the RightsFilter filter (cf. principes.html), and access is granted only if the user holds at least one of the rights declared for that module in the $rights array.

Organization of rights in the database

Rights are managed in tables present in the gacl schema.

  • acllogin: list of user logins. If an account is created in the local identification database (logingestion table), a record is also created in this table.
  • aclappli: list of managed applications. Several sets of rights, sharing the same logins, can be managed from the same database. In practice, only one entry appears in this table. The value of aclappli must be identical to the configuration variable app.GACL_aco.
  • aclaco: list of rights declared in the application.
  • aclgroup: list of groups, which contain the logins and hold the rights. A group can inherit from another group: the rights associated with the parent group are also assigned to the group that inherits from it.
  • acllogingroup: table used to declare the logins associated with a group.
  • aclacl: table describing the rights held by a group.

In some cases (LDAP or CAS identification), and if automatic group recognition is enabled in the configuration, it is not necessary to declare the logins in the acllogin table. It is membership in a directory group, declared elsewhere in the aclgroup table, which will allow the rights to be assigned.

The rights allocation algorithm works as follows:

  • search for the groups to which the login belongs, either formally (declaration in the acllogingroup table), or inferentially (directory group declared in the aclgroup table), and then add every group inherited, transitively, by the groups found;
  • for each of these membership groups, search in the aclacl table for the rights assigned to the group; the login holds the union of these rights.
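As an added illustration (not Ppci's own code), the following model walks through the two steps above and then applies the RightsFilter rule for the $rights array shown at the top of the page. The table contents, group names, ids and the directory group name are constructed sample data; denying a module that has no $rights entry is this example's own choice, not something the page states.

```python
from collections import deque

# Constructed sample of the gacl tables; names, ids and the directory DN are invented.
ACLGROUP = {  # aclgroup: group id -> (name, parent group id, directory group it maps to)
    1: ("readers", None, "cn=readers,ou=groups"),
    2: ("curators", 1, None),  # inherits the rights of "readers"
    3: ("admins", 2, None),    # inherits "curators", hence "readers" too
}
ACLLOGINGROUP = {"alice": {3}, "bob": {2}}  # acllogingroup: login -> group ids
ACLACO = {"admin", "consult", "manage", "param", "collection"}  # aclaco: declared rights
ACLACL = {1: {"consult"}, 2: {"param", "collection"}, 3: {"admin"}}  # aclacl: group -> rights
RIGHTS = {  # mirrors the $rights array of app/Config/Rights.php
    "storageConditionList": ["consult"],
    "storageConditionChange": ["param", "collection"],
    "storageConditionWrite": ["param", "collection"],
    "storageConditionDelete": ["param", "collection"],
}

def groups_for_login(login, directory_groups=()):
    """Step 1: groups joined formally (acllogingroup) or through a directory group
    (aclgroup), plus every group they inherit from, transitively."""
    found = set(ACLLOGINGROUP.get(login, ()))
    for gid, (_, _, directory_group) in ACLGROUP.items():
        if directory_group is not None and directory_group in directory_groups:
            found.add(gid)
    seen, queue = set(), deque(found)
    while queue:  # 'seen' also stops an accidental inheritance loop in aclgroup
        gid = queue.popleft()
        if gid in seen or gid not in ACLGROUP:
            continue
        seen.add(gid)
        parent = ACLGROUP[gid][1]
        if parent is not None:
            queue.append(parent)
    return seen

def rights_for_login(login, directory_groups=()):
    """Step 2: union of the aclacl rights of each membership group, limited to aclaco."""
    rights = set()
    for gid in groups_for_login(login, directory_groups):
        rights |= ACLACL.get(gid, set())
    return rights & ACLACO

def is_allowed(login, module, directory_groups=()):
    """RightsFilter rule: access needs at least one of the module's declared rights.
    A module with no $rights entry is denied here (this example's choice)."""
    required = set(RIGHTS.get(module, ()))
    return bool(required & rights_for_login(login, directory_groups))
```

Calling rights_for_login("carol", directory_groups={"cn=readers,ou=groups"}) shows the LDAP/CAS case: carol has no acllogin row at all, yet receives "consult" through the directory group mapped in aclgroup.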