Filter files in items


I would like to filter attached files to an item. How can this be done (via Acl) ?


This might be trickier than I'd hoped, at least from a first glance and not testing different approaches.

One locus of trickiness is that it looks like the browse_sql hook might not apply to Files the way you used it with Items. Thus, the list of files for an item might not be filterable the same way. Not sure if that'll be a concern in your case.

Using the ACL, something analogous to what you did for the Items might do the trick. You'd create another assertion class that does the logic for Files in a similar way. (You might be able to put it in the same assertion class, too, and just branch around the class of the $resource passed in). I suspect that the approach that'd work would be, for a File passed in to the assertion class, you could get its Item with $file->getItem(), and use is_allowed to check permissions for the Item and return that.

This is all kind of guesswork so far, as I haven't tried it out directly. But that's at least what I'd start with.


I can't find the good way to find the right acl parameters. Even this one fail to give me something interresting :

array('Items', 'Collections', 'ElementSets', 'Files', 'Plugins',
	'Settings', 'Security', 'Upgrade', 'Tags', 'Themes',
	'SystemInfo', 'ItemTypes', 'Users', 'Search', 'Appearance',
array('add', 'batch-edit', 'batch-edit-save', 'edit', 'editSelf', 'editAll',
	'delete', 'deleteSelf', 'deleteAll', 'tag', 'showNotPublic', 'showSelfNotPublic',
	'untagOthers', 'makePublic', 'makeFeatured', 'modifyPerPage', 'browse',
	'show', 'showSelfNotPublic'),
new EmbargoAclAssertion);

Any idea ?

One thing to check is whether you are testing as a super user in the site. Most, if not all, ACL checks are skipped for them.

I dug around a bit more deeply, and the results are ... mixed, depending on the details of what you need.

On filtering the files on an Item page, an alternate approach to the browse_sql filter is file_markup. With that, you could check for permissions to view the Item or File, and simply return no HTML for displaying the file as needed.

The file/show.php page looks like it can be hidden via the ACL. Here's a gist of a skeleton that seems to work. It allows access to the items, but not the file for admin. So not the details you need, but might be a start down a helpful path. If building off of that works as expected, you could use is_allowed in the filter described above to do the checking.

That won't 100% hide the File, though. The direct link to the file would still be open due to our .htaccess file, but if the markup is not displayed anywhere it's doubtful that they'd be able to guess the direct URL to the file, since it is a big hash of a filename.

I'll investigate, thank you !

It doesn't work. It ask for a login acces when viewing items (ie: /items/show/5).

What is the purpose of "$acl->addResource('viewEmbargoedItems');" ?

Just to double-check with all the possible variations, here's some details about expected behavior in different situations.

When not logged in:
The redirect to login is what should happen. The $role won't be an object, so the Assertion returns true (that is, deny)

When logged in as super:
$role is the user object, so it still gives access to everything

When logged in as admin:
Permission is given to view Items, but not to view Files. That's really only true on show pages for Files -- not the list of Files on an Item show page

When logged in as anyone else:
Permission to Items and Files is denied.

Is that about what's happening, or is there a discrepancy someplace?

On the viewEmbargoedItems question -- yep, right now in the example code, it serves no purpose. It a built-up version, it's the sort of thing that you could use in your check for permissions if the logic for figuring out access needs to be more complicated.