Checking Permissions Against Other Users or Groups

Until now, every example of Permissions checking we've detailed involves checking permissions against the currently-logged-in user. Certainly, this is the most common use case for permissions – but what if you need to check permissions against a different user or group than the one you're in?

Check Current Page Against Guest Group

For example, what if you're writing pages to a custom cache, for static output? You only want to include those pages that can be viewed by the Guest group. You can't rely on simply checking whether the current user can view the page, because the current user might be an admin, who can view every page!

First, retrieve a permission key for the View Page permission:

$key = Key::getByHandle('view_page');

Next, set the permission object that you want to check against:

$key->setPermissionObject($page);

Now, we retrieve an access object for this particular key/object combination:

$access = $key->getPermissionAccessObject();
if (!$access) {
    return false;
}

If there is no access object, that means no one has been assigned to this particular key/object. But assuming someone has, we next retrieve an access entity for the Guest Group. Why an access entity? Because users or groups themselves aren't assigned to Permissions. Instead, everything goes through Access Entities; that way more complex permission assignments can occur.

$guestGroup = \Concrete\Core\User\Group\Group::getByID(GUEST_GROUP_ID); // Built-in constant, evaluates to the value of the Guest group, which is 1.
$entity = \Concrete\Core\Permission\Access\Entity\GroupEntity::getOrCreate($guestGroup);

Finally, we validate our access object against an array of access entities:

return $access->validateAccessEntities(array($entity));

And that's it! We've successfully checked whether the Guest group has access to the permission in question.

Check whether a Particular User can Download a Particular File

Here's another example. We have a particular user, and we want to see if they have access to download a particular file. But we're not necessarily logged in as that user.

First, retrieve a permission key for the View File permission:

$key = Key::getByHandle('view_file');

Next, set the permission object that you want to check against:

$file = \File::getByID(10);
$key->setPermissionObject($file);

Now, we retrieve an access object for this particular key/object combination:

$access = $key->getPermissionAccessObject();
if (!$access) {
    return false;
}

Now, get a User object for the particular user in question.

$info = \User::getByName('andrew');

Now that we have the user object in question, we need to retrieve all the access entities bound to that user:

$entities = \Concrete\Core\Permission\Access\Entity\Entity::getForUser($info);

$entities is now an array containing all relevant access entities for the user. Simply pass this to the access object as in the previous example, and you're done!

return $access->validateAccessEntities($entities);