Definition
Automne distinguishes between sites that use client-side verification rights and sites that do not.
More simply, there are two cases:
- Visitors to your site can see all the published content (the case of a classic Internet site).
- Visitors to your site cannot see all the published content (in the case of an Intranet or Extranet, for example) and you would like to give people access only to certain information according to their rights.
This distinction is made in Automne through the "Activating client-side verification rights" parameter. This parameter can be configured via the Automne Parameters interface; the link can be found in the sidebar of Automne administration under the Administration tab.
We advise determining from the very beginning of your project whether it will be necessary to distinguish users according to their rights, and thus to have an authentication form on your site. If this is the case, the parameter "Activating client-side verification rights" must be activated.
Activating the parameter "Activating client-side verification rights" can significantly change the way you develop and administer your site.
It is therefore a decision which must be well thought out and which developers must take into account.
The "Technical aspects" heading (below) details more precisely how Automne puts rights verification in place.
Sites without client-side verification rights
The parameter "Activating client-side verification rights" does not need to be activated.
On your public site, no visitor can be identified because the site has no means of authentication (an authentication form, for example).
Because of this, Automne cannot distinguish users and rights are not verified. By default, each user thus has access to all the resources published on the site.
Sites with client-side verification rights
The parameter "Activating client-side verification rights" is activated.
On your site, each visitor is now identified by default as the visitor "Public user" (login "anonymous", ID 3).
As long as the visitor is not authenticated with their user account, they have the rights defined for "Public user".
Attention must be paid when defining "Public user" rights so that non-authenticated users are not given rights that are too broad or too limited.
If you encounter problems accessing certain data on your site when you are not identified, you must verify the access rights for the user "Public user".
If a visitor is authenticated using an authentication form created with the help of the form module, the visitor then has the rights assigned to their user account.
Technical aspects
The parameter "Activating client-side verification rights" corresponds to the constant APPLICATION_ENFORCES_ACCESS_CONTROL.
When this constant is set to true, the parameter is activated.
Activating or deactivating this parameter requires regenerating the entire site so that cached pages are recreated with the code necessary to verify visitor rights.
While this parameter is active, every display of a page and every display of a module element entails verifying the rights of the current user.
This parameter therefore has an impact on the general performance of your site; activating it is recommended only if there is a real need.
In PHP, a user object (CMS_profile_user) is automatically created via the variable $cms_user.
With the "system debugging" parameter activated, you can display the information for the current user on a web page with this code:
<?php
// Dump the current user object (requires the "system debugging" parameter)
pr($cms_user);
?>
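The decision rule described in the sections above, modelled as a stand-alone PHP script. This is an added example, not Automne code: the function names, the rights table and the page IDs are constructed for illustration, and $enforce stands in for APPLICATION_ENFORCES_ACCESS_CONTROL.

```php
<?php
// Added illustration: a stand-alone model of the rule described on this page.
// None of these names are Automne APIs; all data below is constructed.
const PUBLIC_USER_ID = 3; // "Public user" (login "anonymous"), as stated on the page

// Constructed rights table: user ID => IDs of the pages that user may view.
$rights = [
    PUBLIC_USER_ID => [1, 2, 7],    // page 7 is deliberately over-broad here
    42             => [1, 2, 5, 7], // hypothetical authenticated account
];
$restricted = [5, 7]; // constructed: pages intended for authenticated users only

/** Unauthenticated visitors (null) act as "Public user". */
function effectiveUserId(?int $authenticatedId): int
{
    return $authenticatedId ?? PUBLIC_USER_ID;
}

/** Decide whether a page may be displayed to the current visitor. */
function canView(int $pageId, ?int $authenticatedId, bool $enforce, array $rights): bool
{
    if (!$enforce) {
        return true; // parameter off: rights are not verified at all
    }
    $allowed = $rights[effectiveUserId($authenticatedId)] ?? []; // unknown user: deny
    return in_array($pageId, $allowed, true);
}

/** Audit: restricted pages that "Public user" is nevertheless allowed to view. */
function publicOverexposure(array $rights, array $restricted): array
{
    return array_values(array_intersect($rights[PUBLIC_USER_ID] ?? [], $restricted));
}

var_dump(canView(5, null, false, $rights)); // parameter off, anonymous, restricted page
var_dump(canView(5, null, true, $rights));  // parameter on, anonymous, restricted page
var_dump(canView(5, 42, true, $rights));    // parameter on, authenticated account 42
var_dump(canView(7, null, true, $rights));  // parameter on, anonymous, over-broad right
print_r(publicOverexposure($rights, $restricted)); // audit of "Public user" rights
```

The last call is the check worth running against real rights data: any restricted page it returns is visible to visitors who have not authenticated.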
To find out more:
For more information on this subject, don't hesitate to consult the forum.