Controlling Access

From EIRMA Wiki

Quick Links
Overview and Tutorial Introduction Quick Tutorial
Pre-Installation Site Configuration Installation Installing LDM Upgrading Removing Post-Installation Speed, Security and Server Load Uploads, Downloads and Media Filetypes
Administration Introduction Control Settings Permissions Controlling Access Monitoring and Controlling Usage Database Imports and Exports Content Overview/Mass Editing Entry Attributes Where are Files Stored?
Moderation Introduction Design Layout and Design Advanced vbAdvanced Subscriptions Add-on Extras Media Players Mirrors Synchronising Categories and Directories Hacking LDM Search Engine Optimisation
Other Known Bugs Common Problems Wish List Version History Acknowledgements

Contents 1 Usergroup-based Permissions 2 Forum-based Access Control 2.1 Explanation 3 Requiring Users to Accept Standard Access Conditions 4 Examples

LDM provides two mechanisms for controlling access to the categories and entries in your database:

• a usergroup-based permissions system which is always active and
• a forum-based access control system which can be turned on and off.

Usergroup permissions are easier to set up and control. The forum-based system offers finer degree of control and easier synchronisation of access rights between LDM and the rest of your VBulletin board.

By default:

• the usergroup permission system makes all categories and entries visible to, and accessible by, all users, including those who are not logged on, but only allows administrators to create categories and entries
• the forums-based system is switched off.

The two mechanisms work in sequence. Each can deny access regardless of the permissions available using the other mechanism. This means that access to a category/entry is only granted:

• When forum-based access control is switched off and the usergroup permissions system authorises access, or
• When both forum-based access control and the usergroup permissions system authorise access

Administrators can view an entry's access rights by selecting the information icon that appears near the entry's hit count in the main displays.

Usergroup-based Permissions

The LDM Permissions can_view_category and can_access_link are used to grant and deny access on a per-usergroup basis. These permissions apply to the entire database or to individual categories. All entries in a category share the category's access rights, so it is not possible using this mechanism to places enties with different access rights in the same category.

Forum-based Access Control

Forum-based access control works by 'associating' individual categories and entries with board forums and then using the forum permissions to determine whether or not to allow access. This offers a finer level of access control than the Permissions-based system. Forum-based access control enables you to:

• Assign different permissions to individual entries within categories.
• Use the forum-based password protection mechanism to require a password in order to gain access.

Forum association is also used for other purposes:

• Users with can_set_permissions privilege can automagically create (and subsequently remove) links that take users between the category and its parent forum so that users can jump easily between the category and the forum.
• Users who have permission to moderate the specified forum in VB can also moderate categories associated with that forum and all links in these categories.
• The autothread_create feature is used to automagically create threads announcing new entries, either in the associated forum or in the forum identified using the autothread_forum parameter.

Explanation

Each entry and each category has an optional 'associated forum', which can point to any forum on your board, including linked forums. The main purpose of this linkage is to make use of the forum's access permissions. Users can only see and access an entry or category if:

• they are a member of a usergroup that has (vBulletin) can_view_forum and can_view_others_threads rights to this associated forum, or
• the category/entry has no associated forum.

By default, each category/entry is associated with the LDM->Administer->Settings default_forumid. This can be set to None or can point to one of your forums. Initially, default_forumid has the value None, so all categories and entries are by default visible to all users.

• When categories are created, their associated forum is taken from the current value of default_forumid, unless the user has authority to establish another choice and explicitly does so.
• When new entries are added to the category, they are automatically associated with the category's forum, unless the user has the right to establish another choice and explicitly does so.

A user must have can_set_permissions privilege in order to establish or change the forum association from its default value.

• Users with can_set_permissions permission see a drop-down forum selection menu on the Add and Edit Category and Entry forms. This menu includes a list of forums (but see next bullet point) to which the current user has access. In other words, she can only associate an entry with a forum to which he is allowed access.

• The selection menu omits any forums for which the VB administrator has unset "Show this Forum and Child Forums on the Forum Jump Menu", regardless of the user's rights to access that forum.

Since you can create "linked" vBulletin forums, you can use this approach to create a forum which points at an LDM category and is also used to set the category's viewing permissions. This will work correctly, even though it may seem a strangely circular process.

Category and entry permissions can be reviewed and changed *en masse* using LDM->Administer->Categories. This provides an easy-to-read summary of which usergroups have access to what, and of any broken forum associations (e.g. when a forum has been used to establish access permissions,and then deleted).

When you change default_forumid, you can instruct LDM to reassociate any entries/categories that are currently associated with the existing default_forumid.

Requiring Users to Accept Standard Access Conditions

See LDM Permissions

Examples

1) Setting up the database so that only members of the "Registered Users" and "Administrators" groups can see and access its contents.

Using the LDM Permission System

• On the LDM->admin->permissions page, give only these usergroups can_view_category and can_access_link permission

Using Forum-Based Access Control

• On the LDM->admin->permissions page, give all usergroups can_view_category and can_access_link permission on the LDM->admin->permissions page
• On the LDM->admin->settings page, set default_forumid to a forum that is only visible to Registered Users and check the box instructing LDM to modify existing permissions.

2) Setting up the database so that everyone can access all categories and entries except the contents of the Private category

Using the LDM Permission System

• On the LDM->admin->permissions page, give all usergroups can_view_category and can_access_link permission
• Go to the Private category, select Edit Category, go to the Permissions tab and give only these usergroups can_view_category and can_access_link permission

Using Forum-Based Access Control

• On the LDM->admin->permissions page, give all usergroups can_view_category and can_access_link permission
• On the LDM->admin->settings page, leave default_forumid set to None.
• Go to the Private category, select Edit Category. Associate the Private category with a forum that is only visible to Registered Users.