Last Modified 2016-12-27 by Guest

Horde 3 Permissions Framework

This is strictly for Horde 3. For Horde 4 and 5, go to Doc/Dev/PermsPackage

There are three aspects to the permissions framework. The first is to tell Horde what permissions your application has. Horde uses a unified tree structure to track all permissions, with each application having a branch off the root. In your application, you must create a list of permissions that Horde will then merge with other applications.

Next, an administrator needs to be able to assign or revoke privileges. This part is completely abstracted and there isn't much to say for developers. Horde itself has a UI for administering permissions, but it's just a front-end to the permissions API. Therefore, your application can choose to manage permissions in its own UI or business logic, but it doesn't strictly need to (and probably shouldn't).

The most important part is to enforce them. As a developer, you need to add code into your business logic to check permissions before doing something protected. None of the framework is useful without this step.

Defining Available Permissions

To allow Horde to manage your permissions, it needs to know what they are. This is where the design stage comes in. Internally, Horde identifies permissions via a tree.

Each application defines its portion of the tree. Whenever the Horde API is invoked, it needs to resolve a permission name, so it calls a function called _app_perms() within each application (if it exists) and merges its results.
In this example we'll add the permission "arbitrary_permission" to application foo.

In foo/lib/api.php:

$_services['perms'] = array(
    'args' => array(),
    'type' => '{urn:horde}stringArray'

function _foo_perms()
    static $perms = array();
    if (!empty($perms)) {
        return $perms;

   $perms['tree']['foo']['arbitrary_permission'] = false;
   $perms['title']['foo:arbitrary_permission'] = _("Textual description");
   $perms['type']['foo:arbitrary_permission'] = 'boolean';
   /* example of a sub permission of arbitrary_permission, this time a number value */
   $perms['tree']['foo']['arbitrary_permission']['some_count_permission'] = false;
   $perms['title']['foo:arbitrary_permission:some_count_permission'] = _("Textual description");
   $perms['type']['foo:arbitrary_permission:some_count_permission'] = 'int';

   return $perms;

Now you can go to the Horde administration workflow and click on 'Permissions'. On this page, you will be able to see the permissions tree. Add a child node for your 'foo' application. Then when you add a child to the 'foo' application, you will see your new permission in the list of permissions (the only item in this list in this example).

This example is obviously very simplistic. The flexibility comes in when populating the above list dynamically from persistent storage. For example, if your application manages widgets, you can make a database call in _foo_perms() and loop over your result set.

while(($row = ($resultSet->next()) !== null) {
    $widgetId = $row['widgetId'];
    $widgetName = $row['widgetName'];

    $perms['tree']['foo'][$widgetId] = false;
    $perms['title']["foo:$widgetId"] = $widgetName 

Using this strategy, one can create ACL's that apply to a specific object, rather than static permissions, like "create widgets". Permissions can even be nested. One can create a static permission called "widgets" whose permission mappings represent what a given user can do to ALL widgets, then dynamically add children permissions for specific widgets.

Notice the use of $perms['type']. There are two types of permissions, which determine the levels of that permission a user may have. In the first example, type Boolean, the user either has the permission, or they don't. The second type (default if not specified) is 'matrix', which allows for various levels, specifically, SHOW, READ, EDIT, and DELETE. A user may have any of these levels assigned, or none.

Applying Permissions / Persistent Storage

This part of the process is completely abstracted and your application shouldn't deal with it. However, it is obviously important to understand. Horde exposes its API via two classes: Perms and Horde_Permission.
Perms contains the actions one performs, such as adding or removing permissions. Horde_Permission is an entity class that represents a permission. The PhpDocumentor documentation at http://dev.horde.org/api/framework/ (choose the Horde_Perms package) covers these classes fairly well.
Note that the Permissions class is a singleton. The instance is usually already defined in a global variable $GLOBALS['perms']. It's also possible to access the static singleton method like so:

$perms = &Perms::singleton();

To add a new permission (assuming it's already defined) into persistent storage, use Perms::newPermission(), which gives you back a Horde_Permission object that you can then populate with users and permission assignments. Calling Perms::addPermission() with that same object will push it into persistent storage so that the specified users will have the permission.

global $perms;
$p = $perms->newPermission('foo:arbitrary_permission');
$p->addUserPermission('someUser', PERMS_SHOW | PERMS_READ | PERMS_EDIT | PERMS_DELETE);

Using / Enforcing Permissions

None of this code matters if your application doesn't actually check these permissions. This is best done in your business logic and NOT at the user interface level. To check if a user has a given permission, simply call Perms::hasPermission() through the singleton object. For example:

public function myBusinessMethod($widgetId)
    if(!$GLOBALS['perms']->hasPermission("foo:$widgetId", Auth::getAuth(), PERMS_EDIT))
            throw new Exception(_("Access denied."));

    // your business codeĀ…