Granular access controls are one of the fundamental design principles in Elgg, and a feature that has been at the centre of the system throughout its development. The idea is simple: a user should have full control over who sees an item of data he or she creates.
Contents |
In order to achieve this, every entity, annotation and piece of metadata contains an access_id property, which in turn corresponds to one of the pre-defined access controls or an entry in the access_collections database table.
You may define additional access groups and assign them to an entity, annotation or metadata. A number of functions have been defined to assist you; see the access library reference for more information.
All data retrieval functions above the database layer - for example get_entities and its cousins - will only return items that the current user has access to see. It is not possible to retrieve items that the current user does not have access to. This makes it very hard to create a security hole for retrieval.
The following rules govern write access:
You can override this behaviour using a plugin hook called permissions_check, which passes the entity in question to any function that has announced it wants to be referenced. Returning true will allow write access; returning false will deny it. See the plugin hook reference for permissions_check for more details.