Understand User Permissions in OpenCart

As an administrator of any system, you would always want a feature which allows you to delegate certain responsibilities to a group of trusted users. It also allows you to set up the workflows that help you maintain a site smoothly and keep unnecessary stress away.

Today, we’ll see what resources are available in OpenCart and how you could grant certain kinds of permissions on those resources to a group of users. We’ll go through the back-end to explore said features, and the user groups will be the topic of our discussion in the later part of this article.

I assume that you’re using the latest version of OpenCart. We’ll start with a basic introduction to resources and permissions.

Understand Resources and Permissions

In any Access Control List (ACL) system, there are two important entities—permissions and resources. The resources are exposed with certain permissions to the group of users, so that they can perform different actions on the resources. Of course, each system has its own way of organizing the resources and permissions.

In this section, we’ll examine that in the context of OpenCart.

Resources

You’ll be surprised to know that all controller files on the admin side are treated as resources. So, the resource “catalog/attribute” maps to the file located at admin/controller/catalog/attribute.php. Hence, whenever you assign that particular resource to a user group, its members will be able to execute all the actions defined in the corresponding controller file.

Head over to the back-end and navigate to System > Users > User Groups. Edit one of the user groups—let’s edit the Administrator group, for example.

Now, as you can see, all the resources are listed in the drop-down box. Of course, if you make a new controller file for your custom module, it’ll be picked up too.

So that’s a basic introduction to resources. In the next section, we’ll see how resources are associated with permissions.

Permissions

In OpenCart, permissions are divided into two major categories—access and modify. Users with access permission will only be able to view resources, while the modify permission allows users to add/edit resource information.

So this was a nutshell introduction to resources and permissions. In the upcoming sections, we’ll see how they should be used in combination with user groups.

Create a New User Group and Assign Permissions

Now that you’re familiar with permissions and resources, we’ll go ahead and create a new user group to demonstrate how it all works together. Head over to the back-end and navigate to System > Users > User Groups. It’ll list the default user groups available in OpenCart.

User Groups

Click on the + icon to add a new user group.

Add Custom User Group

Enter the name of the user group, select resources for each permission—access and modify—and you’re good to go. Save the group once you’re done! For demonstration purposes, I’ve selected only the catalog/category resource for my Custom Group.

Test Custom User Group

Now, let’s quickly create a new user from the back-end and assign our newly created user group to that user. Navigate to System > Users > Users and click on the + icon to create a new user.

Add New User

Fill in the required details—the important one to note here is the User Group, for which I’ve selected Custom Group. Save the user, log out and log in with this new user. Now, try to access any section which is not allowed for the Custom Group user group. You’ll get a permission denied error!

Permission Denied

How to Check if a User Is Allowed to Access/Modify Resources

In this section, we’ll see how you could check if a user is allowed to access or modify a certain resource. You’ll see the following snippet in most of the controller files in the back-end, since we need to verify that users are authorized before allowing them to perform any privileged actions.

Go ahead and open the upload/admin/controller/catalog/product.php file.

There are multiple places where you’ll find the above snippet. Basically, it checks whether the logged-in user has modify permission on the “catalog/product” resource.

Internally, it’ll look up the user group of the logged-in user, and then check whether that particular group has modify permission on the said resource.
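The lookup described above, as an added example: this is a stand-alone model, not OpenCart's own code and not the snippet from the original article. In OpenCart's admin controllers the call takes the form $this->user->hasPermission('modify', 'catalog/product'); the User class body, the group data and saveProduct() below are constructed for illustration.

```php
<?php
// Stand-alone model of the group-based check; constructed, not OpenCart's source.
final class User
{
    /** @var array<string, string[]> permission type => resource routes */
    private array $permission;

    public function __construct(array $groupPermission)
    {
        // Only the two permission types the article describes are recognised.
        $this->permission = [
            'access' => array_values($groupPermission['access'] ?? []),
            'modify' => array_values($groupPermission['modify'] ?? []),
        ];
    }

    // Deny by default: unknown permission types and unlisted routes both fail.
    public function hasPermission(string $key, string $route): bool
    {
        return isset($this->permission[$key])
            && in_array($route, $this->permission[$key], true);
    }
}

// Constructed sample data: the article's "Custom Group" holds catalog/category only.
$groups = [
    'Custom Group' => [
        'access' => ['catalog/category'],
        'modify' => ['catalog/category'],
    ],
    'Read Only' => [ // hypothetical group: may view products, not change them
        'access' => ['catalog/product'],
        'modify' => [],
    ],
];

// Guard in the style of an admin controller action: check before any write.
function saveProduct(User $user): string
{
    if (!$user->hasPermission('modify', 'catalog/product')) {
        return 'permission denied';
    }
    return 'product saved';
}

foreach ($groups as $name => $permission) {
    $user = new User($permission);
    $view = $user->hasPermission('access', 'catalog/product') ? 'yes' : 'no';
    printf("%-12s view product: %-3s save product: %s\n", $name, $view, saveProduct($user));
}
```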

In this way, you could check if the user is allowed to execute any specific actions on certain resources. The ideal scenario would be to set up different user groups and assign a different set of permissions to each group as per your requirements.

Conclusion

Today, we’ve discussed resources and permissions in OpenCart. We started with a basic introduction and later on we saw how you could benefit from user groups when used effectively in combination with resources and permissions.

We concluded the article with a code snippet demonstrating how to check if a user is allowed to access/modify a certain resource.

So that’s it for today, and don’t forget to share your reviews and queries using the comment feed below!