Access rights


Access rights can be set up both for individual users and for whole user groups. Each user's currently effective access rights result from a combination of his/her individual rights and the access settings of all groups of which that user is a member.

Basic access rights

By default the following access rights setup options are available for each application:

  • full access granted
  • access denied

Basic access rights are controlled at the system level, so implementing them in an application requires no extra effort from the developer.

Detailed access rights

For most business-oriented applications, the basic access rights setup options are not sufficient. For example, you may need to allow only moderators to delete blog messages, or to allow only the employees of a certain department in a company to edit product descriptions in a specific catalog category.

To add support for detailed access rights setup to an application, you need to declare access rights objects for it: the list of interface sections or application functions to which access can be granted or denied for selected users or user groups. Follow the instructions below to achieve that:

  1. Add the following line to the application configuration file wa-apps/{APP_ID}/lib/config/app.php:

    'rights' => 1

    This record means that the detailed access rights setup option (described in a separate configuration file) is available for the application.

  2. Create the detailed access rights configuration file wa-apps/{APP_ID}/lib/config/{APP_ID}RightsConfig.class.php and specify in it the desired access rights objects and the access rights options for each object.

An application access rights configuration file contains a PHP class that extends the abstract system class waRightConfig. The extending class must override the init method. In this method, each access rights object is added to the common access rights verification system. The calling signature of the main method for adding an access rights object is shown below:

addItem($key, $title, $type, $params = [])
  • $key is the string-type key of an access rights object
  • $title is the object name
  • $type contains the type of the access rights control element (e.g., checkbox, list, etc.)
  • $params contains various auxiliary parameters (they are individual for each $type value)

An example of an application access rights configuration file:


<?php

class testRightConfig extends waRightConfig
{
    public function init()
    {
        // Two simple access rights options
        $this->addItem('add', 'Can add', 'checkbox');
        $this->addItem('edit', 'Can edit', 'checkbox');

        // Suppose we have a list of categories
        // to which access rights should be set up:
        $categories = [
            1 => 'Category 1',
            2 => 'Category 2',
            // ...
        ];

        $this->addItem('category', 'Categories', 'list', ['items' => $categories]);
        // The key in this case is "category.$category_id"
    }
}

As a test, try to set up access rights to your application for any Webasyst user.

Using access rights in your application

Detailed access rights described in configuration files allow an application to store or modify information about the permissions of each user or user group. However, the actual implementation of access restrictions is part of the application business logic and must be explicitly programmed by the application developer.
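One way to structure such a check for the 'add', 'edit' and "category.$category_id" keys declared in the configuration example, denying access unless every required key is granted. This is an added example, not Webasyst code: the function names requiredRightKeys and isAllowed, the rule that editing inside a category needs both the action right and the category right, and the sample rights map are assumptions made for illustration.

```php
<?php
// Added example; function names and the sample rights map are hypothetical.

/**
 * Rights keys an action needs, using the keys declared in testRightConfig:
 * 'add', 'edit' and "category.$category_id". Assumption: acting inside a
 * category requires both the action right and the category right.
 */
function requiredRightKeys(string $action, int $categoryId): array
{
    if (!in_array($action, ['add', 'edit'], true)) {
        throw new InvalidArgumentException("Unknown action: $action");
    }
    if ($categoryId <= 0) {
        // A missing or malformed id must never fall through to "allowed".
        throw new InvalidArgumentException('Category id is required');
    }
    return [$action, "category.$categoryId"];
}

/**
 * Deny by default: every required key must be granted.
 * Inside a controller, pass a closure that wraps the rights lookup:
 *   function ($key) { return $this->getRights($key); }
 */
function isAllowed(callable $hasRight, string $action, int $categoryId): bool
{
    try {
        $keys = requiredRightKeys($action, $categoryId);
    } catch (InvalidArgumentException $e) {
        return false; // unknown action or bad id: refuse
    }
    foreach ($keys as $key) {
        if (!$hasRight($key)) {
            return false;
        }
    }
    return true;
}

// Constructed sample: a user who may edit, but only in category 1.
$granted = ['edit' => true, 'category.1' => true];
$hasRight = function (string $key) use ($granted): bool {
    return !empty($granted[$key]);
};

var_dump(isAllowed($hasRight, 'edit', 1)); // edit in the granted category
var_dump(isAllowed($hasRight, 'edit', 2)); // category right not granted
var_dump(isAllowed($hasRight, 'add', 1));  // action right not granted
var_dump(isAllowed($hasRight, 'edit', 0)); // missing category id
```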

The following structure in the PHP code of a controller returns true if the current user has the requested access right, and false otherwise:


An example of checking the access right to a delete function (e.g., for blog messages/comments) within an application's business logic:

  if ($this->getRights('delete')) {
      // retrieve the id of the message to be deleted
      $id = waRequest::get('id', 0, waRequest::TYPE_INT);

      if ($id) {
          // delete a record from the table
          $model = new guestbookModel();