
Access Control Installation Guide

Last Modified: 10 Jun 2019
User Level: Administrator +

This step-by-step guide will help you get up and running with the Access Control Module.

You can install the Access Control Module from here (authentication required).

Server Requirements

Access Control requires PHP 5.6+ to be installed on the web server that will host the site, and on the staging server (if this is a separate server). In addition, the following extensions should be enabled:

The Tomcat user should be able to generate .htaccess files in the publish directory in order to ensure that media access control works correctly.

Users should not be able to view or download the PHAR file via the browser. To prevent this, add the following lines to the httpd.conf file or wherever your server configuration is handled. 

<Files ~ "\.phar$">
Order allow,deny
Deny from all
</Files>

Files required for installation

The following source files are required to install PHP Access Control on a TERMINALFOUR instance correctly. They can be found in the latest php-access-control.zip file.

  • php-access-control.phar - the Access Control module
  • media-restriction.php - the code to check Media Category / Section restrictions
  • config.json - the configuration file for the PHP Access Control
  • access-control-content-types.xlsx - the Content Type creator spreadsheet used to build the required Content Types
  • various Content Layout descriptions - for the creation of Content Layouts
  • code.php - the code for the before and after fields of the TERMINALFOUR Access Control (at {context-url}/SiteManger?ctfn=access-control)

Required Assets

You must enable the following in your installation. Further details on each asset are provided if required.

File Extensions

This file extension must be allowed on the Channel you’re using Access Control with.

Extension | Description | Required for
PHP | Required to include the Access Control scripts. | Access Control, Media Restriction, File Element Restriction

Media Types

PHP and PHAR Media Types must be created if they do not already exist and must be set to always publish on the Channel you’re using Access Control with.

Type | Description | Required for
PHP | Required for PHP file | Access Control, Media Restriction, File Element Restriction
PHAR File | Required for Access Control Module PHAR file | Access Control, Media Restriction, File Element Restriction
JavaScript | Required for Access Control Config | Access Control, Media Restriction, File Element Restriction

Media Files

The required files can be downloaded from the TERMINALFOUR Community Site which requires authentication through the product.

Type | Description | Required for
PHP Access Control PHAR | PHP Access Control Library | Access Control, Media Restriction, File Element Restriction
PHP Access Control Configuration | PHP Access Control Configuration File | Access Controls, Media Restriction, File Element Restriction

Navigation Objects 

Name | Description | Required for
Generate .htaccess for File Section | A Generate File Navigation Object used to generate the .htaccess file used to protect media brought in by File Elements within a section | File Element Restriction
Generate Media Library Access Control .htaccess | A Generate File Navigation Object used to generate a .htaccess file for Media Library Access Control | Media Restriction
Get All Media Restriction rules | A Publish to One File Navigation Object used to get Media Restriction rules for media Access Control | Media Restriction, File Element Restriction
Get code for media access restriction | A Related Content Navigation Object used to get the code that checks access for Media Categories | Media Restriction, File Element Restriction
Get path to Media Restriction | A Section Details Navigation Object used to get the path to the media restriction Section | Media Restriction, File Element Restriction
Get path to Logout Section | A Section Details Navigation Object used to get the path to the media restriction Section | Access Controls (optional), Media Restriction (optional), File Element Restriction (optional)
Get path to Login Section | A Section Details Navigation Object used to get the path to the login Section for logging into Access Control | Access Controls (for TERMINALFOUR type), Media Restriction (for TERMINALFOUR type), File Element Restriction (for TERMINALFOUR type)
Get path to Current Section | A Section Details Navigation Object used to get the path to the current Section | Media Restriction, File Element Restriction
Get Path to Access Denied Section | A Section Details Navigation Object used to get the path to the access denied Section | Access Controls, Media Restriction, File Element Restriction

Content Types

Name | Description | Required for
Access Control | Allows the use of restricted Sections in your Site Structure | Access Controls, Media Restriction, File Element Restriction
Media Restriction | Allow Restriction of Media Categories, generate media restriction code | Media Restriction, File Element Restriction
Restrict Media Item | Add a new Media Category restriction rule for files in a section | Media Restriction
Restrict File Section | Add a new Media Category restriction rule | File Element Restriction

Sections and Media Categories

Name | Description | Required for
Media Restriction | The Section to hold Media Restriction Content and Restrict Media Content | Media Restriction, File Element Restriction
Access Denied Section | The Section that users are redirected to if their Group is denied access | Access Controls, Media Restriction, File Element Restriction
Protected Media Category | The Category to hold Media Items under media protection | Media Restriction, File Element Restriction
PHP Access Control Config Category | The Category to hold PHP Access Control config files | Access Controls, Media Restriction, File Element Restriction

Page Layout

Type | Description | Required for
Blank Layout | Blank page layout used for media access control code | Media Restriction, File Element Restriction

Create Required Assets

File Extensions: PHP

If you haven't already, set up PHP as a file extension and enable the extension on your Channel.

Name PHP
Description This is a PHP file extension
Extension php

 

Remember to enable the Channel to Publish this file extension and rebuild the cache.

Configure the Media Publish on the Channel

Ensure that Media Type extensions will publish in the Channel: go to System administration > Setup sites & channels > Channels, edit the Channel settings and go to Publish Options:

Screenshot of Enable Publish Outputs in Channels settings

Media Layouts

Path Content Layout

Go to Assets > Content Types and search for the Media System Content Type. If it does not already exist, add a Content Layout named "path/*". In the Content Layout code input field add the following:

<t4 type="content" name="Media" output="file" />

Screenshot of the Content Layout Code for Media System Content Type

JavaScript Content Layout

If it does not already exist, add another Content Layout to the Media System Content Type named "javascript/*". In the Content Layout code input field add the following:

<script type="text/javascript" src="<t4 type="content" name="Media" output="file" />"></script>

Media Types

When the Content Layout has been created, go to System Administration > System Settings > Media Library and, in the Media Types tab, add the following Media Types:

PHP File

Create a PHP Media Type and associate the "path/*" Content Layout with it:

Screenshot of the PHP Media File with associated Content Layout

Name PHP File
Permitted file extensions php
Maximum file size 0
Media type options Parse for T4 tags
Media Content Layout path/* (default)

PHAR File

Create a PHAR Media Type and associate the "path/*" Content Layout with it:

Screenshot of a PHAR Media File with an associated Content Layout

Name PHAR File
Permitted file extensions phar
Maximum file size 0
Media type options Binary file
Media Content Layout path/* (default)

JavaScript

If it does not already exist, create a JavaScript Media Type and associate the "javascript/*" Content Layout with it: 

Navigation Objects

Generate htaccess for File Section

This is a Generate File Navigation Object.
Set it up using the options in the table below. Unlisted options should be left at their default values. (Quotation marks denote literal text values and should be omitted.)

Name Generate htaccess for File Section
Description Generate the htaccess file used to protect media brought in by File Elements within a Section
File name Leave blank
File extension htaccess
Output Directory Use the current directory
Content Layout text/htaccess


Generate Media Library Access Control htaccess

This is a Generate File Navigation Object.
Set it up using the options in the table below. Unlisted options should be left at their default values. (Quotation marks denote literal text values and should be omitted.)

Name Generate htaccess for File Section
Description Generate an htaccess file for Media Library Access Control
File name Leave blank
File extension htaccess
Output Directory Use alternate directory
Base directory

Use the full absolute server path to the media directory to protect - the "protected" Section mentioned above.

e.g. "/web/staging/htdocs/media/protected/"

Content Layout text/htaccess

Get All Media Restriction rules

This is a Publish to One File Navigation Object.
Set it up using the options in the table below. Unlisted options should be left at their default values. (Quotation marks denote literal text values and should be omitted.)

Name Get All Media Restriction rules
Description Get Media Restriction rules for media access control
Start Section Use a specific Section -> Choose the Channel Root or a Section that has all access controlled sections within its set of descendants
Show Hidden Sections? Yes
Use Alternate Content Layout? Yes
Alternate Content Layout text/restrictMedia

Get code for media access restriction

This is a Related Content Navigation Object.
Set it up using the options in the table below. Unlisted options should be left at their default values. (Quotation marks denote literal text values and should be omitted.)

Name Get code for media access restriction
Description Get the code used to check access for media categories
Fetch method Use current
Content layouts Use alternate content layout
Alternate Content Layout text/mediaRestriction

Get path to Media Restriction

This is a Section Details Navigation Object.
Set it up using the options in the table below. Unlisted options should be left at their default values. (Quotation marks denote literal text values and should be omitted.)

Name Get Path to media restriction
Description Get the path to the media restriction section
Detail method Choose "Use section" -> select the media restriction Section
Output detail Section path

Get path to Logout Section

This is a Section Details Navigation Object.
Set it up using the options in the table below. Unlisted options should be left at their default values. (Quotation marks denote literal text values and should be omitted.)

Name Get path to logout section
Description Gets the path to the logout section for logging out of access control
Detail method Choose "Use section" -> select the logout Section
Output detail Section path

Get path to Login Section

This is a Section Details Navigation Object.
Set it up using the options in the table below. Unlisted options should be left at their default values. (Quotation marks denote literal text values and should be omitted.)

Name Get path to logout section
Description Gets the path to the logout section for logging out of access control
Detail method Choose "Use section" -> select the logout section
Output detail Section path

Get path to Current Section

This is a Section Details Navigation Object. 
Set it up using the options in the table below. Unlisted options should be left at their default values. (Quotation marks denote literal text values and should be omitted.)

Name Get path to Current Section
Description Gets the path to the current Section
Detail method Current section
Output detail Section path

Get path to Access Denied Section

This is a Section Details Navigation Object. 
Set it up using the options in the table below. Unlisted options should be left at their default values. (Quotation marks denote literal text values and should be omitted.)

Name Get path to Access Denied Section
Description Gets the path to the Access Denied section
Detail method Choose "Use section" -> select No Access Section
Output detail Section path 


Content Types

The following Content Types should be created. Associated Content Layouts are also listed.

Access Control

Create an "Access Control" Content Type using the following General options (anything not mentioned may be left at default):

Name: Access Control

Description: Allows the use of Restricted Sections in your Site Structure

Name | Description | Type | Max Size | Required
Name | The Name element | Plain Text | 80 | Yes
Groups | Select a Group or Groups | Group Select | N/A | No

Media Restriction

Create a "Media Description" Content Type using the following General options (anything not mentioned may be left at default):

Name: Media Restriction

Description: Allows the use of Restricted Media Categories / Sections

Name | Description | Type | Max Size | Required
Name | The Name Element | Plain Text | 80 | Yes

Content Layouts

Navigation tags

The following Navigation tags are used in the Content Layouts below. You should replace them with the correct tags from TERMINALFOUR:

text/htaccess
# Turn on the rewriting engine
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !\.(html|php)$
RewriteRule ^(.*)$ <t4 type="navigation" name="Get Path to media restriction" id="xxx" /> [NC,L]
text/html
<t4 type="navigation" name="Get code for media access restriction" id="xxx" />
<t4 type="navigation" name="Generate Media Library Access Control htaccess" id="xxx" />
text/mediaRestriction
<?php
if (!isset($accessControl) || !$accessControl instanceof AccessControl\Types\Absracts\Type) {
throw new \Exception("Error when processing media", 500);
}
AccessControl\Core\Config::set("mediaList", "<t4 type="navigation" name="Get All Media Access Rules" id="xxx" />");
$accessControl->isRestrictedMedia($t4_config['restrict']);
?>

Restrict Media Category

Create a "Restrict Media Category" Content Type using the following General options (anything not mentioned may be left at default):

Name: Restrict Media Category

Description: Add a new media category restriction rule

Name | Description | Type | Max Size | Required
Name | The Name Element | Plain Text | 80 | Yes
Media Category | Media Item from category to restrict | Media | N/A | Yes
Groups | Select a Group or Groups | Group Select | N/A | Yes

Content Layout

text/restrictMedia
try {
importClass(com.terminalfour.publish.utils.BrokerUtils);

function processTags(tag) {
return String(BrokerUtils.processT4Tags(dbStatement, publishCache, section, content, language, isPreview, tag,''));
}

var mediaPath = processTags('<t4 type="content" name="Media Category" output="normal" formatter="path/*" />');
var groups = processTags('<t4 type="content" name="Groups" output="normal" />');

document.write(mediaPath);
document.write("=");
document.write(groups);
document.write("|");

} catch (err) {
document.write(err);
}

Restrict File Section

Create a "Restrict Media Category" Content Type using the following General options (anything not mentioned may be left at default):

Name: Restrict File Section

Description: Add a new media Section restriction rule for files

Name | Description | Type | Max Size | Required
Name | The Name Element | Plain Text | 80 | Yes
Groups | Select a Group or Groups | Group Select | N/A | Yes

Content Layout

Navigation tags

Navigation tags should be replaced with correct tags from TERMINALFOUR

text/htaccess
# Turn on the rewriting engine
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !\.(html|php)$
RewriteRule ^(.*)$ <t4 type="navigation" name="Get Path to media restriction" id="xxx" /> [NC,L]
text/html
<t4 type="navigation" name="Generate File Section Access Control htaccess" id="xxx" />
text/restrictMedia
try {
importClass(com.terminalfour.publish.utils.BrokerUtils);

function processTags(tag) {
return String(BrokerUtils.processT4Tags(dbStatement, publishCache, section, content, language, isPreview, tag,''));
}

var sectionPath = processTags('<t4 type="navigation" name="Path to current section" id="xxx" />');
var groups = processTags('<t4 type="content" name="Groups" output="normal" />');

document.write(sectionPath);
document.write("=");
document.write(groups);
document.write("|");

} catch (err) {
document.write(err);
}
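
Both text/restrictMedia layouts above publish each rule as a path=groups| pair and write any caught error into the same output, so a failed publish can leave malformed entries in the rule list. The following is an added example, not TERMINALFOUR code, that audits a published rule string; the function name, the sample paths and group names, and the assumption that published paths start with "/" are illustrative.

```javascript
// Added example, not TERMINALFOUR code. Audits the string that the
// text/restrictMedia layouts publish: "<path>=<groups>|" repeated.
// Assumptions: published paths start with "/"; the groups value is treated as
// an opaque string because its separator is not shown on the page.
function auditRestrictionRules(published) {
  const rules = [];
  const problems = [];
  const segments = published.split("|");

  // Every rule is written with a closing "|", so the last piece must be empty.
  const tail = segments.pop().trim();
  if (tail !== "") {
    problems.push({ segment: tail, reason: "text after the last '|'" });
  }

  for (const raw of segments) {
    const segment = raw.trim();
    const eq = segment.indexOf("=");
    const path = eq === -1 ? "" : segment.slice(0, eq).trim();
    const groups = eq === -1 ? "" : segment.slice(eq + 1).trim();

    if (eq === -1) {
      problems.push({ segment, reason: "no '=' separator" });
    } else if (!path.startsWith("/")) {
      // One cause: the layout's catch block wrote err in front of a rule.
      problems.push({ segment, reason: "path does not start with '/'" });
    } else if (groups === "") {
      problems.push({ segment, reason: "no groups listed for path" });
    } else {
      rules.push({ path, groups });
    }
  }

  // The same path published twice with different groups is ambiguous.
  const firstSeen = new Map();
  for (const { path, groups } of rules) {
    if (firstSeen.has(path) && firstSeen.get(path) !== groups) {
      problems.push({ segment: path, reason: "conflicting rules for one path" });
    }
    if (!firstSeen.has(path)) firstSeen.set(path, groups);
  }
  return { rules, problems };
}

// Constructed sample: one valid rule, one rule with no groups, error text
// fused onto the next rule, and a second rule for an already listed path.
const SAMPLE_RULES =
  "/media/protected/report.pdf=Staff|" +
  "/media/protected/budget.xlsx=|" +
  "TypeError: content is null/media/protected/plan.pdf=Finance|" +
  "/media/protected/report.pdf=Students|";

const audit = auditRestrictionRules(SAMPLE_RULES);
console.log(audit.problems.map((p) => `${p.reason}: ${p.segment}`).join("\n"));
```

Run it against the file published by the "Get All Media Restriction rules" Navigation Object after each publish; any reported problem means a rule may not be applied as intended.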

Sections and Media Categories

The following Sections / Categories need to be created in TERMINALFOUR.

Media Restriction Section

Name Media Restriction
Type Section
Display
Hide from Navigation

Content Types

No Access Section

Name Access Denied
Type Section
Display
Hide from Navigation

Content Types

Any

Protected Media Category

Name Protected
Type Media Category

PHP Access Control Config Category

Name PHP Access Control
Type Media Category

Page Layout

The following page layout needs to be created in TERMINALFOUR:

Blank Layout

Name Blank Layout
Header Code Leave blank
Footer Code Leave blank 


 
