===================
Access Control List
===================

.. sidebar:: Access Control List

    .. image:: images/acl-finger-print.jpg

--------
Overview
--------

The current ACL system is targeted at delivering backwards compatibility
for legacy code and being able to extend this a little to add new
features without having to reimplement the whole system.

In the legacy system the access control is using the following steps to
determine if a page can be accessed by a user:

#. The user, stored in the config.xml file at system/user (one item per
   user)
#. One or more groups for that user, stored in system/group which
   contains priv sections.
#. A php file binding the priv section content to a page mask (including
   wildcards)

Our temporary solution is to keep the user and the group in place and replace the
php file with a simple config in the model which uses the same mask construction
there was in the old codebase. To bind priv to pages, edit models/OPNsense/Core/ACL\_Legacy\_Page\_Map.txt

--------------
Usage from php
--------------

Using the system from php is rather simple:

.. code-block:: php

    $acl = new OPNsense\Core\ACL();
    if ( $acl->isPageAccessible("user", "/firewall_rules.php") ) {
      print ( "/firewall_rules.php is accessible" ) ;
    }

-----------------------
Usage in Volt templates
-----------------------

The acl scheme is bound to the default UI controller, and can be used by
using the acl keyword:

.. code-block:: jinja

    {% if acl.isPageAccessible(session.get('Username'),subMenuItem.Url)  %}
      this page is accessible
    {% endif %}