HooBlong Manual

Available Versions

  • Stable Release is V1.1.6
  • Customer Beta is V2.0

Both versions are downloadable by HooBlong customers.

Benefits

Version 2 is a major upgrade that instroduces the following new, powerrful features:

  • Multiple membership permissions and access control now function within the EE Control Panel, as well as the front end as before
  • Comments are now under multiple group access control via a new tag-pair and a complementary set of variables
  • Channel access control has been upgraded to provide much more flexibility, by the introduction of the “access” parameter, and the concept of “Viewable Channels”. Viewable Channels are a combination of assigned and accessible channels intersected with channel parameter(s) if any. The “access” parameter can have three values, or it can be omitted:

Viewable channels are determined as follows:

  • If no access_parameter OR access_parameter == “both”

    • viewable channels = unique combination of channel parameter(s) if any, assigned channels if any and channels with access levels >= user’s computed access level if any
    • If the access parameter is omitted, the effect is the same as if the parameter had been set to “both” - this maintains backward compatibility with earlier versions
  • If access_parameter == “assigned”

    • viewable channels = logical intersection of channel parameter(s) if any with assigned channels if any
  • If access_parameter == ‘access_level’

    • viewable channels = logical intersection of channel parameter(s) if any with channels with access levels >= user’s computed access level if any
  • If there are no channel parameters, HooBlong defaults to presenting a combination of accessible channels and channels with access levels >= the user’s computed access level, which follows EE native convention (if no channel parameters, all channels are presented) overlaid with HooBlong access controls

The following benefits are provided, all of which dramatically expand native EE access control capabilities:

  • The ability to assign multiple group memberships to individual users

  • HooBlong combines the settings and permissions of multiple groups in a logical way

    • If any constituent group grants a privilege, then the multiple group member has that privilege
    • If no constituent group grants a privilege, then the multiple group member does not have that privilege
    • If assigned to a single group, only that group’s privileges apply (duh)
  • As a result, privileges can be added incrementally by adding group memberships

  • HooBlong enables access control on a need-to-know basis, depending upon group memberships and based on pre-defined site, group and channel access levels

  • Unique to HooBlong, is the ability to control access by category, for single as well as multiple membership

  • Multi-membership access logic also controls access to individual templates, including embedded templates

  • The ability to control access to comments based upon multiple memberships (new with Version 2)

  • Perform Create, Update and Delete functions from the front end, depending on CP access and suitable permissions as determined by HooBlong’s Access Logic, using the channle form to make publish or edit entries


Installation Quick Start

  • Download and unzip the hooblong.zip file
  • Place the hooblong directory in your /system/third_party/ directory
  • Place the themes directory in your /themes/third_party directory
  • Log on to the EE control panel, select the Add-Ons menu and install the Hooblong module

Getting Started - Setting Up Multiple Member Group Management

HooBlong Display

Multiple Member Group Assigments Display

Once installed, HooBlong permits one-click addition/removal of available Member Group memberships, resulting in a combination of the access privileges, according to a scheme (Access-Logic) for combining privileges.

NOTE: HooBlong does not provide a direct facility for creating, editing and deleting member groups - this may only be done in the EE control panel. Access to any member groups’s control panel is available from the HooBlong CP via table heading tooltip links.

Multiple member group control panels can be accessed simultaneously by using HooBlong’s companion module, HooKan.

The Permanent Groups

The Superadmin, Banned, Pending and Guest groups are excluded from multiple group memberships, so do not appear in the HooBlong CP.

Superadmins and Multiple Group Membership

Multiple group membership for superadmins is tautological - superadmins are already all-powerful. There is therefore no reason for giving them multiple group memberships.

We are thankful for this, because the influence of superadmins is widely dispersed throughout the EE code body.

Detailed Multiple Membership CP Display

User Display

A Typical Multiple Membership Privileges Display

A separate CP display permits viewing of individual users’ multiple group memberships, and the resulting permissions per HooBlong’s Access-Logic. The above graphic shows this with the Channel Access/Permissions expanded. All memberships and access permissions for an individual user are available via the accordions.

The display is accessed via left hand column tooltip links in the HooBlong Member Group Management display.

This display is read-only.


HooBlong Usage

Becoming Acquainted - The Simplest Example

You have a single news channel, but you want different individual users to view content based on the following rules:

  • Subscribers to see paid content as well as free content
  • The public to see free content only

To set this up

  • Create one new member group - Subscriber. Leave the Guest group for public access
  • Go to the HooBlong Settings, and create one new Access Level Definition, Subscriber with access level 1
  • Leave the Channel Settings (on the same page) at the default level
  • Go to the Member Group settings and set Subscriber Group to Subscriber (duh) - the result should be 1
  • Go to the admin for the news channel and create/edit the channel field group, there add a custom field type “Hooblong” - name it what you will.
  • In your template, use the {exp:hooblong:entries} tag pair instead of {exp:channel:entries}, and set the channel parameter. Also set the entry_access_level parameter to “entry_access_level”. All regular EE parameters and variables still apply.

Becoming Acquainted - Template Access Control

You have a single news channel, exactly as for the above example

To set this up

  • Create one new member group - Subscriber. Leave the Guest group for public access. Assign members accordingly.
  • Leave all HooBlong settings at their default values
  • Leave the Channel Settings (on the same page) at the default level
  • Go to the EE Design settings for your news template-group and template(s)
  • Create a template named “public” for public access
  • Create a template named “subscriber”
  • In your channel create custom fields for guests and subscribers
  • In the guest template, include ONLY the guest field
  • In the subscriber template, include both
  • Unset the access radio button for the Guest group in the “subscriber” template
  • Ensure that the radio buttons for Guest and Subscriber groups are both set in the public template
  • Ensure that both templates have a valid 404 or other template to which to redirect if access is denied
  • Preferably ensure that you assign a valid redirect template for invalid URLs in your template global settings page
  • In the HooBlong CP, give all subscribers membership of both the subscriber and the guest groups
  • Ensure that guest members are assigned to only the guest group.
  • In your template, you may use the usual {exp:channel:entries} tags - no need to use the {exp:hooblong:entries} tags in this example.

Creating Content

  • Create content as usual, placing free content in the guest field and subscriber content in the subscriber field

Viewing Content

  • When logged in as Subscriber, you should see both fields’ content
  • When logged in as Guest, you should see only free content

For more examples, visit https://www.debeer.com/index.php/blogs

Detailed Multi Membership Access Control (MMAC)

HooBlong ACCESS-LOGIC

HooBlong implements a very simple ACCESS-LOGIC when a user is given membership in more than one group.

  • IF ANY CONSTITUENT GROUP GRANTS A PRIVILEGE, THEN THE MULTIPLE GROUP MEMBER HAS THAT PRIVILEGE
  • IF NO CONSTITUENT GROUP GRANTS A PRIVILEGE, THEN THE MULTIPLE GROUP MEMBER DOES NOT HAVE THAT PRIVILEGE
  • If assigned to a single group, that group’s privileges apply (duh)
  • These factors come into play only in the front end, and then only when using the HooBlong tags (below)
  • Since HooBlong is all about providing content access security, it makes use of the main channel parameters that can influence access, specifically site, channel and status and template (native EE settings) as well as category, which is unique to HooBlong. Optionally, individual entries can also be filtered - see details below

First, Hooblong Determines if the Requested Page (Template) Is Accessible

If according to the ACCESS-LOGIC, the page is accessible, HooBlong moves on to the next check. If not, access is denied and the “bounce” page (template) is presented.

Then HooBlong Checks for the HooBlong Entries Tags {exp:hooblong:entries}

If present, the next check is done, otherwise control is returned to EE.

Now HooBlong Looks at The Channel Parameters

The minimal conditions for access to channel content are ALL of the following:

  • The current site must be accessible
  • At least one accessible channel
  • At least one accessible status (assuming at least one entry has that status)
  • At least one accessible category (this kind of category control is unique to HooBlong)

Invoking The Rules

HooBlong’s access logic applies fully to the EE CP and to to the CP login. In the front end, it is only applied to member/entry combinations when the HooBlongs’ {exp:hooblong:entries} tag pair is used.

The next section gives detailed explanations of HooBlong’s access control features. Unfortunately, it is inevitably verbose. An access control flow chart may be easier on the brain - available in PDF format at https://debeer.com under the documents menu.


Need-to-Know Access Control (NTK)

There are two parts to NTK

Channel Assignment NTK

Members have access to channel content if they are assigned to a channel as determined by MMAC.

Example of Channel Assignment NTK

Channel Assignment Group Memberships Access Status
Group 1 Group 2 Group 3
Channel A Yes No No Yes
Channel B No No No No
Channel C No No Yes Yes

Access Level NTK

The idea is to apply numeric access levels to content which can be compared to member group access levels. Access is granted if member’s computed access level is greater or equal to the content access level. Content access levels can be set at the individual entry level or at the channel level.

NTK Relies on Unique HooBlong Settings

  • Access level definition settings are separate for each site.

  • Definitions are completely flexible at the discretion of the site designer.

  • On installation, default settings are created with access level zero for all available:

    • Sites
    • Channels
    • Member Groups
  • After installation, access level settings can be edited in the CP

NTK Modes - Main Modes

There are 2 main modes in which HooBlong’s NTK can be employed

  1. At the channel level by matching the user’s computed access level to each channel’s access level.
  2. At the individual entry level, by making use of the HooBlong fieldtype for setting an entry’s access level. In this mode, a channel will separate content by matching the entry access level to the logged-in user’s computed access level. To use this mode, you have to make use of the entry_access_levels parameter, which must be set to “yes”. This mode is only applied after all other modes have been resolved. Since HooBlong V 0.9.5, access levels can be negative as well as positive numbers.

Both of the two main modes require that the {exp:hooblong:entries}... tag pair be substituted for the {exp:channel:entries}... tag pair.

NTK Modes - Sub-Modes

There are 6 NTK sub-modes, all of which apply at the channel level depending on whether the tag has:

  1. At least one channel parameter - Access depends on MMAC with possible override by NTK

  2. No channel parameter - Access depends on whether

    • There are assigned channels, then access is as per MMAC
    • There are no assigned channels, then access is denied
  3. At least one status parameter - Status is only considered after channel access is resolved. If channel access is permitted, then the MMAC status applies and final access works according to EE status rules.

  4. No status parameter - access depends on whether

    • There are assigned statuses, then access is per MMAC. Status assignment is determined as determined by the “Restrict status to members of specific groups” settings in the EE CP
    • There are no assigned statuses, then access is denied
  5. At least one category parameter - Category is only considered after channel access is resolved. If channel access is permitted, then the MMAC categories apply and final access works according to EE category rules for those categories.

  6. No category parameter - access depends on whether

    • There are assigned categories, then access is per MMAC. Category assignment is uniquely determined in the HooBlong CP settings display - there is no corresponding facility in native EE. If both the HooBlong and HooKan modules are installed, then the Category assignment settings are also avaailable in the HooKan CP
    • There are no assigned categories, then access is denied
  7. The entry_access_levels parameter set to “yes” - Access depends on the individual entry access level according to the second main mode.

  8. No entry_access_levels parameter or set to anything except “yes” - Entry access levels are ignored.

A Note About Status and Category Names - How To Avoid Access Confusion

It is common practice to use the same names for statuses and categories for different groups and/or channels. HooBlong ensures that the correct statuses and categories are tracked with respect to their group and channel assignments. Nevertheless, if the same names are in use for different channels, diagnosing HooBlong-based access problems due to status/category mismatches can become a chore. This can be avoided by prefixing status and category names with some indication of the associated channel. Alternatively, our HooKan module displays the Channel name with the status/category name by default - another reason why you will find that combining HooKan with HooBlong just makes life easier.

What Is The User’s Computed Access Level?

  • If the member belongs to only one group, the computed access level is equal to the group access level
  • If the member belongs to more than one group, the computed access level is the level of the group with the highest access level

HooBlong Tags, Parameters and Variables

The {exp:hooblong:entries}...{/exp:hooblong:entries} Tag Pair

Wherever the HooBlong front-end features are required, this tag pair must be substituted for the EE channel entries tag.

PLEASE NOTE - THE HOOBLONG FEATURES ARE DESIGNED FOR CONTROLLING CONTENT ACCESS FOR MEMBERS WHO CAN IN PRICIPLE BE ASSIGNED MEMBERSHIP IN MULTIPLE GROUPS, EVEN IF ASSIGNED TO ONLY ONE GROUP. IN PRACTICE, THIS MEANS MEMBER GROUP IDs MUST BE > 4 - SUPERADMINS ARE NOT AFFECTED. IF MEMBER GROUP IDs ARE < 4 (NOT INCLUDING GROUP 1) HOOBLONG WILL NOT PRESENT ANY CONTENT VIA THESE TAGS.

All native EE channel entries tag parameters and variables are also available

HooBlong Variables

Member Groups: {hb_member_groups} ... {/hb_member_groups} returns the member groups to which this user belongs - used with {group_id} and (group_title} tags, like this for example:

Member Groups:

<ul>

{hb_member_groups}

<li>Group ID: {group_id_id} {group_title}</li>

{/hb_member_groups}

</ul>

Assigned Channel Count: {hb_channel_count} returns the number of channels assigned to the user

Assigned Channels: {hb_assigned_channels} ... {/hb_assigned_channels} returns the channels to which this user are assigned - used with {channel_id}, (channel_title} tags. For eaxample:

Channel Count: {hb_channel_count}

Assigned Channels:

<ul>

{hb_assigned_channels}

<li>Channel ID: {hb_channel_id} {hb_channel_title}</li>

{/hb_assigned_channels}

</ul>

Accessible Channel Count: {hb_accessible_channel_count} returns the number of channels with access levels <= the user’s computed access level.

Accessible Channels: {hb_accessible_channels} ... {/hb_accessible_channels} returns the channels to which this user has access when the channels’ access levels are <= the user’s computed access level. Use with {hb_accessible_channel_id}, (hb_accessible_channel_title} and (hb_accessible_channel_name} tags - for eaxample:

<ul>

{hb_accessible_channels}

<li>Channel ID: {hb_accessible_channel_id} Channel Title: {hb_accessible_channel_title} Channle (Short) Name: {hb_accessible_channel_name}</li>

{/hb_accessible_channels}

</ul>

<ul>

{hb_viewable_channels}

<li>Channel ID: {hb_viewable_channel_id} Channel Title: {hb_viewable_channel_title} Channel (Short) Name: {hb_viewable_channel_name}</li>

{/hb_viewable_channels}

</ul>

Computed Access Level: {hb_computed_access_level} returns the member’s computed access level.

Member Can Access the CP: {hb_can_access_cp} returns “y” or “n”.

Member Can Publish: {hb_can_publish} returnes “y” or “n”. This variable is an inclusive combination of the native EE permissions Can Access CP, Can Access Content and Can Access Publish.

Member Can Edit Own Entries: {hb_can_edit_own_entries} returns “y” or “n”.

Member Can Edit Others’ Entries: {hb_can_edit_other_entries} returns “y” or “n”.

Member Can Delete Own Entries: {hb_can_delete_own_entries} returns “y” or “n”.

Member Can Delete All Entries: {hb_can_delete_all_entries} returns “y” or “n”. NOTE: The EE CP setting label is “Can delete channel entries authored by others, but the userdata array uses “Can delete all entries” for the same thing - don’t be confused.

Site URL: {hb_site_url} returns the current site URL.

Delete Action ID: {hb_delete_action_id} returns the Action ID of the delete routine - see usage in Example Template Snippet below.

Delete Entry All-in-One Link: {hb_delete_entry_id_link} provides a convenient all-in-one link to the delete routine for your site - see usage in Example Template Snippet below.

Status Count: {hb_status_count} returns the number of statuses assigned

Assigned Statuses: {hb_assigned_statuses}...{/hb_assigned_statuses} returns the user’s assigned status IDs and status names when used with {hb_statuse_id} and {hb_status}. Use like this for example:

Status Count: {hb_status_count}

Assigned Statuses:

<ul>

{hb_assigned_statuses}

<li>Status ID: {hb_status_id} {hb_status}</li>

{/hb_assigned_statuses}

</ul>

Category Count: {hb_category_count}

Assigned Categories:

<ul>

{hb_assigned_categories}

<li>Status ID: {hb_category_id} {hb_category}</li>

{/hb_assigned_categories}

</ul>

Remember to use the {if no_results} ... {/if} tags for the cases where the user is locked out.

The {exp:hooblong:variables}...{/exp:hooblong:variables} Tag Pair

Wrap any or all of the above variables in this tag pair when you do not want to use the entries tags, but want access to the variables in your template.

The {exp:hooblong:comments}...{/exp:hooblong:comments} Tag Pair

This tag pair will present comments to which the user has access as determined by the HooBlong Access Control rules. It uses the same parameters as the entries tag pair, including the “access” parameter, and all native EE parameters for the EE comments tag pair apply. The following variables are available:

Member can view comments in channel entries authored by others: {hb_can_view_other_comments} return “y” or “n”

Can edit comments in their own channel entries: {hb_can_edit_own_comments} returns “y” or “n”

Can delete comments in their own channel entries: {hb_can_delete_own_comments} returns “y” or “n”

Can edit comments in ANY channel entries: {hb_can_edit_all_comments} returns “y” or “n”

Can delete comments in ANY channel entries: {hb_can_delete_all_comments} returns “y” or “n”

Can Moderate Comments: {hb_can_moderate_comments} returns “y” or “n”

Can Submit Comments: {hb_can_post_comments} returns “y” or “n”

Exclude member from comment moderation: {hb_exclude_from_moderation} returns “y” or “n”

Example Template Snippet Using HooBlong Variables

This template is helpful in assessing the final content permissions granted to a logged-in member via the {exp:hooblong:variables} and/or the {exp:hooblong:entries} tags. In the former, they could be used for constructing menus that are dynamic and member-specific. In the latter they could be used for providing feedback regarding a member’s accessible content.

{exp:hooblong:variables}

<p>Member’s Computed Access Level: {hb_computed_access_level}</p>

<p>Can Member Access CP?

{if hb_can_access_cp == ‘y’}

&nbsp;Yes

{if:else}

&nbsp;No

{/if}

</p>

<p>Can Member Publish? <!– This variable is an inclusive combination of “Can Access CP, Can Access Content and Can Access Publish” –>

{if hb_can_publish == ‘y’}

&nbsp;Yes

{if:else}

&nbsp;No

{/if}

</p>

<p>Can Member Edit Own Entries?

{if hb_can_edit_own_entries == ‘y’}

&nbsp;Yes

{if:else}

&nbsp;No

{/if}

</p>

<p>Can Member Edit Others’ Entries?

{if hb_can_edit_other_entries == ‘y’}

&nbsp;Yes

{if:else}

&nbsp;No

{/if}

</p>

<p>Can Member Delete Own Entries? <!– Must be combined with author_id==logged_in_member_id for each entry –>

{if hb_can_delete_own_entries == ‘y’}

&nbsp;Yes

{if:else}

&nbsp;No

{/if}

</p>

<p>Can Member Delete All Entries? <!– Can delete both own and others’ entries –>

{if hb_can_delete_all_entries == ‘y’} <!– CP setting label is “Can delete channel entries authored by others” - WTF? –>

&nbsp;Yes

{if:else}

&nbsp;No

{/if} <br />

(Note: CP setting label is “Can delete channel entries authored by others” but userdata array says “Can delete all entries” for the same thing - WTF?)

</p>

<p>Site URL:&nbsp;{hb_site_url}</p>

<p>Delete Action ID:&nbsp;{hb_delete_action_id}</p>

<p>Delete Entry All-in-One Link:&nbsp;{hb_delete_entry_id_link}</p>

<p>Member Group Count: {hb_member_group_count}</p>

<p>Member Groups:

<ul>

{hb_member_groups}

<li>Group ID: {hb_group_id} {hb_group_title}</li>

{/hb_member_groups}

</ul>

</p>

<p>Assigned Site Count: {hb_site_count}</p>

{if hb_site_count > 0}

<p>Assigned Sites:

<ul>

{hb_assigned_sites}

<li>Site ID: {hb_site_id}

<ul>

<li>Site Label: {hb_site_label}</li>

<li>Site (Short) Name: {hb_site_name}</li>

</ul>

</li>

{/hb_assigned_sites}

</ul>

</p>

{/if}

<p>Assigned Channel Count: {hb_channel_count}</p>

{if hb_channel_count > 0}

<p>Assigned Channels:

<ul>

{hb_assigned_channels}

<li>Channel ID: {hb_channel_id} {if hb_can_publish == ‘y’}<a class=’blog’ href=’{path=”debeer_news/entry/{hb_channel_name}”}’>Add an Entry</a>

{/if}

<ul>

<li>Channel Title: {hb_channel_title}</li>

<li>Channel Short Name: {hb_channel_name}</li>

</ul>

</li>

{/hb_assigned_channels}

</ul>

</p>

{/if}

<p>Accessible Channel Count: {hb_accessible_channel_count}</p>

{if hb_accessible_channel_count > 0}

<p>Accessible Channels:

<ul>

{hb_accessible_channels}

<li>Channel ID: {hb_accessible_channel_id} - Channel Title: {hb_accessible_channel_title} - Channel Short Name: {hb_accessible_channel_name} - Channel Access Level: {hb_channel_access_level}</li>

{/hb_accessible_channels}

</ul>

</p>

{/if}

<p>Assigned Status Count: {hb_status_count}</p>

{if hb_status_count > 0}

<p>Assigned statuses:

<ul>

{hb_assigned_statuses}

<li>Status ID: {hb_status_id} - Status: {hb_status} - Channels Using: {hb_status_channels}</li>

{/hb_assigned_statuses}

</ul>

</p>

{/if}

<p>Assigned Category Count: {hb_category_count}</p>

{if hb_category_count > 0}

<p>Assigned Categories:

<ul>

{hb_assigned_categories}

<li>Category ID: {hb_category_id} - Category: {hb_category} - Channels Using: {hb_category_channels}</li>

{/hb_assigned_categories}

</ul>

</p>

{/if}

{/exp:hooblong:variables}

<!– NOTE: All variables also available between exp:hooblong:entries tags –>

{exp:hooblong:entries channel=’your_channel(s)’ status=’your_status(es)’ category_id=’cat_id_1|cat_id_2|cat_id_3’} <!– If channel parameters are set, Hooblong will filter out any that have access levels greater than the user’s computed access level –> <!– If channel parameters are not set, Hooblong will fill in parameters according to assignments merged with channels having access levels less than or equal to the user’s compted access level –>

{if no_results}

<h3 class=”white”>Not Authorized</h3>

{/if}

<br />

<h5>Entry ID: {entry_id} Title: {title} Channel: {channel} Channel ID: {channel_id} Entry {if news_access_level}Access Level: {news_access_level}{/if}<br />

{if (hb_can_edit_own_entries == ‘y’ && author_id == logged_in_member_id) || logged_in_member_id == 1} <!– The superadmin conditional in this example serves to override the bracketed conditional –>

<a class=’blog’ href=’{path=”{channel_short_name}/entry/{channel_short_name}/{entry_id}”}’>Edit (Own)</a>&nbsp;

{/if}

{if hb_can_edit_other_entries == ‘y’ && author_id != 1 && author_id != logged_in_member_id} <!– The superadmin conditional in this example serves to not delude users into thinking that they can edit just because they have “can edit others” permission. If author is superadmin, they still can’t - so there! –>

<a class=’blog’ href=’{path=”{channel_short_name}/entry/{channel_short_name}”}/{entry_id}’>Edit (Others’)</a>&nbsp;

{/if}

{if hb_can_delete_all_entries == ‘y’ || logged_in_group_id == 1}

<a class=’blog’ href=’{hb_site_url}/index.php/{entry_id}?ACT={hb_delete_action_id}’ onclick=”return confirm(‘REALLY delete entry id {entry_id}?’)” >Delete(All)</a>&nbsp; <!– Built-up link –>

{/if}

{if hb_can_delete_own_entries == ‘y’ && author_id == logged_in_member_id}

<a class=’blog’ href=’{hb_delete_entry_id_link}’ onclick=”return confirm(‘REALLY delete entry id {entry_id}?’)”>Delete(Own)</a>&nbsp; <!– All-in-one link –>

{/if}

</h5>

{/exp:hooblong:entries}


Settings

All settings are ajax-controlled.

HooBlong Control Settings

Dispose Option:

This setting controls whether the HooBlong tables retained or deleted when HooBlong is uninstalled.

  • Options: Retain, Delete
  • Default: Retain

Members CP Access Override Settings

These settings, one for each member, controls whether EE’s member’s CP access status is overidden or not.

  • Options: EE, Yes, No

    • EE means use EE setting
    • Yes means allways allow CP access
    • No means never allow CP access
  • Default: EE

Access Level Definitions

Use these settings to design a set of access level definitions for each site. Upon installation, a single default access definition is created for each site, labelled “Default” with a value of zero (0).

It is advisable to complete the access level definitions to your satisfaction before proceeding to set channel and group access levels, since the definitions are used to create the options for those settings. The access level label is an enterable text field.

The following control buttons are provided:

  • Add Access Level
  • Delete Selected Access Levels

Channel Access Levels

Once the access level definitions have been entered, the channel access levels can be set from dropdowns, based upon the appropriate site access level definitions

Group Access Levels

Once the access level definitions have been entered, the group access levels can be set from dropdowns, one for each group/site combination.

Category Assignments

If you wish to deny access based upon categories, unset the permissions for the appropriate group(s).


Detailed Permissions Reference

Even if you have no interest in Create, Update or Delete (CUD) Multi Level Membership, please note carefully the next item, because native EE CP settings deternine whether HooBlong’s front end CUD functions are active.

Control Panel Access Security - A Special Case

Because of potentially disastrous consequences of accidental CP access, HooBlong provides a member-specific access control for CP access, which can override EE’s CP access settings. The feature is provided for those individual cases where this may not be desirable. HooBlong will assign final CP access for the logged in member according to the following Access Logic:

  • Control Panel Access may be set to “Yes/No/EE” - Default is “EE” meaning that:

    • If Set to “Yes”, then the user has CP access, no matter what the EE setting may be
    • If set to “No”, then the user does NOT have CP access, no matter what the EE setting may be
    • If set to “EE”, then the EE setting prevails

CAUTION

Because of how MMAC resolves permissions, it is possible to give a member access to the control panel, when normally they would not have it! If it is your intention that a member who does not have CP access according to the home group (our word for the native EE assigned group,) should ALWAYS not have CP access, then you need to EITHER ensure that all groups to which the member may belong also do not have CP access OR make use of the Control Panel Override setting in the Members’ Settings Control Panel. The latter is the most logical way of exerting final control over CP access, because it overrides HooBlong’s access-logic for CP access

Permissions Controlled By The Userdata Arrays and the Member Group Table Entries for Each Constituent Member Group

  • Yes/No permissions - these are all the permissions for which access is set either on or off using “y” or “n” in the userdata object. These are normally set in the EE CP Edit Member Group page (or by our HooKan module if you use it)
  • Module Access permissions - are set by placing qualifying Module IDs in an array in the userdata object - unlike Yes/No permissions, non-qualifiers are simply not recorded in the userdata array - that’s exacly how EE does it.
  • Channel Access Permissions - as for Module Access, are set by placing only qualifying Channel IDs in an array in the userdata array
  • Template Group Access Permissions - as for Module Access, are set by placing only qualifying Template Group IDs in an array
  • Site Access Permissions - as for Module Access, are set by placing only qualifying Site Labels in an array

Permissions Controlled Elsewhere

The following permissions are not controlled by EE in the userdata array, nor by the member group entry. They are nevertheless used for access control by EE on an as-required basis by looking up their permission(s) or lack thereof in dedicated tables in the database:

  • Template Access Permissions - non-access is recorded in the “Template No Access” EE table
  • “Can Edit Categories” permissions - recorded in the “Category Groups” EE table
  • “Can Delete Categories” permissions - also recorded in the “Category Groups” EE table
  • “Can Upload” permissions - non_access recorded in the “Upload No Access” EE table
  • Forum Boards and Forums access - access recorded separately in the Forum Boards and Forums

EE-HooBlong Member and Member Group Synchronization

With additions and deletions, the HooBlong group membership status could come to bear no relationship to the current status of the native EE group membership. To prevent this from happening, HooBlong synchronizes all changes originating in the EE CP as follows:

  • New members are placed in the HBMT as they are created, under control of an extension
  • Deleted members are removed from the HBMT table as they are deleted, also under control of an extension

A Bit More About Usage

Multiple Group Memberships the HooBlong Way - Best Practices for HooBlong Usage

HooBlong With Existing Sites

Haphazard assignment of members to multiple preexisting groups in existing sites is almost certain to result in a mess, because prior to HooBlong, no thought needed to be given to the consequences of multiple group memberships.

Manage All Group Memberships for New Sites With HooBlong - It’s Simpler

Permanent member group management via HooBlong is the best option because HooBlong provides the best of both worlds - you may assign EITHER single OR multiple group memberships to members under HooBlong.

CRASS COMMERCIALISM ALERT - Buy HooKan

HooKan makes it much easier to visualize your various member group permissions, compared to wading through individual member group CP edit pages.

Rethink Your Approach to Group Assignments

Design a Multiple-Groups-Focused Access Strategy for Your Site Content. The main feature of your strategy should be to decide the minimum number of unique member groups that can be combined to cover all or most of your access-control needs. The reason for this is that the number of possible combinations of member groups can become very large and difficult to visualise. For example:

  • 3 Groups can be combined in 8 unique ways including “none”
  • 4 Groups can be combined in 16 unique ways including “none”
  • 5 Groups can be combined in 32 unique ways including “none”
  • 6 Groups can be combined in 64 unique ways including “none”
  • and if you really want to push the boat out, 15 Groups can be combined in 32,768 unique ways, including “none”

Unique Member Groups? What? How?

Let’s use an example. Assume you are selling content and you have three content channels, A, B and C. When you first start out you have no idea in what combinations your members will buy/subscribe. So you could set up three member groups, 1, 2 and 3, each with access to a single channel - Group 1 can access Channel A, Group 2 -> Channel B etc.

Now, using HooBlong, whatever happens, you can give individual members access to any combination of the three channels as required without worrying about unforeseen access conflicts, overlaps, gaps and/or potential security problems.

To do the equivalent job using native EE methods would require setting up a minimum of 7 member groups, 3 for one-to-one permission for each member/group combination, 3 for combining 2 sets of permissions in all the different ways, and another 1 for combining all three sets into one group. In addition, you would have to change a member’s group each time they upgraded/downgraded. With HooBlong you just add/remove constituent groups as needed for each member.

In this example, “Unique” means that the difference between Groups is the difference in assigned channels. In this example you want members belonging to any one of these groups to access ONLY that one associated channel, so that you can combine “single access permissions” via multiple groups in such a way that the accesses become additive.

CAVEAT: Make certain that all other permissions for particular group are not simply neglected - they might still have an unintended effect if you don’t pay attention!

Minimum Effort - How To

We suggest that all new members be assigned to a default group ID that is > 4 when registering. HooBlong can then be used to sort them into their final group configurations. You could do the latter the normal EE way - OR better still, use HooKan, the companion product to HooBlong, because Hookan makes it much easier to visualise and compare the permissions of different member groups.

A Note On The Essential Differences Between Template Access Control and Content Access Control

  • Template access control, by controlling access at the template level, means that access is either on or off, regardless of content. To work both securely and seamlessly with the rest of EE, careful management of your template access settings is required. Specifically:

    • Remember that the EE CP template settings only apply to the home group, so focus on what you want to happen when the member belongs to only that one group
    • It is wise to make use of a suitable “bounce” template, (404 or other) - likewise you should set a default for invalid URLs, in the template global settings
    • Be careful how you set and unset the group radio buttons. As a rule, start by unsetting them all and then set the ones for which you actually want access
    • Embedded templates are also subject to access control. For example, if you have an embed for your header and you unset the access for a group, the header will not show if the template is blocked. In most cases you will want to keep those accessible for the sake of not breaking the page heading/navigation/whatever. Alternatively, set the bounce template to point to the template itself to be sure it will show.
    • On the other hand, embeds present an interesting way to present different embed data for different user groups and combinations of groups
  • An important difference between template and content access control, lies in where your users end up if access is denied:

    • In the case of template access control, they should be redirected to a suitable but different page from the one requested - such as a 404
    • For content control, since they must land on whichever page is requested in any case, you should use the EE no-results tags if access is denied
  • Finally, access control of complex interactions between channel, template, multiple-group-membership and all the other possible controls such as status and whether or not they have permissions for the CUD parts of CRUD, is very difficult unless a clear and simple access strategy features prominently in you site design. Retrofitting HooBlong to an existing site is likely to be frustrating and insecure.

A Word About Using THE EE CP To Manipulate Home Group Assignments

REMINDER - The home group is the group assigned to each member by the EE CP.

Since HooBlong does not allow for the creation, deletion or changing of the home group, it must be done in the EE CP. While HooBlong tracks these changes in a logical way, the consequences can be unexpected and insecure if done carelessly. Here are the rules:

  • HooBlong only controls access for member groups with IDs greater than 4 (5 and higher).

  • If a member that is tracked by HooBlong is changed to a superadmin, it and all its constituent memberships are removed from HooBlong control for all sites

  • If a tracked member’s home group is changed, the change is recorded by HooBlong, and in addition:

    • If the new group was previously another (non-home) constituent group, it is removed and the new group inherits only the rest of the other constituents, for all sites for the member
    • Note that the other constituent groups may be different for different sites
  • If the new group is not tracked, it is recorded for all sites for that member, and it’s assumed that the member belongs to only the home group

  • If a superadmin is changed to a group with ID > 4, the group is tracked by HooBlong for all sites and initiated without other constituents - those, if any, will have to be set in the HooBlong CP


What Happens on Installation

On installation, all existing group memberships are entered in a HooBlong membership table (HBMT,) with the first-assigned member group for each member treated as the member’s “Home Group.” The home group is not special in any way - we keep track of it to know how to restore the orginal membership setup if HooBlong is uninstalled for any reason. After installation, HooBlong ignores the EE group membership status for as long as HooBlong remains installed, with the following important exceptions:

  • Newly registered members are added to the HBMT
  • Deleted members are removed from the HBMT
  • The HBMT is updated when a new group is assigned by the EE Control Panel

What Happens on Uninstallation

Due to the potential inconvenience of having to recreate the entire body of multiple membership setups if the module is uninstalled for temporary reasons, we provide 2 options under control of a setting:

  • Delete the HooBlong tables - all HooBlong tables will be deleted
  • OR
  • The default, do not delete the tables so HooBlong can resume where it left off on reinstallation

While installed, HooBlong relies on the following tables:

  • exp_hooblong_access_levels - Holds access level definitions for all installed sites
  • exp_hooblong_category_no_access - Holds IDs of member groups/category pairs for which category access is forbidden
  • exp_hooblong_channel_access_levels - Holds channel access levels
  • exp_hooblong_group_access_levels - Holds member group access levels
  • exp_hooblong_membership - Holds multiple membership information for each registered user with native EE group IDs > 4

Permanent Uninstallation

If you want/have to uninstall HooBlong permanently, meaning also delete the tables, it is extremely important to first ensure that the state of member access control to which you revert in EE is the one you really want, and that the native EE memebr groups are correct.


Support

Help is available as follows:

Bug Reports, Problems

Use the contact form at www.debeer.com

or

Hangout at GooglePlus where you can interact with other HooBlong users. Apply for invitations if you want to participate in the discussions.

How To, Feature Requests etc.

EE StackExchange is the best place for all kinds of interaction that is EE-related, including familiarization with the HooBlong add-on.


Disclaimer

de Beer, the maker of HooBlong, is independent from and not affiliated with or sponsored by EllisLab.


Definitions

  • EEMG: ExpressionEngine © Member Group
  • SG: Supergroup, a theoretical member group that combines the privileges of two or more EEMGs according to a set of rules referred to as an Access-Logic.
  • EEMT: The ExpressionEngine © Members Table: The database table containing the EE membership data of individual members (exp_members)
  • EEMGT: The ExpressionEngine © Member Groups Table: The database table containing the EE member group data of individual member groups (exp_member_groups)
  • HBMT: HooBlong Membership Table: HooBlong’s database table containing data about each member’s multiple group memberships (exp_hooblong_membership)
  • HG: Home Group: The group to which a member belongs according to the EEMT. This group is tracked in the HBMT
  • Blongs: The collection of one or more groups to which an individual member belongs, as recorded in the HBMT. A list of active blongs always includes the home group unless it has been inactivated in the HooBlong CP.
  • Constituent Groups: Constituent Groups denote groups to which the member belongs.

Table Of Contents

This Page