# Access Control List

## Overview

The current ACL system aims to stay backwards compatible with legacy code while allowing small extensions for new features, without having to reimplement the whole system.

In the legacy system, access control uses the following steps to determine whether a page can be accessed by a user:

1. The user, stored in the `config.xml` file at `system/user` (one item per user)
2. One or more groups for that user, stored in `system/group`, which contain priv sections
3. A PHP file binding the priv section content to a page mask (including wildcards)

Our temporary solution is to keep the user and the group in place and to replace the PHP file with a simple config in the model, which uses the same mask construction as the old codebase. To bind priv to pages, edit `models/OPNsense/Core/ACL_Legacy_Page_Map.txt`.
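The three-step lookup described above, as an added example that is not OPNsense's own code: it resolves a user to groups, groups to priv entries, and priv entries to page masks, and denies access when nothing matches. The XML element names, the priv names, the `$pageMap` array, the function name `isPageAccessibleDemo` and the use of `fnmatch()` for wildcard matching are assumptions made for illustration.

```php
<?php
// Constructed sample config; element names under system/user and
// system/group are assumptions for this illustration.
$configXml = <<<XML
<opnsense><system>
  <user><name>alice</name></user>
  <user><name>bob</name></user>
  <group><name>fw-admins</name><member>alice</member><priv>page-firewall-rules</priv></group>
  <group><name>readers</name><member>alice</member><member>bob</member><priv>page-status-dashboard</priv></group>
</system></opnsense>
XML;

// Hypothetical priv => page mask bindings, standing in for the page map file.
$pageMap = [
    'page-firewall-rules'   => ['/firewall_rules.php*', '/firewall_rules_edit.php*'],
    'page-status-dashboard' => ['/index.php*'],
];

function isPageAccessibleDemo(SimpleXMLElement $cfg, array $pageMap, string $user, string $url): bool
{
    // Step 1: the user must exist in system/user.
    $known = false;
    foreach ($cfg->system->user as $u) {
        $known = $known || (string)$u->name === $user;
    }
    if (!$known) { return false; }

    foreach ($cfg->system->group as $group) {
        // Step 2: only groups that list the user contribute privs.
        $isMember = false;
        foreach ($group->member as $m) {
            $isMember = $isMember || (string)$m === $user;
        }
        if (!$isMember) { continue; }
        // Step 3: test the URL against every mask bound to those privs.
        foreach ($group->priv as $priv) {
            foreach ($pageMap[(string)$priv] ?? [] as $mask) {
                if (fnmatch($mask, $url)) {
                    return true;
                }
            }
        }
    }
    return false; // default deny: no priv mask matched
}

$cfg = simplexml_load_string($configXml);
// Cases: group member with a matching mask, member without the priv, unknown user.
foreach ([['alice', '/firewall_rules.php?if=lan'], ['bob', '/firewall_rules.php'], ['mallory', '/index.php']] as [$u, $p]) {
    printf("%-8s %-28s %s\n", $u, $p, isPageAccessibleDemo($cfg, $pageMap, $u, $p) ? 'allow' : 'deny');
}
```

A trailing `*` in a mask also covers query strings, so the width of each wildcard decides how much of the UI a single priv exposes.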

## Usage from PHP

Using the system from PHP is rather simple:

```php
$acl = new OPNsense\Core\ACL();
// Check whether the user "user" may access the given page
if ($acl->isPageAccessible("user", "/firewall_rules.php")) {
    print("/firewall_rules.php is accessible");
}
```


## Usage in Volt templates

The ACL scheme is bound to the default UI controller and is available in templates through the `acl` keyword:

```volt
{% if acl.isPageAccessible(session.get('Username'), subMenuItem.Url) %} {# render the menu item here #}
{% endif %}
```