Zend acl




Recommended Reads

Storing Zend_Acl in a database (DRAFT)

Image:Zend_Acl.jpg

Refer to Zend_Acl documentation in Zend Framework Manual.

SportSec's code

Code by SpotSec_:

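<?php
/*
 * Build a Zend_Acl from three database tables (see "Table Structure" below):
 *   roles       {id, name, parent_id}
 *   resources   {id, name}
 *   permissions {role_id, resource_id, access enum('allow', 'deny')}
 *
 * Zend_Acl addresses roles and resources by *name*, while the permissions
 * table references them by *id*, so id => name maps are built while loading
 * and every id is translated before it reaches the ACL.
 *
 * Roles, Resources and Permissions are assumed to be table models exposing
 * fetchAll() (Zend_Db_Table style) — confirm against the model classes.
 */
$acl         = new Zend_Acl();
$roles       = new Roles();
$resources   = new Resources();
$permissions = new Permissions();

$roleNames     = array(); // roles.id => roles.name
$resourceNames = array(); // resources.id => resources.name

// Pass 1: collect every role so parent ids can be resolved regardless of the
// order in which fetchAll() returns rows.
$pendingRoles = array();
foreach ($roles->fetchAll() as $role) {
    $roleNames[$role->id] = $role->name;
    $pendingRoles[]       = $role;
}

// Pass 2: register roles parent-first. Zend_Acl requires a parent role to be
// registered before a child names it, so a child whose parent is not yet in
// the ACL is deferred and retried on the next sweep.
// (A truthy parent_id marks a child; the earlier version of this loop had the
// test the other way round, which silently dropped all inheritance.)
while (!empty($pendingRoles)) {
    $deferred = array();
    foreach ($pendingRoles as $role) {
        if ($role->parent_id) {
            // Child role: inherits the parent's allow/deny rules.
            if (!isset($roleNames[$role->parent_id])) {
                throw new RuntimeException(
                    "Role '{$role->name}' refers to unknown parent id {$role->parent_id}"
                );
            }
            $parentName = $roleNames[$role->parent_id];
            if (!$acl->hasRole($parentName)) {
                $deferred[] = $role;
                continue;
            }
            $acl->addRole(new Zend_Acl_Role($role->name), $parentName);
        } else {
            // Root role: no inheritance.
            $acl->addRole(new Zend_Acl_Role($role->name));
        }
    }
    if (count($deferred) === count($pendingRoles)) {
        // No progress in a full sweep means the parent links form a cycle.
        throw new RuntimeException('Role hierarchy contains a cycle');
    }
    $pendingRoles = $deferred;
}

foreach ($resources->fetchAll() as $resource) {
    $resourceNames[$resource->id] = $resource->name;
    $acl->add(new Zend_Acl_Resource($resource->name));
}

// With no privilege argument a rule covers every privilege on the resource.
// Anything other than an explicit 'allow' is treated as deny, so a malformed
// or unexpected access value fails closed.
foreach ($permissions->fetchAll() as $permission) {
    if (!isset($roleNames[$permission->role_id], $resourceNames[$permission->resource_id])) {
        throw new RuntimeException('Permission row refers to an unknown role or resource id');
    }
    $roleName     = $roleNames[$permission->role_id];
    $resourceName = $resourceNames[$permission->resource_id];
    if ($permission->access === 'allow') {
        $acl->allow($roleName, $resourceName);
    } else {
        $acl->deny($roleName, $resourceName);
    }
}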

Every `$xxx->xxx_id` value must be translated to the corresponding `name` field before it is passed to Zend_Acl, which identifies roles and resources by name.

Table Structure

Quick table structure:

roles       {id, name, parent_id}
resources   {id, name}
permissions {role_id, resource_id, access (enum 'allow', 'deny')}



The Basics of Zend_Acl

Resource: the object being protected. Role: the principal that is granted (or denied) access to a Resource.


<?php
/*
 * Minimal Zend_Acl walkthrough: three standalone roles, one user role that
 * inherits from all three, one resource, and one query.
 */
require_once 'Zend/Acl.php';
$acl = new Zend_Acl();

require_once 'Zend/Acl/Role.php';
$baseRoles = array('guest', 'member', 'admin');
foreach ($baseRoles as $roleName) {
    $acl->addRole(new Zend_Acl_Role($roleName));
}

// 'someUser' has several parents; Zend_Acl consults the parents when no rule
// applies to the role itself.
$acl->addRole(new Zend_Acl_Role('someUser'), $baseRoles);

require_once 'Zend/Acl/Resource.php';
$acl->add(new Zend_Acl_Resource('someResource'));

// With no privilege argument a rule covers every privilege on the resource.
$acl->deny('guest', 'someResource');
$acl->allow('member', 'someResource');

// Which parent's rule wins for a multi-parent role with conflicting rules
// depends on Zend_Acl's lookup order — confirm against the manual before
// relying on it.
$verdict = $acl->isAllowed('someUser', 'someResource') ? 'allowed' : 'denied';
echo $verdict;

More examples


<?php
/*
 * Role hierarchy with privileges: guest -> staff -> editor, plus a standalone
 * administrator. A null resource means the rule applies to every resource.
 */
require_once 'Zend/Acl.php';

$acl = new Zend_Acl();

require_once 'Zend/Acl/Role.php';

$guest = new Zend_Acl_Role('guest');
$acl->addRole($guest);
$acl->addRole(new Zend_Acl_Role('staff'), $guest);    // staff inherits from guest
$acl->addRole(new Zend_Acl_Role('editor'), 'staff');  // editor inherits from staff
$acl->addRole(new Zend_Acl_Role('administrator'));    // no inheritance

// Privileges granted per role, on every resource (null). Each role also
// inherits whatever its parent may do, so staff can view, editor can
// view/edit/submit/revise, and so on.
$grants = array(
    'guest'  => 'view',
    'staff'  => array('edit', 'submit', 'revise'),
    'editor' => array('publish', 'archive', 'delete'),
);
foreach ($grants as $roleName => $privileges) {
    $acl->allow($roleName, null, $privileges);
}

// Administrator: no resource and no privilege means everything, everywhere.
$acl->allow('administrator');

Querying the ACL


<?php
/*
 * Query the ACL built above. Each check prints "allowed" or "denied" with
 * no separator, exactly as a series of individual echo statements would.
 */
$queries = array(
    // role, resource, privilege                   // expected result
    array('guest',         null, 'view'),          // allowed
    array('staff',         null, 'publish'),       // denied: publish is granted to editor only
    array('staff',         null, 'revise'),        // allowed
    array('editor',        null, 'view'),          // allowed: inherited from guest via staff
    array('editor',        null, 'update'),        // denied: no allow rule for 'update' anywhere
    array('administrator', null, 'view'),          // allowed: administrator may do everything
    array('administrator', null, null),            // allowed: same query without a privilege
    array('administrator', null, 'update'),        // allowed
);

foreach ($queries as $query) {
    list($role, $resource, $privilege) = $query;
    echo $acl->isAllowed($role, $resource, $privilege) ? "allowed" : "denied";
}

Refining the ACL


<?php
// Add a 'marketing' role as a child of 'staff', so it starts with every rule
// staff has (including the rules staff itself inherits from guest).
$marketing = new Zend_Acl_Role('marketing');
$acl->addRole($marketing, 'staff');


<?php
/*
 * Resources form a tree too: 'latest' and 'announcement' are children of
 * 'news'. A rule on 'news' therefore also covers both children.
 */
require_once 'Zend/Acl/Resource.php';
$resourceTree = array(
    'newsletter'   => null,    // top-level
    'news'         => null,    // top-level
    'latest'       => 'news',  // latest news
    'announcement' => 'news',  // announcement news
);
foreach ($resourceTree as $resourceName => $parentName) {
    $acl->add(new Zend_Acl_Resource($resourceName), $parentName);
}


<?php
// Marketing may publish and archive both the newsletter and the latest news.
$acl->allow('marketing', array('newsletter', 'latest'), array('publish', 'archive'));

// Explicit denials, applied in order:
//  - staff (and everything below it, including marketing) may not revise the
//    latest news; this resource-specific rule overrides the staff-wide
//    'revise' grant that was made for every resource.
//  - a null role means every role, administrator included, is denied
//    archiving announcements, which overrides administrator's blanket allow
//    (see the queries below).
$denials = array(
    array('staff', 'latest',       'revise'),
    array(null,    'announcement', 'archive'),
);
foreach ($denials as $rule) {
    list($role, $resource, $privilege) = $rule;
    $acl->deny($role, $resource, $privilege);
}


<?php
/*
 * Query the refined ACL. Each check prints "allowed" or "denied" with no
 * separator, exactly as a series of individual echo statements would.
 */
$queries = array(
    // role, resource, privilege                           // expected result
    array('staff',         'newsletter',   'publish'),     // denied
    array('marketing',     'newsletter',   'publish'),     // allowed
    array('staff',         'latest',       'publish'),     // denied
    array('marketing',     'latest',       'publish'),     // allowed
    array('marketing',     'latest',       'archive'),     // allowed
    array('marketing',     'latest',       'revise'),      // denied: staff-level deny on 'latest'
    array('editor',        'announcement', 'archive'),     // denied: deny for every role
    array('administrator', 'announcement', 'archive'),     // denied: the null-role deny beats the blanket allow
);

foreach ($queries as $query) {
    list($role, $resource, $privilege) = $query;
    echo $acl->isAllowed($role, $resource, $privilege) ? "allowed" : "denied";
}

Now, how do we apply these rules when they are stored in a database?
