Workshop Zend Framework. Part three: Zend_Acl


Today we consider the example of creating the Acl for the system with a large number of roles and resources
the
    the
  • Part one
    the

      Authentication — users log on to the system

      ACL — distribution of access rights


    • Part two
    the

      Routing — customize URLs for various system components

      Registry — quick access to system constants

    Part three
    the

      Acl — an advanced example


Abrowser Anexroid has kindly provided a description of this project:
There are the following access rights: Admin, access to admin area. And in the admin area about 20-30 sections 5 admins. All access different. That is, someone 2-3 section, someone- all 20. All menu items are stored in the database.
User — zaregistrirovannyy on the website. Can create photo albums, comment on the news without entering captcha etc + everything that can be done by the guest.
The enterprise has a personal page in the catalog, depending on purchased package — various points in the personal account.
Well, the guest, which can all unlimited to view. Comments with captcha.
Still have the consultants answer the questions in the consultation.
Moreover, companies and consultants no registration, added by admin. +again, all tables in a DB separate — separate administrators, separate users, separate enterprises, separate consultants.

To start with roles and resources, draw up the inheritance hierarchy of resources and roles:
Hierarchy of roles

In our example, the upper part of the resource hierarchy will match the structure with the hierarchy of roles. In order to conveniently display the resource hierarchy, we add to our list of access rights abstract resources for each role, except Admin1-N, CompanyPackage1-N. This is because the resources for the Guest status, User, and shared resources for all admins and companies have a simple tree structure, which cannot be said about the lower nodes of the tree which will intersection. For example Admin1 and Admin2 can have access to a shared resource "Add news", and the trees Zend_Acl resources, unfortunately, does not support multiple inheritance. Therefore, the resources for role Admin1-N, CompanyPackage1-N will be distributed as exceptions, obviously naznachali the desired role.
resource Hierarchy

So, we dealt with the resource hierarchy, you will now create the Acl directly. This will extend Zend_Acl class:
the 
<?php
class Acl extends Zend_Acl {
public function __construct() {
// Add role
$this->addRole('guest');
$this->addRole('user', 'guest');
$this->addRole('admin', 'user');
$this->addRole('company', 'user');
$this->addRole('company-package-1', 'company');
$this->addRole('company-package-2', 'company');
$this->addRole('company-package-3', 'company');
// ...
$this->addRole('admin-1', 'admin');
$this->addRole('admin-2', 'admin');
// ...
$this->addRole('admin-5', 'admin');

//Add resources
//
// RESOURCES GUEST !
$this->add(new Zend_Acl_Resource('guest_res'));
// list all the resources of the guest, as a child guest_res
$this->add(new Zend_Acl_Resource('add-comments-with-captcha'), 'guest_res');

// THE USER'S RESOURCES !
$this->add(new Zend_Acl_Resource('user_res'));
// list all resources the user like a child user_res
$this->add(new Zend_Acl_Resource('add-comments'), 'user_res');

// RESOURCES ADMIN !
$this->add(new Zend_Acl_Resource('admin_res'));
// enumerated the shared resources for all admins, as a child admin_res
$this->add(new Zend_Acl_Resource('admin-tools-list'), 'admin_res');

// RESOURCES OF THE COMPANY !
$this->add(new Zend_Acl_Resource('company_res'));
// enumerated the shared resources for packet companies, as a child company_res


// A specific resources for administrators and companies that don't inherit
$this->add(new Zend_Acl_Resource('advertise'));
$this->add(new Zend_Acl_Resource('add-company'));

//Put rights, default all is forbidden
$this- > deny(null, null, null);
$this->allow('guest', 'guest_res', 'show');
$this->allow('user', 'user_res', 'show');
$this->allow('admin','admin_res', 'show');
$this->allow('company','company_res', 'show');

// Expose the resources for packages of companies and admins
$this->allow('company-package-1','advertise', 'show');
$this->allow('admin-1','add-company', 'show');
}
}

And immediately check that everything works as we expect:
the 
echo $acl- > allowed('guest', 'add-comments-with-captcha', 'show')?'yes':'no'; // yes
echo $acl- > allowed('guest', 'add-comments', 'show')?'yes':'no'; // no
echo $acl- > allowed('admin-1', 'add-company', 'show')?'yes':'no'; // yes
echo $acl- > allowed('company-package-2', 'advertise', 'show')?'yes':'no'; // no

In this example, I allowed myself to make a simplification and imposed a privilege show, which corresponds to the possibility of viewing a certain page. However, you can extend this example and add various benefits, if you need it.
Also, it is obvious that this code is not in conformity with the company's packages and administrators will be added, and the rights of other roles can change over time. So you will need to store data in a database, or construct the object on demand, extracting the necessary data or to store a serialized instance of the class Acl in any store (for example memcached). The choice is yours, I personally like the second option.
first post of this series, I examined how you can create an Acl using as a resource of type string "controller/action", which is very convenient in small projects.
Article based on information from habrahabr.ru

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

Fresh hay from the cow, or 3000 icons submitted!

Изображение
After the release of the 2000 icons FatCow more than a year . In her fourth year of drawing. the Page called for 560,096 (288,511+235,221+36,364) visitors . To reach 3500 icons, the works will last until February 2013. If you add the size of 64x64, then to mid-2015. While invested $76778 and 2000 hours. Then put 3000 icons , a week before the release on the official website, because the owners of the cows (Bluehost) busy buying crocodile ( HostGator ). / > To understand which icons are the most unique in the world, had to sort 7422 icons. The result did not disappoint... and it turned out that the percentage of unique icons 85,53% cows , 55,90% James and 68,59% from Yusuke. 17.15% — so % unique icons more Fatcow than Fugue . Our designer worked 3.5 hours a day, 5 days per week, for 4 consecutive years. As at the manufactory. Using specially crafted for our set generator Corvo from Berezin Artyom, woven two carpet, put through photoshop and get lep
Далее...

Knowledge base. Part 2. Freebase: make requests to the Google Knowledge Graph

Изображение
More than a year ago, Google announced that from now on in their search is the mysterious Knowledge Network (an official translation of the Knowledge Graph). Perhaps not everyone knows that a significant part of the data Network available for anyone to use and available via well described APIs. This part is the knowledge base Freebase, supported by Google and enthusiasts. In this article, we first a little nuts, and then try to do a few simple queries in MQL. This article is the second of the knowledge Base. Stay tuned. the the Part 1 — Introduction the Part 2 — Freebase: we make requests to the Google Knowledge Graph the Part 3 — Dbpedia — a kernel of the world of Linked Data the Part 4 — Wikidata — semantic Wikipedia Google Knowledge Graph from the point of view of an ordinary user One of the visible manifestations of the Google Knowledge Graph is the information panel that briefly describes the object that you are looking for. They often arise from the se
Далее...

Group edit the resources (documents) using MIGXDB

Изображение
I wonder the opportunities offered by component MIGX from Bruno17 for MODX Revolution . While he looks clumsy and there are mistakes, but the critical problem. All that is written in this article important for MIGX version 2.5.8-pl (the latter at the moment). / > Many people use MIGX for creating photo galleries , but its functionality is not limited. A real designer to manage data of any database tables. You can even display a list of child resources (documents of MODX) in any container. This will be discussed in this article. Something I learned from documentation MIGDB but, as I understand, it is already rather outdated and much of what is described there simply doesn't work. I will tell you how to make a table with nested resources: 1. Open "Components" -> "MIGX". Go to the tab "MIGX". Click "Add item". 2. On the "Settings" tab to enter a name (Name) of the configuration, for example "ch
Далее...