Workshop Zend Framework. Part three: Zend_Acl


Today we look at an example of building an Acl for a system with a large number of roles and resources.
  • Part one
      Authentication — users log on to the system
      ACL — distribution of access rights
  • Part two
      Routing — customize URLs for various system components
      Registry — quick access to system constants
  • Part three
      Acl — an advanced example


Habr user Anexroid has kindly provided a description of this project:
There are the following access rights: Admin, with access to the admin area. In the admin area there are about 20-30 sections and 5 admins, all with different access. That is, someone has 2-3 sections, someone has all 20. All menu items are stored in the database.
User — registered on the website. Can create photo albums, comment on the news without entering a captcha, etc., plus everything a guest can do.
Enterprise — has a personal page in the catalog; depending on the purchased package, various items in the personal account.
Well, and the guest, who can view everything without restriction. Comments with captcha.
There are also consultants, who answer questions in the consultation section.
Moreover, companies and consultants have no registration; they are added by the admin. Also, all tables in the DB are separate: separate administrators, separate users, separate enterprises, separate consultants.

To begin with roles and resources, let us draw up the inheritance hierarchy of roles and resources:
(Figure: hierarchy of roles)

In our example, the upper part of the resource hierarchy mirrors the structure of the role hierarchy. To make the resource hierarchy easy to display, we add to our list of access rights an abstract resource for each role, except for Admin1-N and CompanyPackage1-N. This is because the resources for the Guest and User roles, and the shared resources for all admins and for all companies, form a simple tree, which cannot be said of the lower nodes of the tree, which will intersect. For example, Admin1 and Admin2 may both have access to a shared resource "Add news", and the Zend_Acl resource tree unfortunately does not support multiple inheritance. Therefore the resources for the Admin1-N and CompanyPackage1-N roles will be handled as exceptions, assigned explicitly to the role that needs them.
(Figure: hierarchy of resources)

So, we have dealt with the resource hierarchy; now we create the Acl itself. To do this we extend the Zend_Acl class:
<?php
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Resource.php';

class Acl extends Zend_Acl {
    public function __construct() {
        // Add roles; the second argument is the parent role whose rights are inherited
        $this->addRole('guest');
        $this->addRole('user', 'guest');
        $this->addRole('admin', 'user');
        $this->addRole('company', 'user');
        $this->addRole('company-package-1', 'company');
        $this->addRole('company-package-2', 'company');
        $this->addRole('company-package-3', 'company');
        // ...
        $this->addRole('admin-1', 'admin');
        $this->addRole('admin-2', 'admin');
        // ...
        $this->addRole('admin-5', 'admin');

        // Add resources
        //
        // GUEST RESOURCES
        $this->add(new Zend_Acl_Resource('guest_res'));
        // list all the guest's resources as children of guest_res
        $this->add(new Zend_Acl_Resource('add-comments-with-captcha'), 'guest_res');

        // USER RESOURCES
        $this->add(new Zend_Acl_Resource('user_res'));
        // list all the user's resources as children of user_res
        $this->add(new Zend_Acl_Resource('add-comments'), 'user_res');

        // ADMIN RESOURCES
        $this->add(new Zend_Acl_Resource('admin_res'));
        // list the resources shared by all admins as children of admin_res
        $this->add(new Zend_Acl_Resource('admin-tools-list'), 'admin_res');

        // COMPANY RESOURCES
        $this->add(new Zend_Acl_Resource('company_res'));
        // list the resources shared by all company packages as children of company_res

        // Specific resources for administrators and companies that are not inherited
        $this->add(new Zend_Acl_Resource('advertise'));
        $this->add(new Zend_Acl_Resource('add-company'));

        // Set rights: by default everything is forbidden
        $this->deny(null, null, null);
        $this->allow('guest', 'guest_res', 'show');
        $this->allow('user', 'user_res', 'show');
        $this->allow('admin', 'admin_res', 'show');
        $this->allow('company', 'company_res', 'show');

        // Grant the specific resources to individual company packages and admins
        $this->allow('company-package-1', 'advertise', 'show');
        $this->allow('admin-1', 'add-company', 'show');
    }
}

And immediately check that everything works as we expect (the query method of Zend_Acl is isAllowed):

$acl = new Acl();
echo $acl->isAllowed('guest', 'add-comments-with-captcha', 'show') ? 'yes' : 'no'; // yes
echo $acl->isAllowed('guest', 'add-comments', 'show') ? 'yes' : 'no'; // no
echo $acl->isAllowed('admin-1', 'add-company', 'show') ? 'yes' : 'no'; // yes
echo $acl->isAllowed('company-package-2', 'advertise', 'show') ? 'yes' : 'no'; // no

In this example I allowed myself a simplification and used a single privilege, show, which corresponds to the ability to view a certain page. However, you can extend this example and add various privileges if you need them.
It is also obvious that this code will not keep up with reality: company packages and administrators will be added, and the rights of other roles may change over time. So you will need to keep the data in a database and either build the object on demand, fetching the necessary rows, or keep a serialized instance of the Acl class in some store (for example memcached). The choice is yours; I personally prefer the second option.
In the first post of this series, I showed how to create an Acl using resources of the form "controller/action", which is very convenient in small projects.
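As an added example that is not part of the original article, here is a data-driven variant of the same Acl: roles, resources and grants come from arrays standing in for the database tables (values constructed here), the shared admin section "add-news" (an assumed name) is granted to two admins explicitly, as suggested above for intersecting branches, and an effective-rights audit lists what each role can 'show' before the object is serialized for a cache. It assumes Zend Framework 1.x on the include_path; the function names buildAcl and effectiveRights are mine.

```php
<?php
// Added example, not from the original article. Assumes Zend Framework 1.x is on the include_path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Resource.php';

// Constructed stand-ins for rows from the roles, resources and rules tables: (name, parent).
$roles = array(
    array('guest', null), array('user', 'guest'), array('admin', 'user'), array('company', 'user'),
    array('admin-1', 'admin'), array('admin-2', 'admin'),
    array('company-package-1', 'company'), array('company-package-2', 'company'),
);
$resources = array(
    array('guest_res', null), array('add-comments-with-captcha', 'guest_res'),
    array('user_res', null), array('add-comments', 'user_res'),
    array('admin_res', null), array('admin-tools-list', 'admin_res'),
    array('company_res', null),
    array('add-news', null), array('add-company', null), array('advertise', null), // not inherited
);
// One row per explicit grant of the 'show' privilege; anything not listed stays denied.
$rules = array(
    array('guest', 'guest_res'), array('user', 'user_res'),
    array('admin', 'admin_res'), array('company', 'company_res'),
    array('admin-1', 'add-news'), array('admin-2', 'add-news'), // shared section: granted to each admin explicitly
    array('admin-1', 'add-company'), array('company-package-1', 'advertise'),
);

function buildAcl(array $roles, array $resources, array $rules) {
    $acl = new Zend_Acl(); // everything is denied until a rule allows it
    foreach ($roles as $r) { $acl->addRole($r[0], $r[1]); } // parents must be added before children
    foreach ($resources as $r) { $acl->addResource(new Zend_Acl_Resource($r[0]), $r[1]); }
    foreach ($rules as $r) { $acl->allow($r[0], $r[1], 'show'); }
    return $acl;
}

// Effective-rights audit: for every role, the resources it may 'show', whether inherited or explicit.
function effectiveRights(Zend_Acl $acl, array $roles, array $resources) {
    $matrix = array();
    foreach ($roles as $role) {
        $matrix[$role[0]] = array();
        foreach ($resources as $res) {
            if ($acl->isAllowed($role[0], $res[0], 'show')) { $matrix[$role[0]][] = $res[0]; }
        }
    }
    return $matrix;
}

$acl = buildAcl($roles, $resources, $rules);
foreach (effectiveRights($acl, $roles, $resources) as $role => $allowed) {
    echo str_pad($role, 20) . implode(', ', $allowed) . "\n";
}
// Store the built object serialized (e.g. in memcached) and reuse it instead of re-reading the tables.
$cached = serialize($acl);
$acl = unserialize($cached);
echo $acl->isAllowed('admin-2', 'add-company', 'show') ? "yes\n" : "no\n"; // admin-2 was never granted add-company
```

Review the printed matrix whenever roles or sections are added: a resource appearing under a role that should not have it is an over-grant that the tree structure alone will not catch.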
Article based on information from habrahabr.ru
