http://phptechsolutions.wordpress.com/2012/07/06/building-a-simple-zend-framework-acl/
Zend_Acl consists of resources, privileges and roles. Resources can be anything ranging from controllers to files. Privileges are different levels of access on the resource. Roles determine who can access a resource, and with what privileges. Roles can be users, user groups or anything you wish to associate. In Zend_Acl, Role can be inherited form one or more roles.
To create resources and roles, you will need to first create Zend_Acl instance as
And then add role and resources to it as follows
1
2
3
|
$acl ->add( new Zend_Acl_Resource(‘view’));
$acl ->add( new Zend_Acl_Resource(‘edit’));
$acl ->add( new Zend_Acl_Resource(‘ delete ’));
|
Once we create roles and resources we can assign different privileges to different roles on different resources as
1
2
3
|
$acl ->allow(‘guest’,null,’view’);
$acl ->allow(‘editor’, array (‘view’,’edit’));
$acl ->allow(‘admin’);
|
Similarly we can use deny() method of Zend_Acl for access denials as
1
|
$acl ->deny(‘guest’,null, array (’edit’,’ delete ’));
|
Later in our code we can check privileges as
1
|
$acl ->isAllowed(‘guest’,null,’view’);
|
isAllowed() method return boolean value either true or false based on the privileges.
To see how can we use Zend_Acl component in our applications lets take a simple example.
Let we have different controllers, e.g news, latestnews, announcements with each having the view, edit and delete actions
Now in Library/My/Controller/Plugin/, create Acl.php and place the following code.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
<?php
class My_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
{
private $_acl ;
public function preDispatch(Zend_Controller_Request_Abstract $request )
{
$acl = $this ->_getAcl();
$role = $this ->_getRole();
$resource = $request ->getControllerName();
$privilege = $request ->getActionName();
$allowed = $acl ->isAllowed( $role , $resource , $privilege );
if (! $allowed ) {
$controller = 'error' ;
$action = 'index' ;
$redirector = new Zend_Controller_Action_Helper_Redirector();
$redirector ->gotoSimpleAndExit( $action , $controller );
}
}
protected function _getAcl()
{
if (null === $this ->_acl) {
$acl = new Zend_Acl();
// Roles
$acl ->addRole( 'guest' );
$acl ->addRole( 'user' , 'guest' );
$acl ->addRole( 'admin' , 'user' );
// Resources
$acl ->add( new Zend_Acl_Resource(‘view’));
$acl ->add( new Zend_Acl_Resource(‘edit’));
$acl ->add( new Zend_Acl_Resource(‘ delete ’));
// Rules
$this ->acl->allow(‘guest’,null,’view’);
$this ->acl->allow(‘editor’, array (‘view’,’edit’));
$this ->acl->allow(‘admin’);
$this ->_acl = $acl ;
}
return $this ->_acl;
}
protected function _getRole()
{
$auth = Zend_Auth::getInstance();
if ( $auth ->hasIdentity()) {
$identity = $auth ->getIdentity();
$role = empty ( $identity ->role) ? 'user' : $identity ->role;
} else {
$role = 'guest' ;
}
return $role ;
}
}
|
Explanation:
In the code above we are creating plugin by extending it form Zend_Controller_Plugin_Abstract and override preDispatch() method.
If this is first attempt to access our application we give user a role “guest”. We can set this type at our authentication and give user a specific type when he login.
Next we get Action name by using $request->getActionName() and assign it to $privilageName.
The next line are very crucial. We check the privileges
1
|
$allowed = $acl ->isAllowed( $role , $resource , $privilege );
|
If the above condition is true. It means that the user hasn’t had the privileges to access the requested Action.
So we redirect user to ErrorController’s Index action.
If the condition is false then he access the particular controller action.
We have now nearly done. However you will need to register the plugin.
1
2
3
|
// application/configs/application.ini
autoloaderNamespaces[] = "My_"
resources.frontController.plugins.Acl = "My_Controller_Plugin_Acl"
|
That it your simple role management application.
Now if you first request
http://yourhost/news/view
it will give you access to the specified view Action of the news or any other controller.
However if you request
http://yourhost/news/edit/
you will be redirected to the Error Controller’s index action. I haven’t mention Error Controller, so you better create your own.