ZF-1175: Support adding parent(s) to existing Role


For performance reasons, I can't load all the acls when a user sign in my website. I load my access rights from my database when I need it and my Zend_Acl instance is filled according to these new informations. (note my Zend_Acl instance is saved in session).

If a new role is loaded, and my current user (which is a role) should be a child of this new role, I can't add a parent to my current user.

In this case, I need a new method in Zend_Acl like

 * @param  Zend_Acl_Role_Interface|string       $role
 * @param  Zend_Acl_Role_Interface|string|array $newParents
 * @return Zend_Acl Provides a fluent interface
public function addParentToRole(Zend_Acl_Role_Interface $role, $newParents = null)

Regards, Philippe


Updated summary and example method signature, changed type to "new feature"

More generally, it should be possible to add parent/child references after roles were set. Otherwise it´s almost impossible to setup an ACL from DB when you have a "roles" table and a "role_subrole" table. The addRole() method would always throw "role already exists" when called more than once on a role or "parent role doesn´t exist" exceptions when the parent role hasn´nt been added yet. So the multiple inheritence can not be designed dynamically with the existing methods.

// Zend_Acl_Role_Registry:
    public function inherit($child, $parent)
        $child = $this->get($child);
        $child_id = $child->getRoleId();

        $parent = $this->get($parent);
        $parent_id = $parent->getRoleId();

        $this->_roles[$child_id]['parents'][$parent_id] = $parent;
        $this->_roles[$parent_id]['children'][$child_id] = $child;

        return $this;

// Zend_Acl:
    public function inheritRole($childRole, $parentRole)
        $this->_getRoleRegistry()->inherit($childRole, $parentRole);

        return $this;

Regards, Marc Jakubowski

Darby, can you evaluate and see if this makes sense for 1.6. Please also assign a release priority to it according to your judgement. If you want to keep it assigned to you, that's OK. If not, that's OK too. :)

Resetting 'fix version priority' and 'fix version' to be re-evaluated for next release.

If this issue should be accepted, the same issue could/should be applied to Resources.

Implementation notes: - Implementation for resources should be the same as for roles, except that resources only support single inheritance and should throw an exception when there is already a parent defined. - For both, an exception should also be thrown when the parent role/resource already inherits from the child role/resource to prevent circular inheritance, that isn't allowed for DAGs.

Regards, Marc Jakubowski

Assigning to Ralph as he is the new Zend_Acl component lead.

Given the recent improvements in assertions: (http://ralphschindler.com/2009/08/…), can you re-think this and let me know if its still something you'd like to see?

If so, can you give me a script that would demonstrate the api you are talking about?

Yes, the use case still exists and has effectively nothing to do with your assertion improvements. The use case is pretty simple: Loading ACL from DB

  • given tables "roles" and "role_subroles"
  • load all roles and add them to acl (without parents)
  • load role subrole definitions and add those parent assignments by calling $acl->inheritRole($child, $parent);

I implemented it when this ticket was created for my own ACL-DB-Factory and it works like a charm, so I'm curious why this was not resolved within the past 2 years.

Marked as trivial as a code snippet was attached. Marked as "nice to have" for this "new feature" for the next mini release.

While this is a worthwhile feature, the ZF team will not develop this feature, but if a community member would like to pick up and develop it, they may make an assignment of it.

Reassigned to component maintainer