Issues

ZF-3521: Allow roles to be entered in array format in isAllowed

Description

Inheritance is not always an optimal solution for ACL's. It would be beneficial if isAllowed could take an array as it's first argument for roles, for example:

$acl->isAllowed(array('role1','role2'), 'resource', array('view','edit'))

Comments

Could you give us a use case when this approach would be useful?

Should this statement return true, when the rule is allowed for both roles only or does only one of them need to match?

A workaround would be to either check both roles separately and then merge results to you need or to create a new dummy role that inherits both roles an then check if it is allowed.

I believe it would return true if one matched, as you only need to be allowed on one level. In our environment people are given several roles, which typically coincide with various titles they may have. Some of these roles may not have permission to enter the area, while others do. I was hoping for a way to hand an array of the users roles to the function, without having to loop through them (as your work around suggested (and now after the fact, what I ended up doing)).

Here's my particular case I have a user, who has the roles of SiteAdmin, Teacher, and Staff. Of those roles, only two are allowed access to the view.

While the social heirachy of these roles might imply the order of SiteAdmin > Teacher > Staff, we have cases where this order is changed, so that Teacher > SiteAdmin > Staff. There's also about a half dozen more roles on top of this.

It boils down to users having roles, that are mutually exclusive of each other, but may have access to an item through one more of those roles. I'm just trying to avoid unnecessary loops in my code where plausible.

Assigning to Ralph to get closure on this issues.

So the proposed API, would that mean that all resources must share the same privelidge or just one? In other words, given many roles, are you expecting it to be ANDed or ORed?

-ralph

Updating project management. Trivial, Nice To Have, Next Minor Release.

While this is a worthwhile feature, the ZF team will not develop this feature, but if a community member would like to pick up and develop it, they may make an assignment of it.

Moved public Zend_Acl::isAllowed method to protected Zend_Acl::_isAllowed and replaced it with a method allowing arrays as first parameters. Also updated related UnitTest. No BC break.

Did this patch make it into the ZF 1.11 release? I don't see the changes from the patch file in Zend\Acl.php

as far as I know this patch was not moved to trunk...