Programmer's Reference Guide

Refining Access Controls

Advanced Usage

Storing ACL Data for Persistence

Zend_Acl was designed in such a way that it does not require any particular backend technology such as a database or cache server for storage of the ACL data. Its complete PHP implementation enables customized administration tools to be built upon Zend_Acl with relative ease and flexibility. Many situations require some form of interactive maintenance of the ACL, and Zend_Acl provides methods for setting up, and querying against, the access controls of an application.

Storage of ACL data is therefore left as a task for the developer, since use cases are expected to vary widely for various situations. Because Zend_Acl is serializable, ACL objects may be serialized with PHP's » serialize() function, and the results may be stored anywhere the developer should desire, such as a file, database, or caching mechanism.

Writing Conditional ACL Rules with Assertions

Sometimes a rule for allowing or denying a role access to a resource should not be absolute but dependent upon various criteria. For example, suppose that certain access should be allowed, but only between the hours of 8:00am and 5:00pm. Another example would be denying access because a request comes from an IP address that has been flagged as a source of abuse. Zend_Acl has built-in support for implementing rules based on whatever conditions the developer needs.

Zend_Acl provides support for conditional rules with Zend_Acl_Assert_Interface. In order to use the rule assertion interface, a developer writes a class that implements the assert() method of the interface:

class CleanIPAssertion implements Zend_Acl_Assert_Interface
{
    public function assert(Zend_Acl $acl,
                           Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null,
                           $privilege = null)
    {
        return $this->_isCleanIP($_SERVER['REMOTE_ADDR']);
    }
 
    protected function _isCleanIP($ip)
    {
        // ...
    }
}

Once an assertion class is available, the developer must supply an instance of the assertion class when assigning conditional rules. A rule that is created with an assertion only applies when the assertion method returns TRUE.

$acl = new Zend_Acl();
$acl->allow(null, null, null, new CleanIPAssertion());

The above code creates a conditional allow rule that allows access to all privileges on everything by everyone, except when the requesting IP is "blacklisted." If a request comes in from an IP that is not considered "clean," then the allow rule does not apply. Since the rule applies to all roles, all resources, and all privileges, an "unclean" IP would result in a denial of access. This is a special case, however, and it should be understood that in all other cases (i.e., where a specific role, resource, or privilege is specified for the rule), a failed assertion results in the rule not applying, and other rules would be used to determine whether access is allowed or denied.

The assert() method of an assertion object is passed the ACL, role, resource, and privilege to which the authorization query (i.e., isAllowed()) applies, in order to provide a context for the assertion class to determine its conditions where needed.

Refining Access Controls

Zend_Acl
Programmer's Reference Guide

Zend_Amf

Comments

Posted by: sunon on: 2011-08-06 18:19:30 ⁋

Yeah, Zend should try to create example to go with the documentation

Posted by: lienlook on: 2011-02-16 09:00:30 ⁋

So there is no example on how to create auth/acl with roles and permissions stored in a mysql database, which is what probably 90% of php applications do; neither here nor in the Learning Zend Framework section; rather disappointing

Posted by: a developer on: 2011-05-05 07:16:58 ⁋

lienlook is correct. absolutely disappointing.

Posted by: Nick on: 2011-05-10 14:25:43 ⁋

There is plenty of material here to allow you to create rules, roles and privileges. Bundling it all up into a cache/database/session is outside the scope of these pages, but trivial if you read those sections too

Posted by: Mike on: 2011-05-11 23:19:43 ⁋

Yep, very disappointing. Then again, all of Zend documentation sucks to the point of borderline worthlessness. Too bad, because it's a great tool.

Posted by: Lance on: 2011-05-25 18:38:56 ⁋

I can't believe how lazy some of you are. Here is a class that uses php.activerecord (and mysql) to get roles, resources, and the privileges...

require_once('Zend/Acl.php');

/* acl related tables

CREATE TABLE `acl_roles` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`name` varchar(45) DEFAULT NULL,
`parent_id` int(10) unsigned DEFAULT NULL,
PRIMARY KEY (`id`)
);

CREATE TABLE `acl_resources` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`name` varchar(45) DEFAULT NULL,
`parent_id` int(10) unsigned DEFAULT NULL,
PRIMARY KEY (`id`)
);

CREATE TABLE `acl_roles_resources` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`acl_role_id` int(10) unsigned NOT NULL,
`acl_resource_id` int(10) unsigned NOT NULL,
`privilege` varchar(45) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `ux_role_res_priv` (`acl_role_id`,`acl_resource_id`,`privilege`)
);

*/

class MyAcl
{
private $acl = null;

function __construct()
{
$this->acl = new Zend_Acl();
$this->_initRoles();
$this->_initResources();
$this->_initPrivileges();
}

function isAllowed($some_role, $some_resource, $some_privilege)
{
return $this->acl->isAllowed($some_user, $some_resource, $some_action);
}

private function _initRoles()
{
$roles = AclRole::all();
foreach($roles as $role)
{
if($role->parent)
{
$parent = $this->acl->getRole($role->parent->name);
if(is_null($parent))
{
// if parent hasn't been created in memory, do so
$parent = new Zend_Acl_Role($role->parent->name);
$this->acl->addRole($parent);
}
$this->acl->addRole(new Zend_Acl_Role($role->name), $parent);
}
else
{
// only needs to be done if it doesn't exist
if(!$this->acl->hasRole($role->name))
{
$this->acl->addRole(new Zend_Acl_Role($role->name));
}
}
}
}

private function _initResources()
{
$resources = AclResource::all();
foreach($resources as $resource)
{
if($resource->parent)
{
$parent = $this->acl->get($resource->parent->name);
if(is_null($parent))
{
$parent = new Zend_Acl_Resource($resource->parent->name);
$this->acl->addResource($parent);
}
$this->acl->addResource(new Zend_Acl_Resource($resource->name), $parent);
}
else
{
if(!$this->acl->has($resource->name))
{
$this->acl->addResource(new Zend_Acl_Resource($resource->name));
}
}
}
}

private function _initPrivileges()
{
$privileges = AclRolesResource::all();
foreach($privileges as $privilege)
{
// make sure role and resource are valid
if($privilege->acl_role && $privilege->acl_resource)
{
$this->acl->allow($privilege->acl_role->name, $privilege->acl_resource->name, $privilege->privilege);
}
else
{
echo 'WARNING: unable to create privilege

Posted by: Lance on: 2011-05-25 18:42:49 ⁋

//oops I guess there is a limit to a comment
// close the echo and add 4 parens

}
}
}
}
}

// you should be able to paste into any good editor and have it format.

Posted by: Jeff on: 2011-06-21 23:06:51 ⁋

It's lazy to expect examples / code samples to be provided for any particular task that the Zend Framework can be used for, as if that was some kind of natural entitlement, however it's also lazy to simply explain ZF functionality in a very abstract, no-realistic-examples kind of fashion.

Granted, if you're searching for "Zend_Acl" you probably know what an ACL is, and have some clue as to how to implement one with a DB back-end, but the complete and total lack of examples in the documentation is really, really disappointing.

Posted by: Rob on: 2011-07-07 06:13:29 ⁋

If the correct answer to asking for a working example for a common use case is "I can't believe how lazy some of you are" and 100+ lines of code, then perhaps this isn't the framework for me.

Posted by: Leo on: 2011-07-11 11:37:20 ⁋

This documentation really needs more working examples. The outlines alone aren't enough to get it working. One reason I love php.net is because every function they have has documented examples which clearly put you on the right path.

Posted by: Benji on: 2011-07-11 13:59:01 ⁋

I agree most of people here, Symfony2 has concrete sample, why ZF don't ?
I feel like if i were in Java World.
Excuse me but Java is not what i need for webApps. In need a framework to develop quickly, not one where i have to do a lot of POC to be sure it run as i want.

Posted by: Chris on: 2011-10-12 12:48:02 ⁋

Hmm... even though I agree with the fact there is a lack of examples, the doc itself are pretty clear and simple to understand. The ZF doc is here to explain how it works and its scope. Starting from this, it should be good enough to write some tests on your own application to see how it handles. Nothing more. It shouldn't take that much amount of time. As a developer, you're supposed to find your way first on your own, then thanks to the logs and docs, and at last, with the help of people (forums, workmates, technical lead...).

Posted by: The Space Cowboy on: 2011-12-04 02:58:31 ⁋

Fact is, I have implemented access control using PHP + MySQL + Zend Framework.

The "how's" of it took some time to learn, however it's taken some time, and some trial and error to learn how to do it.

There is enough documentation on Zend Framework here, and out there on the web, to learn how to do it. I hate to say to "ask google" but what you're asking for isn't a single function call. Rather, it's "programming" and it's something you have to put some effort into.

- a 15 year programming veteran

Posted by: Iain on: 2011-12-07 21:17:06 ⁋

Here's another thing to throw into the mix - how do you persist assertions?

Agree with the comments re: poor docs.

As an analogy, if you buy a camera, the manual won't teach you how to be a great photographer. However, the manual will give photographers all of the information they need to be up and running quickly with that camera.

Hopefully, when I understand enough about how the framework is put together, I'll be able to give some of my time to help out in some way.