Skip to end of metadata
Go to start of metadata


<p>There are two valid methods I've identified for using ACL within an application.</p>

<h2>1) ACL as a service</h2>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[

$acl = new Zend_Acl();
->add(..) // resource
->add(..) // resource
->allow(..); // rules


<p>This method lends itself to easy-of-programming, and a simpler approach to Acl. Generally speaking, the type of querying on this type of Acl can be done from anywhere, but it does limit itself to use of simple objects (strings or objects implementing the Role/Resource_interfaces). To be used with application models, the Role_Interface would generally be appended to the User model, and likewise for any "Resources" or resource-type models that might exist in a system. This method also falls short if you plan on using Assertions to do any fine grained (identifier level) acl querying with the applications models.</p>

<h2>2) ACL as an application model</h2>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[

class MyModule_Acl extends Zend_Acl
public function __construct()

Unknown macro: { $this->addRole(..) ->addRole(..) ->add(..) // resource ->add(..) // resource ->allow(..); // rules }

public function isAllowed($role = null, $resource = null, $privilege = null) {
$aclRole = $role;
$aclResource = $resource;

if ($role instanceof MyModule_User)

Unknown macro: { $aclRole = new MyModule_Acl_Role_User($role); }

if ($resource instanceof MyModule_BlogPost)

Unknown macro: { $aclResource = new MyModule_Acl_Resource_BlogPost($resource); }

return parent::isAllowed($aclRole, $aclResource, $privilege);

$acl = new Module_Acl();


<p>This method is more full fledged. In a sense, the ACL has become a model within the application itself. Consider this a more "model purist" method for ACL deployment. What this means is that since ALC has become a model, and since you have implemented your own isAllowed, you can then use composition to introduce your business level models to your ACL (application level model).</p>

<p>To understand using composition, imagine this Acl Model</p>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[
class MyModule_Acl_Role_User implements Zend_Acl_Role_Interface
protected $_user;
public function __construct(MyModule_User $user)

Unknown macro: { $this->_user = $user; }

public function getRoleId()

Unknown macro: { return 'user'; // or whatever string satisfies }

public function getUserObject()

Unknown macro: { return $this->_user; }

public function __get($name) {
return $this->_user->{$name};


<li><a href="">ZF-1722 Zend_Acl assertions broken when inheritance is required (ie DepthFirstSearch)</a></li>

Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
  1. Jul 02, 2008

    <p>For ZF2.0 , please, rename the add() method as addRessource(). So more logical, isn't it ?</p>