Version 9 by Gavin
on Sep 05, 2006 21:01.

compared with
Current by Darby Felton
on Sep 06, 2006 11:33.

Key
This line was removed.
This word was removed. This word was added.
This line was added.

Changes (56)

View Page History
<ac:macro ac:name="unmigrated-inline-wiki-markup"><ac:plain-text-body><![CDATA[{zone-template-instance:ZFDEV:Zend Proposal Zone Template}

{zone-data:component-name}
{zone-data}

{zone-data:revision}
0.2 - Finalised proposal
{zone-data}

{zone-data:overview}
Zend_Acl provides a lightweight and flexible container to manage permissions for multiple groups (AROs) and areas (ACOs).
Zend_Acl provides lightweight and flexible access control list (ACL) functionality. In general, an application may utilize such functionality to control access to certain protected objects by other requesting objects.

In this proposal:

* an *Access Control Object (ACO)* is an object to which access is controlled.
* an *Access Request Object (ARO)* is an object that may request access to an ACO.

For example, if a person requests access to a car, then the person would be the requesting ARO, and the car would be the ACO, since its access is under control.

!Zend_Acl.terminology.gif!

Through the specification and use of an access control list (ACL), an application may control how requesting objects (AROs) are granted access to protected objects (ACOs).
{zone-data}

* No database backend required - complete PHP implementation
* Permits explicit allow-all, allow-specific, neutral, deny-specific, deny-all for all groups
* Authorization queries must be computed with efficiency and speed
* Performance penalties, where reasonably unavoidable, should be isolated to ACL data structure modifications
* Instances must be serializable (e.g., for caching ACL data structures)
{zone-data}

The goal of Zend_Acl was to create a simple, flexible means of creating ACLs, free from the dependencies of Databases, template engines or complex administration tools. The starting point was phpGACL, as its 'allow,deny' and inheritance scheme is straightforward and allows huge flexibility for implementation.

Zend_Acl builds on the tree-based model of phpGACL, providing means to add multiple areas (Access Control Object or ACO) that represent 'areas' or 'domains' within the ACL. Each of these ACOs can be assigned 'actions' that will determine the level of access each 'group' (Access Request Object or ARO) has. These actions are assigned to ACOs simply by calling allow() or deny().
Zend_Acl builds on the tree-based model of phpGACL, providing a means to add multiple ACOs that may represent 'areas' or 'domains' of control within the ACL. Objects under access control may be organized from general (at the tree root) to specific (toward tree leaves). This approach allows for creating very fine-grained access controls, where desirable, with minimal effort.

Each ACO may also be assigned its own set of 'actions' or 'permissions' (e.g., add, edit, delete) that can be used to determine the level of access each requesting ARO would have. Actions may be assigned to ACOs simply by calling {{allow()}} or {{deny()}} on the ACO in question.

AROs may be organized in different ways, according to the particular needs of an application. To accommodate these various organizations, the ARO registry of Zend_Acl is represented by a [directed acyclic graph (DAG)|http://en.wikipedia.org/wiki/Directed_acyclic_graph] data structure. This approach supports having multiple roles or groups, and AROs may also inherit permissions from multiple AROs.

To illustrate by example, an application may need access roles for administrators, members, and the general public. Each of these roles would have a corresponding ARO in the access control list. The general public would have the least access privileges, members would have additional permissions (e.g., to edit their profiles), and administrators would have exclusive permissions to perform administrative operations (e.g., blocking abuse). Suppose we also have an ARO for each login user identity. Each of these "user" AROs may inherit permissions that have been assigned to one or more of the "role" AROs previously mentioned (e.g., administrators). In this way we can add users to, and remove users from, such roles without having to otherwise modify the access controls.
{zone-data}

const MODE_ADD = 2;
const MODE_REMOVE = 3;
const MODE_UNSET = 4;

/**
*
* Retrieve permissions for an ACO based on the ARO, current context
* and an optional path. The optional path parameter allows for a top-down
* search from a root - if not supplied, then this instance is used as a
* target. A 'null' context will return true if no explicit permissions
*/
public function valid($aro = Zend_Acl::ARO_DEFAULT, $context = null, $path = null)

protected function _valid($root, $aro, $context, $path = null)

/**

/**
* Returns the ACL's child nodes
*
* @return Zend_Acl|null
*/
public function getChildren()

/**
* Returns the ACL's path
*

/**
* Returns an array of AROs that can access the ACL
*
* This function will determine which AROs - from either a list of AROs or
* the entire ARO registry - have access to the current ARO.
*
* AROs can be supplied either an an ARO object, an array of ARO objects,
* a string id or an array of string ids. If the ARO parameter is left empty
* then the ARO registry is used to return all members.
*
* To allow fine-grain control, a specific context can also be used to
* validate the AROs
*
* An array of ARO objects is returned upon success or empty
*
* @param mixed $aro
* @param string $context
* @return array
*/
public function getValidAro($context = null, $aro = null)

/**
* Sets allow permissions to the ACL
*
* @return Zend_Acl Provides a fluent interface
*/
public function removeAllow($aro = Zend_Acl::ARO_DEFAULT, $value = null, $path = Zend_Acl::PATH_DEFAULT)
$value = Zend_Acl::ACO_CATCHALL,
$path = Zend_Acl::PATH_DEFAULT)

/**
* @return Zend_Acl Provides a fluent interface
*/
public function removeDeny($aro = Zend_Acl::ARO_DEFAULT, $value = null, $path = Zend_Acl::PATH_DEFAULT)
$value = Zend_Acl::ACO_CATCHALL,
$path = Zend_Acl::PATH_DEFAULT)

/**
* Returns allow permissions for the current ACL
*
* @return Zend_Acl_Permission Provides a fluent interface
*/
public function getAllow()

/**
* Returns deny permissions for the current ACL
*
* @param mixed $path
* @return Zend_Acl_Permission Provides a fluent interface
*/
public function getDeny()

/**
* Removes an ACL node
*
* If a path is provided and exists, it will be destroyed. If no path is
* provided then the current ACL will instead be removed from its parent
* (if the current ACL is not root)
*
* @param string $path
* @return boolean
* @throws Zend_Acl_Exception
*/
public function remove($path = null)

/**
* Removes an ARO from current node and all children
*
* @param mixed $aro
* @param mixed $context
* @param mixed $path
* @return boolean
*/
public function removeAro($aro, $context = Zend_Acl::ACO_CATCHALL, $path = null)

/**
* Removes an ARO from current node and all children
*
* @param Zend_Acl $root
* @param mixed $aro
* @param mixed $context
* @return boolean
*/
protected function _valid($root, $aro, $context)

/**
* Adds permissions to one or more permission containers
*
* @return Zend_Acl Provides a fluent interface
*/
protected function _setPermission($acl, $value, $aro, $path, $mode = Zend_Acl::MODE_SET)
$mode = Zend_Acl::MODE_SET)

/**
* If the target path does not exist, a new empty ACL is created.
*
* @param string $path
* @return Zend_Acl_Permission
*/
* Creates new 'virtual' ACLs to target (nonexistent) path
*
* @param mixed $path
* @return Zend_Acl
*/

/**
* Expand a path to retrieve target node
*
* @param Zend_Acl $root
* @param mixed $path
* @return Zend_Acl
*/
protected function _findPath(Zend_Acl $root, $path)

/**
* Determines if the current ACL is root
*
* @return boolean
*/
public function canAccess(Zend_Acl $aclo, $context = null, $path = null)

/**
* Returns an ACO tree that the current ARO has access to
*
* This function will determine which AROs - from either a list of AROs or
* the entire ARO registry - have access to the current ARO.
*
* AROs can be supplied either an an ARO object, an array of ARO objects,
* a string id or an array of string ids. If the ARO parameter is left empty
* then the ARO registry is used to return all members.
*
* To allow fine-grain control, a specific context can also be used to
* validate the AROs
*
* An array of ARO objects is returned upon success or empty
*
* @param mixed $aro
* @param string $context
* @return array
*/
public function getValidAco(Zend_Acl $aco, $context = null)

protected function _getValidAco(Zend_Acl $aco, $context)

/**
* Add parent to current ARO
*
* Returns a score for the selected permission
*
* A score of 2 represents an explicit match, a score of 1 represents an
* implied match and a 0 represents a non-match or unspecified permission.
* The score is factored according to an exact match for an ARO (3), a
* match for an inherited ARO (2) or a match for an any/all ARO (1).
*
* @param string $type
* @return integer
*/
public function score($type, Zend_Acl_Aro $aro, $context = null)

/**
* Returns the contents of the selected permission
*
* @param string $type
* @return array
*/
public function getPermissions($type)

/**
* Sets contexts for a permission
*
*
* If $values contains the magic value Zend_Acl::ACO_CATCHALL then all
* nominated aros will provide an explicit match for the permission type.
* Otherwise, as each context is set, the opposite is checked for to ensure
* no deadlocks for permissions
*

/**
* Retrieves permission for selected type Parses context value
*
* Ensures that the magic Zend_Acl::ACO_CATCHALL value is returned as a
* @return single array (as it overrides all other explicit contexts) if exists.
*/
protected function _getPermission($type, $aro)
* Otherwise cast the value(s) as an array for storage.
/**
* Retrieves ARO from registry
*
* The default aro is used if exists in the registry, otherwise the
* 'default' (or anonymous) aro is returned.
*
* @return string
*/
protected function _getAro($aro, $acl) _getContext($value)

/**
* Parses context value
* Returns a score factor for the selected Aro
*
* Ensures that the magic Zend_Acl::ACO_CATCHALL value is returned as a
* single array (as it overrides all other explicit contexts) if exists.
* Otherwise cast the value(s) as an array for storage.
* Ensures that a specific permission context is assigned a higher score
* than an inherited permission
*
* @return string integer
*/
protected function _getContext($value) _getFactor(Zend_Acl_Aro $aro, $id)

/**
*/
protected $_aro;

/**
* Parent Aco
* @var Zend_Acl
*/
protected $_aco;

/**
* Registry instance
* @var array
*/
static protected $_instance;

/**
* Instance of Zend_Acl_Aro_Registry
* @param Zend_Acl_Aro $group
*/

/**
* Add unique ARO to registry
*
* @param Zend_Acl_Aro $aro

/**
* FInd group in Remove ARO from registry
*
* @param Zend_Acl_Aro $aro
* @return boolean
*/
public function remove($aro, $aco)

/**
* FInd group in registry
*
* If the named group does not exist, the default ARO is returned
*
*/
public function find($aro)

/**
* Return registry as an array of ARO objects
*
* @return array
*/
public function toArray()
}

class Zend_Acl_Exception extends Zend_Exception
?> {}
{code}
{zone-data}

{zone-template-instance}
{zone-template-instance}]]></ac:plain-text-body></ac:macro>