Skip to end of metadata
Go to start of metadata
You are viewing an old version of this page. View the current version. Compare with Current  |   View Page History

<ac:macro ac:name="unmigrated-inline-wiki-markup"><ac:plain-text-body><![CDATA[

Zend Framework: Zend_RBAC Component Proposal

Proposed Component Name Zend_RBAC
Developer Notes
Proposers Dolf Schimmel (Freeaqingme)
Zend Liaison TBD
Revision 0.5 - 17 December 1909: Initial Draft. (wiki revision: 7)

Table of Contents

1. Overview

Zend_RBAC is a compunent used to determine if a user has access to a resource.

2. References

3. Component Requirements, Constraints, and Acceptance Criteria

  • A user CAN be member of one or more roles
  • A role CAN be the parent of one or more other roles
  • An object CAN be assigned to one or more roles
  • If a user is member of a role (or any of the role's childs) to which the
    requested object was assigned, the user MUST be allowed access. Otherwise, MUST NOT.

4. Dependencies on Other Framework Components


  • Zend_Exception


  • Zend_Db

5. Theory of Operation

Zend_RBAC is a component that can be used to determine whether a subject (user) that has one or more roles, has access to a certain resource, after you have defined the available resources, roles and users. One does only allow (not disallow) roles access to resources, assign users to roles, and determine if any roles inherit from other roles.

Following example based on [1]:

Interns can do everything a healer can do
Doctors can do everything an intern can

Healers have access to object 1 & 2 only
Interns have access to object 1, 2, 3 & 4 only
Doctors have access to object 1, 2, 3, 4, 5 & 6 only

This component is different than Zend_Acl because:

  • Zend_Rbac does not feature the disallowing of access, only allowing access, meaning that there's no problems by design (as is with Zend_Acl: ZF-5369)
  • It makes a distinction between roles and users (subjects) whereas Zend_Acl only has resources and roles
  • It's faster and uses less lines of code (that's what I'm aiming at)
  • It's adapter based by default
  • It does not use privileges *

* If you want to replicate this behaviour, you're advised to use several resources to achieve this. Meaning that where with zend_acl you have one resource named 'resource' with the privileges 'add', 'edit' and 'delete', you're expected to add the resources 'resource_add', 'resource_edit', and 'resource_delete'.

6. Milestones / Tasks

  • Milestone 1: Design notes will be published here
  • Milestone 2: Write unittests
  • Milestone 3: Write working prototype, commit in userbranch
  • Milestone 4: Drop class interface here (or emphasize link to userbranch, hey, developers are lazy by definition)
  • Milestone 5: Get proposal reviewed, updated, accepted
  • Milestone 5: Write documentation (or find s/o to do so, volunteers? )
  • Milestone 6: Get code reviewed by Matthew/liaison and move to trunk
  • Milestone 7: Release immediately, and dont forget to promote Zym meanwhile

If a milestone is already done, begin the description with "[DONE]", like this:

  • Milestone #: [DONE] Unit tests ...

7. Class Index

  • Zend_Rbac
  • Zend_Rbac_Subject
  • Zend_Rbac_Role
  • Zend_Rbac_Resource
  • Zend_Rbac_Adapter_DbTable
  • Zend_Rbac_Assert_?
  • More_To_Come?

8. Use Cases


The following code implements the given scenario under 'operation'

9. Class Skeletons


Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.