View Source

<h1>USAGE</h1>

<p>There are two valid methods I've identified for using ACL within an application.</p>

<h2>1) ACL as a service</h2>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[

$acl = new Zend_Acl();
$acl->addRole(..)
->addRole(..)
->add(..) // resource
->add(..) // resource
->allow(..); // rules

]]></ac:plain-text-body></ac:macro>

<p>This method lends itself to easy-of-programming, and a simpler approach to Acl. Generally speaking, the type of querying on this type of Acl can be done from anywhere, but it does limit itself to use of simple objects (strings or objects implementing the Role/Resource_interfaces). To be used with application models, the Role_Interface would generally be appended to the User model, and likewise for any &quot;Resources&quot; or resource-type models that might exist in a system. This method also falls short if you plan on using Assertions to do any fine grained (identifier level) acl querying with the applications models.</p>

<h2>2) ACL as an application model</h2>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[

class MyModule_Acl extends Zend_Acl
{
public function __construct() {
$this->addRole(..)
->addRole(..)
->add(..) // resource
->add(..) // resource
->allow(..); // rules
}

public function isAllowed($role = null, $resource = null, $privilege = null) {
$aclRole = $role;
$aclResource = $resource;

if ($role instanceof MyModule_User) {
$aclRole = new MyModule_Acl_Role_User($role);
}

if ($resource instanceof MyModule_BlogPost) {
$aclResource = new MyModule_Acl_Resource_BlogPost($resource);
}

return parent::isAllowed($aclRole, $aclResource, $privilege);
}
}

$acl = new Module_Acl();

]]></ac:plain-text-body></ac:macro>

<p>This method is more full fledged. In a sense, the ACL has become a model within the application itself. Consider this a more &quot;model purist&quot; method for ACL deployment. What this means is that since ALC has become a model, and since you have implemented your own isAllowed, you can then use composition to introduce your business level models to your ACL (application level model).</p>

<p>To understand using composition, imagine this Acl Model</p>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[
class MyModule_Acl_Role_User implements Zend_Acl_Role_Interface
{
protected $_user;
public function __construct(MyModule_User $user) {
$this->_user = $user;
}
public function getRoleId() {
return 'user'; // or whatever string satisfies
}
public function getUserObject() {
return $this->_user;
}
public function __get($name) {
return $this->_user->{$name};
}
}
]]></ac:plain-text-body></ac:macro>

<h1>REFERENCES</h1>

<ul>
<li><a href="http://framework.zend.com/issues/browse/ZF-1722">ZF-1722 Zend_Acl assertions broken when inheritance is required (ie DepthFirstSearch)</a></li>
</ul>