Issue Type: Community Driven Feature Created: 2008-06-26T10:47:25.000+0000 Last Updated: 2010-11-05T01:23:18.000+0000 Status: Closed Fix version(s): - 1.11.0 (02/Nov/10)
Reporter: Louis Grenzebach (pknull) Assignee: Gauthier Delamarre (gdelamarre) Tags: - Zend_Acl
Related issues: Attachments: - allowMultipleRolesInIsAllowedChallenge.patch
Inheritance is not always an optimal solution for ACL's. It would be beneficial if isAllowed could take an array as it's first argument for roles, for example:
$acl->isAllowed(array('role1','role2'), 'resource', array('view','edit'))
Posted by Marc Jakubowski (octavian) on 2008-07-01T08:25:46.000+0000
Could you give us a use case when this approach would be useful?
Should this statement return true, when the rule is allowed for both roles only or does only one of them need to match?
A workaround would be to either check both roles separately and then merge results to you need or to create a new dummy role that inherits both roles an then check if it is allowed.
Posted by Louis Grenzebach (pknull) on 2008-07-01T22:56:06.000+0000
I believe it would return true if one matched, as you only need to be allowed on one level. In our environment people are given several roles, which typically coincide with various titles they may have. Some of these roles may not have permission to enter the area, while others do. I was hoping for a way to hand an array of the users roles to the function, without having to loop through them (as your work around suggested (and now after the fact, what I ended up doing)).
Here's my particular case I have a user, who has the roles of SiteAdmin, Teacher, and Staff. Of those roles, only two are allowed access to the view.
While the social heirachy of these roles might imply the order of SiteAdmin > Teacher > Staff, we have cases where this order is changed, so that Teacher > SiteAdmin > Staff. There's also about a half dozen more roles on top of this.
It boils down to users having roles, that are mutually exclusive of each other, but may have access to an item through one more of those roles. I'm just trying to avoid unnecessary loops in my code where plausible.
Posted by Wil Sinclair (wil) on 2009-01-14T13:31:40.000+0000
Assigning to Ralph to get closure on this issues.
Posted by Ralph Schindler (ralph) on 2009-09-08T14:03:19.000+0000
So the proposed API, would that mean that all resources must share the same privelidge or just one? In other words, given many roles, are you expecting it to be ANDed or ORed?
Posted by Ralph Schindler (ralph) on 2009-09-10T08:30:41.000+0000
Updating project management. Trivial, Nice To Have, Next Minor Release.
While this is a worthwhile feature, the ZF team will not develop this feature, but if a community member would like to pick up and develop it, they may make an assignment of it.
Posted by Gauthier Delamarre (gdelamarre) on 2009-10-12T13:53:08.000+0000
Moved public Zend_Acl::isAllowed method to protected Zend_Acl::_isAllowed and replaced it with a method allowing arrays as first parameters. Also updated related UnitTest. No BC break.
Posted by David Broderick (davidbroderick) on 2010-11-04T10:21:13.000+0000
Did this patch make it into the ZF 1.11 release? I don't see the changes from the patch file in Zend\Acl.php
Posted by Gauthier Delamarre (gdelamarre) on 2010-11-05T01:23:18.000+0000
as far as I know this patch was not moved to trunk...
Have you found an issue?
See the Overview section for more details.