
Thanks to all in advance for posting answers. I am learning the Zend Framework, and I am currently working with Zend ACL to allow or deny multiple user roles access to controllers/actions. For this I created a helper in app/controllers/helpers/acl.php and some code in app/bootstrap.php. I use this helper in bootstrap.php so that the check runs when the application is loaded/initialized. It works, but I want to go one step further and add a custom assertion so that a user is only allowed to act on the records that belong to him — for example, I can only edit or delete a post that I created myself.

If you can help me, please do. My code is posted below.

file App/Controllers/Helpers/Acl.php

<?php
require_once 'Zend/Controller/Action/Helper/Abstract.php';

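class Zend_Controller_Action_Helper_Acl extends Zend_Controller_Action_Helper_Abstract {

    /**
     * Role used when the session carries no 'currentrole'.
     *
     * It is registered in the ACL without any allow rule, so a check against it
     * fails closed (deny) instead of Zend_Acl throwing a "role not found"
     * exception for an unregistered role.
     */
    const GUEST_ROLE = 'guest';

    /** @var Zend_Acl|null Lazily built ACL, see getAcl(). */
    protected $acl;

    /** @var string|null Role of the current session, see getRole(). */
    protected $role;

    /** @var Zend_Session_Namespace Session namespace the current role is read from. */
    protected $sess;

    /** @var mixed Logger fetched from the registry key 'logger'. */
    protected $logger;

    /**
     * Opens the "session" namespace and fetches the registry logger.
     *
     * Zend_Registry::get() throws when 'logger' was never registered, so the
     * logger has to be set before this helper is constructed.
     */
    function __construct() {
        $this->sess = new Zend_Session_Namespace("session");
        $this->logger = Zend_Registry::get('logger');
    }

    /**
     * Builds the ACL once and returns it on every call.
     *
     * Roles are flat (no inheritance) and every controller name is a resource.
     * 'projects' and 'applications' restrict per action; every other controller
     * is fully open to administrator, editor and readonly. 'owner' is allowed
     * everything. GUEST_ROLE is registered but receives no rule, so Zend_Acl's
     * default deny applies to it everywhere.
     *
     * @return Zend_Acl
     */
    protected function getAcl(){

        if (is_null($this->acl)){

            $acl = new Zend_Acl();

            // GUEST_ROLE is part of the registry so an anonymous session can be
            // evaluated (and denied) rather than raising an exception.
            $roles  = array('owner', 'administrator', 'editor', 'readonly', self::GUEST_ROLE);

            $controllers = array('index', 'projects', 'applications', 'checks', 'settings', 'ajax', 'error', 'languageswitch');

            //Add Roles
            foreach ($roles as $role) {
                $acl->addRole(new Zend_Acl_Role($role));
            }

            //Add Resources and the rules of each controller
            foreach ($controllers as $controller) {
                $acl->add(new Zend_Acl_Resource($controller));

                //Administrator, Editor, Readonly (strict comparison: the names are plain strings)
                if ($controller === 'projects') {
                    $acl->allow('administrator', $controller, array('main', 'add', 'detail', 'edit'));
                    $acl->allow('editor', $controller, array('main', 'add', 'detail', 'edit'));
                    $acl->allow('readonly', $controller, array('main', 'add', 'detail'));
                } elseif ($controller === 'applications') {
                    $acl->allow('administrator', $controller, array('main', 'add', 'detail', 'edit', 'auditview', 'delete'));
                    $acl->allow('editor', $controller, array('main', 'add', 'detail', 'edit', 'audit'));
                    $acl->allow('readonly', $controller, array('main', 'detail', 'audit'));
                } else {
                    // No privilege list: every action of the controller.
                    $acl->allow('administrator', $controller);
                    $acl->allow('editor', $controller);
                    $acl->allow('readonly', $controller);
                }
            }

            //Owner
            $acl->allow('owner'); // Owner Has access to everything.

            $this->acl = $acl;

        }

        return $this->acl;

    }

    /**
     * Returns the role stored in the session, or GUEST_ROLE when none is set.
     *
     * The value is read once and cached for the lifetime of the helper.
     *
     * @return string
     */
    protected function getRole(){

        if (is_null($this->role)){

            // Reuse the "session" namespace opened in the constructor instead of
            // creating a second instance of the same namespace.
            $this->role = isset($this->sess->currentrole) ? $this->sess->currentrole : self::GUEST_ROLE;

        }

        return $this->role;

    }

    /**
     * Tells whether the current session role may use $privilege on $resource.
     *
     * Fails closed: a role or resource the ACL does not know is denied instead
     * of letting Zend_Acl throw a "not found" exception. A null resource is
     * still passed through, as Zend_Acl evaluates it against the global rules.
     *
     * @param string|Zend_Acl_Resource_Interface|null $resource  Controller name
     * @param string|null                             $privilege Action name
     * @return bool
     */
    public function direct($resource, $privilege = null){

        $acl = $this->getAcl();
        $role = $this->getRole();

        if (!$acl->hasRole($role)) {
            return false;
        }
        if ($resource !== null && !$acl->has($resource)) {
            return false;
        }

        return $acl->isAllowed($role, $resource, $privilege);
    }

}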

file App/Bootstrap.php

    //Set Role Permission
    // Build the ACL helper once and expose it through the registry so the rest
    // of the application can reuse the same instance.
    $acl = new Zend_Controller_Action_Helper_Acl();
    Zend_Registry::set('acl', $acl);

    $permission = Zend_Registry::get('acl');
    // NOTE(review): this is a fresh request object, not the one the front
    // controller dispatches. Nothing has routed it yet at bootstrap time, so
    // getControllerName()/getActionName() are presumably still null here, and
    // the setControllerName()/setActionName() calls below only alter this
    // throwaway instance — the real dispatch is not redirected to the error
    // controller. As written, the check does not appear to enforce anything;
    // the routed request is only available from a front-controller plugin
    // (e.g. preDispatch) — confirm against Zend_Controller_Front.
    $request = new Zend_Controller_Request_Http();
    $resource = $request->getControllerName();
    $privilege = $request->getActionName();
    if (!$permission->direct($resource, $privilege)) {
        $request->setControllerName('error');
        $request->setActionName('error');
    }



My advice is to use a different approach.

First, you should create a class where you define your full ACL definitions, for example "My_Acl", which extends Zend_Acl. Register all your roles, resources and privileges in My_Acl. Make "My_Acl" a singleton so that you can get your configured ACL (a Zend_Acl) with My_Acl::getInstance(). If you like, you can also register this instance in your Zend_Registry.

Since you want to check whether the user has the privilege to access any action of any controller, my advice is to create a plugin and register it at preDispatch, so that all access checks happen in a single point.

You can also create an action helper (e.g. My_Controller_Action_Helper_Acl) with an isAllowed method that proxies $acl->isAllowed, so you can check whether a specific part of your action is accessible to the currently logged-in user.