Monday, November 30, 2009

Authorization with assertions


In this example, we implement an authorization with rules and assertions.

Components used in this example
Implementation of the assertion
  • The site status is stored in a global variable for the purpose of this example.
  • While the site is under maintenance, every role except the administrator is only allowed to view content; outside maintenance the assertion imposes no restriction.

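class MyAssert implements Zend_Acl_Assert_Interface
{
    /**
     * Maintenance-mode assertion: while the site is under maintenance, every
     * role except 'administrator' may only 'view'; otherwise nothing is restricted.
     *
     * The signature is dictated by Zend_Acl_Assert_Interface and is left as is.
     *
     * @param Zend_Acl                    $acl       ACL evaluating the rule (unused here).
     * @param Zend_Acl_Role_Interface     $role      Role being queried; may be null
     *                                               when the rule applies to all roles.
     * @param Zend_Acl_Resource_Interface $resource  Resource being queried (unused here).
     * @param string                      $privilege Privilege being queried; null means
     *                                               "all privileges".
     * @return bool true when the rule this assertion is attached to should apply.
     */
    public function assert(
        Zend_Acl $acl,
        Zend_Acl_Role_Interface $role = null,
        Zend_Acl_Resource_Interface $resource = null,
        $privilege = null)
    {
        // The site status is stored in a global variable for the purpose of this example.
        // NOTE(review): a writable global can be flipped by any code in the process;
        // a real application should read this flag from configuration or a service
        // injected into the assertion.
        global $maintenance;

        // Not under maintenance: the assertion never restricts anything.
        // empty() also covers the flag never having been set.
        if (empty($maintenance)) {
            return true;
        }

        // The interface allows a null role; the original called getRoleId() on it
        // unconditionally and would have crashed. A null role is simply "not the
        // administrator".
        $roleId = ($role === null) ? null : $role->getRoleId();
        if ($roleId === 'administrator') {
            return true;
        }

        // People excluding the administrator are allowed to only view content
        // when the site is under maintenance. A null privilege asks for *all*
        // privileges, which is more than 'view' and is therefore refused too.
        return $privilege === 'view';
    }

}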

Authorization for specific resources


In this example, we implement an authorization with rules affecting some resources.

Components used in this example
Implementation of the authorization

class MyAcl
{
The authorization process
  • We get the role and the requested permission on a resource from the GET request (for demonstration only: a real application must take the role from the authenticated session, never from the request).
  • We instantiate the authorization object.
  • We create the roles, the resources and the rules.
  • We check whether the role is allowed to access the resource and return a message accordingly.

    public function process()
    {
        
// We get the role and the requested permission on a resource from the GET request.
        
list($role$permission$resource) = $this->_getParameters();
        
// We instantiate the authorization object.
        
$acl = new Zend_Acl();
        
// We create the roles, the resources and the rules.
        
$this->_createRoles($acl);
        
$this->_createResources($acl);
        
$this->_createRules($acl);

        if (
$role and $permission) {
            
// We verify if the role is allowed to access the resource.
            // And we return a message accordingly.
            
$status $acl->isAllowed($role$resource$permission) ? 'allowed' 'denied';
            
$resource or $resource 'content';
            
$message "The $role is $status to $permission $resource!";
        } else {
            
$message '';
        }

        return array(
$role$permission$resource$message);
    }
Extraction of the parameters from the GET request

    private function _getParameters()
    {
        
$role = isset($_GET['role'])? $_GET['role'] : '';
        
$permission = isset($_GET['permission'])? $_GET['permission'] : '';
        
$resource = empty($_GET['resource'])? null $_GET['resource'];

        return array(
$role$permission$resource);
    }
Creation of the roles
  • The guest does not inherit access controls.
  • The staff inherits from the guest.
  • The editor and marketing roles inherit from the staff.
  • The administrator does not inherit access controls.

    private function _createRoles($acl)
    {
        
// The guest does not inherit access controls.
        
$acl->addRole(new Zend_Acl_Role('guest'));
        
// The staff inherits from the guest.
        
$acl->addRole(new Zend_Acl_Role('staff'), 'guest');
        
// The editor and marketing inherits from the staff.
        
$acl->addRole(new Zend_Acl_Role('editor'), 'staff');
        
$acl->addRole(new Zend_Acl_Role('marketing'), 'staff');
        
// The administrator does not inherit access controls.
        
$acl->addRole(new Zend_Acl_Role('administrator'));
    }
Creation of the resources
  • We add the newsletters.
  • We add the news, the latest news, and the announcements.

    private function _createResources($acl)
    {
        
// We add the newsletters.
        
$acl->add(new Zend_Acl_Resource('newsletters'));
        
// We add the news, the latest news, and the announcements.
        
$acl->add(new Zend_Acl_Resource('news'));
        
$acl->add(new Zend_Acl_Resource('latest news'), 'news');
        
$acl->add(new Zend_Acl_Resource('announcements'), 'news');
    }
Creation of the rules.
  • The guest is only allowed to view content.
  • The staff is also allowed to edit, to submit or to revise content.
  • The editor is also allowed to publish, to archive or to delete content.
  • The administrator is granted all privileges.
  • Marketing is allowed to publish and archive the newsletters and the latest news.
  • The staff is denied permission to revise the latest news.
  • Everyone is denied permission to archive the news announcements.

    private function _createRules($acl)
    {
        
// The guest is only allowed to view content.
        
$acl->allow('guest'null'view');
        
// The staff is also allowed to edit, to submit or to revise content.
        
$acl->allow('staff'null, array('edit''submit''revise'));
        
// The editor is also allowed to publish, to archive or to delete content.
        
$acl->allow('editor'null, array('publish''archive''delete'));
        
// The administrator is granted all privileges.
        
$acl->allow('administrator');

        
// Marketing is allowed to publish and archive the newsletters and the latest news.
        
$acl->allow('marketing', array('newsletters''latest news'),
            array(
'publish''archive'));
        
// The staff is denied permission to revise the latest news.
        
$acl->deny('staff''latest news''revise');
        
// Everyone is denied permission to archive the news announcements.
        
$acl->deny(null'announcements''archive');
    }

}

Authorization with rules


In this example, we implement an authorization with rules affecting all resources.

Components used in this example
Implementation of the authorization

class MyAcl
{
The authorization process
  • We get the role and the requested permission from the GET request (for demonstration only: a real application must take the role from the authenticated session, never from the request).
  • We instantiate the authorization object.
  • We create the roles and the rules.
  • We check whether the role is allowed the requested permission on all resources and return a message accordingly.

    public function process()
    {
        
// We get the role and the requested permission from the GET request.
        
list($role$permission) = $this->_getParameters();
        
// We instantiate the authorization object.
        
$acl = new Zend_Acl();
        
// We create the roles and the rules.
        
$this->_createRoles($acl);
        
$this->_createRules($acl);

        if (
$role and $permission) {
            
// We verify if the role is allowed to access the resource.
            // And we return a message accordingly.
            
$status $acl->isAllowed($rolenull$permission) ? 'allowed' 'denied';
            
$message "The $role is $status to $permission content!";
        } else {
            
$message '';
        }

        return array(
$role$permission$message);
    }
Extraction of the parameters from the GET request

    private function _getParameters()
    {
        
$role = isset($_GET['role'])? $_GET['role'] : '';
        
$permission = isset($_GET['permission'])? $_GET['permission'] : '';

        return array(
$role$permission);
    }
Creation of the roles
  • The guest does not inherit access controls.
  • The staff inherits from the guest.
  • The editor inherits from the staff.
  • The administrator does not inherit access controls.

    private function _createRoles($acl)
    {
        
// The guest does not inherit access controls.
        
$acl->addRole(new Zend_Acl_Role('guest'));
        
// The staff inherits from the guest.
        
$acl->addRole(new Zend_Acl_Role('staff'), 'guest');
        
// The editor inherits from the staff.
        
$acl->addRole(new Zend_Acl_Role('editor'), 'staff');
        
// The administrator does not inherit access controls.
        
$acl->addRole(new Zend_Acl_Role('administrator'));
    }
Creation of the rules.
  • The guest is only allowed to view content.
  • The staff is also allowed to edit, to submit or to revise content.
  • The editor is also allowed to publish, to archive or to delete content.
  • The administrator is granted all privileges.

    private function _createRules($acl)
    {
        
// The guest is only allowed to view content.
        
$acl->allow('guest'null'view');
        
// The staff is also allowed to edit, to submit or to revise content.
        
$acl->allow('staff'null, array('edit''submit''revise'));
        
// The editor is also allowed to publish, to archive or to delete content.
        
$acl->allow('editor'null, array('publish''archive''delete'));
        
// The administrator is granted all privileges.
        
$acl->allow('administrator');
    }

}