Monday, November 30, 2009

Authorization for specific resources

In this example, we implement authorization with rules that apply to specific resources.

Components used in this example
Implementation of the authorization

class MyAcl
The authorization process
  • We get the role and the requested permission on a resource from the GET request.
  • We instantiate the authorization object.
  • We create the roles, the resources and the rules.
  • We verify whether the role is allowed to access the resource, and we return a message accordingly.

    public function process()
// We get the role and the requested permission on a resource from the GET request.
list($role$permission$resource) = $this->_getParameters();
// We instantiate the authorization object.
$acl = new Zend_Acl();
// We create the roles, the resources and the rules.

        if (
$role and $permission) {
// We verify if the role is allowed to access the resource.
            // And we return a message accordingly.
$status $acl->isAllowed($role$resource$permission) ? 'allowed' 'denied';
$resource or $resource 'content';
$message "The $role is $status to $permission $resource!";
        } else {
$message '';

        return array(
Extraction of the parameters from the GET request

    private function _getParameters()
$role = isset($_GET['role'])? $_GET['role'] : '';
$permission = isset($_GET['permission'])? $_GET['permission'] : '';
$resource = empty($_GET['resource'])? null $_GET['resource'];

        return array(
Creation of the roles
  • The guest does not inherit access controls.
  • The staff inherits from the guest.
  • The editor and marketing inherit from the staff.
  • The administrator does not inherit access controls.

    private function _createRoles($acl)
// The guest does not inherit access controls.
$acl->addRole(new Zend_Acl_Role('guest'));
// The staff inherits from the guest.
$acl->addRole(new Zend_Acl_Role('staff'), 'guest');
// The editor and marketing inherits from the staff.
$acl->addRole(new Zend_Acl_Role('editor'), 'staff');
$acl->addRole(new Zend_Acl_Role('marketing'), 'staff');
// The administrator does not inherit access controls.
$acl->addRole(new Zend_Acl_Role('administrator'));
Creation of the resources
  • We add the newsletters.
  • We add the news, the latest news, and the announcements.

    private function _createResources($acl)
// We add the newsletters.
$acl->add(new Zend_Acl_Resource('newsletters'));
// We add the news, the latest news, and the announcements.
$acl->add(new Zend_Acl_Resource('news'));
$acl->add(new Zend_Acl_Resource('latest news'), 'news');
$acl->add(new Zend_Acl_Resource('announcements'), 'news');
Creation of the rules
  • The guest is only allowed to view content.
  • The staff is also allowed to edit, to submit or to revise content.
  • The editor is also allowed to publish, to archive or to delete content.
  • The administrator is granted all privileges.
  • Marketing is allowed to publish and archive the newsletters and the latest news.
  • The staff is denied permission to revise the latest news.
  • Everyone is denied permission to archive the news announcements.

    private function _createRules($acl)
// The guest is only allowed to view content.
// The staff is also allowed to edit, to submit or to revise content.
$acl->allow('staff'null, array('edit''submit''revise'));
// The editor is also allowed to publish, to archive or to delete content.
$acl->allow('editor'null, array('publish''archive''delete'));
// The administrator is granted all privileges.

// Marketing is allowed to publish and archive the newsletters and the latest news.
$acl->allow('marketing', array('newsletters''latest news'),
// The staff is denied permission to revise the latest news.
$acl->deny('staff''latest news''revise');
// Everyone is denied permission to archive the news announcements.


