Monday, November 30, 2009

Authorization with rules

In this example, we implement authorization with rules that apply to all resources.

Components used in this example
Implementation of the authorization

class MyAcl
The authorization process
  • We get the role and the requested permission from the GET request.
  • We instantiate the authorization object.
  • We create the roles and the rules.
  • We verify whether the role is allowed to access the resource, and we return a message accordingly.

    public function process()
// We get the role and the requested permission from the GET request.
list($role$permission) = $this->_getParameters();
// We instantiate the authorization object.
$acl = new Zend_Acl();
// We create the roles and the rules.

        if (
$role and $permission) {
// We verify if the role is allowed to access the resource.
            // And we return a message accordingly.
$status $acl->isAllowed($rolenull$permission) ? 'allowed' 'denied';
$message "The $role is $status to $permission content!";
        } else {
$message '';

        return array(
Extraction of the parameters from the GET request

    private function _getParameters()
$role = isset($_GET['role'])? $_GET['role'] : '';
$permission = isset($_GET['permission'])? $_GET['permission'] : '';

        return array(
Creation of the roles
  • The guest does not inherit access controls.
  • The staff inherits from the guest.
  • The editor inherits from the staff.
  • The administrator does not inherit access controls.

    private function _createRoles($acl)
// The guest does not inherit access controls.
$acl->addRole(new Zend_Acl_Role('guest'));
// The staff inherits from the guest.
$acl->addRole(new Zend_Acl_Role('staff'), 'guest');
// The editor inherits from the staff.
$acl->addRole(new Zend_Acl_Role('editor'), 'staff');
// The administrator does not inherit access controls.
$acl->addRole(new Zend_Acl_Role('administrator'));
Creation of the rules.
  • The guest is only allowed to view content.
  • The staff is also allowed to edit, to submit or to revise content.
  • The editor is also allowed to publish, to archive or to delete content.
  • The administrator is granted all privileges.

    private function _createRules($acl)
// The guest is only allowed to view content.
// The staff is also allowed to edit, to submit or to revise content.
$acl->allow('staff'null, array('edit''submit''revise'));
// The editor is also allowed to publish, to archive or to delete content.
$acl->allow('editor'null, array('publish''archive''delete'));
// The administrator is granted all privileges.

