In this example, we implement role-based authorization with Zend_Acl: a role hierarchy, a resource hierarchy, and allow/deny rules, some of which apply only to specific resources.
Components used in this example
class MyAcl
{
- We get the role, the requested permission and the resource from the GET request. These values are untrusted: they are used only as ACL lookup keys, and they must be HTML-escaped before being echoed back into the page.
- We instantiate the authorization object.
- We create the roles, the resources and the rules.
- We verify if the role is allowed to access the resource. And we return a message accordingly.
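/**
 * Build the ACL, evaluate the requested (role, permission, resource) query
 * and describe the outcome.
 *
 * @return array list($role, $permission, $resource, $message): the raw
 *               query-string values as returned by _getParameters()
 *               ($resource is null when "any resource" was requested),
 *               and a human-readable verdict, or '' when the role or the
 *               permission is missing. Nothing is HTML-escaped here; the
 *               caller must escape before echoing into markup.
 */
public function process()
{
    list($role, $permission, $resource) = $this->_getParameters();

    $acl = new Zend_Acl();
    $this->_createRoles($acl);
    $this->_createResources($acl);
    $this->_createRules($acl);

    if (!$role || !$permission) {
        return array($role, $permission, $resource, '');
    }

    // $role and $resource come straight from the query string. Zend_Acl (ZF1)
    // throws a Zend_Acl_Exception (the role registry exception extends it) for
    // a role or resource it does not know, so an arbitrary value must not
    // surface as an uncaught exception with a stack trace.
    try {
        $allowed = $acl->isAllowed($role, $resource, $permission);
        $status  = $allowed ? 'allowed' : 'denied';
    } catch (Zend_Acl_Exception $e) {
        $status = null;
    }

    // A null resource means "any resource"; the message just needs a word for
    // it. $resource itself is returned unchanged so the form can re-select it.
    $label = ($resource === null) ? 'content' : $resource;

    if ($status === null) {
        $message = "Unknown role or resource: cannot check whether the $role may $permission $label!";
    } else {
        $message = "The $role is $status to $permission $label!";
    }

    return array($role, $permission, $resource, $message);
}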
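/**
 * Read the ACL query from the query string.
 *
 * @return array list($role, $permission, $resource): role and permission as
 *               strings ('' when absent), resource as a non-empty string or
 *               null when absent/empty (null means "any resource" for
 *               Zend_Acl::isAllowed()). The values are untrusted and not
 *               validated against the registered roles/resources; they must
 *               be escaped before being echoed into HTML.
 */
private function _getParameters()
{
    // PHP decodes "?role[]=x" into an array; only a plain string is usable as
    // an ACL key, so anything else is treated as "not supplied".
    $role = '';
    if (isset($_GET['role']) && is_string($_GET['role'])) {
        $role = $_GET['role'];
    }

    $permission = '';
    if (isset($_GET['permission']) && is_string($_GET['permission'])) {
        $permission = $_GET['permission'];
    }

    // empty() keeps the original semantics: '' (and '0') select "any resource".
    $resource = null;
    if (!empty($_GET['resource']) && is_string($_GET['resource'])) {
        $resource = $_GET['resource'];
    }

    return array($role, $permission, $resource);
}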
- The guest does not inherit access controls.
- The staff inherits from the guest.
- The editor and marketing both inherit from the staff.
- The administrator does not inherit access controls.
/**
 * Register the role hierarchy.
 *
 * guest and administrator are root roles; staff inherits from guest, and
 * editor and marketing inherit from staff.
 *
 * @param Zend_Acl $acl the ACL being populated
 */
private function _createRoles($acl)
{
    // child => parent (null = no inheritance). Parents must be registered
    // before their children, so the order of this table matters.
    $hierarchy = array(
        'guest'         => null,
        'staff'         => 'guest',
        'editor'        => 'staff',
        'marketing'     => 'staff',
        'administrator' => null,
    );

    foreach ($hierarchy as $name => $parent) {
        $acl->addRole(new Zend_Acl_Role($name), $parent);
    }
}
- We add the newsletters.
- We add the news, the latest news, and the announcements.
/**
 * Register the resource tree.
 *
 * newsletters and news are top-level resources; "latest news" and
 * announcements are children of news.
 *
 * @param Zend_Acl $acl the ACL being populated
 */
private function _createResources($acl)
{
    // resource => parent (null = top level); parents are listed first.
    $tree = array(
        'newsletters'   => null,
        'news'          => null,
        'latest news'   => 'news',
        'announcements' => 'news',
    );

    foreach ($tree as $name => $parent) {
        $acl->add(new Zend_Acl_Resource($name), $parent);
    }
}
- The guest is only allowed to view content.
- The staff is also allowed to edit, to submit or to revise content.
- The editor is also allowed to publish, to archive or to delete content.
- The administrator is granted all privileges.
- Marketing is allowed to publish and archive the newsletters and the latest news.
- The staff is denied permission to revise the latest news.
- Everyone is denied permission to archive the news announcements — including the administrator, because under Zend_Acl's precedence rules this resource-specific deny outranks the blanket allow.
/**
 * Define the allow/deny rules.
 *
 * Blanket per-role grants come first (they are inherited down the role
 * tree), then the resource-specific exceptions that refine them.
 *
 * @param Zend_Acl $acl the ACL being populated
 */
private function _createRules($acl)
{
    $anyResource = null;
    $everyone    = null;

    // Blanket grants, one level per role.
    $acl->allow('guest', $anyResource, 'view');
    $acl->allow('staff', $anyResource, array('edit', 'submit', 'revise'));
    $acl->allow('editor', $anyResource, array('publish', 'archive', 'delete'));
    $acl->allow('administrator');

    // Resource-specific rules.
    $marketingResources = array('newsletters', 'latest news');
    $acl->allow('marketing', $marketingResources, array('publish', 'archive'));
    $acl->deny('staff', 'latest news', 'revise');
    $acl->deny($everyone, 'announcements', 'archive');
}
}
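/**
 * Small HTML helpers used by the page template below.
 */
class MyHtml
{
    /**
     * Echo the page title: the script's base name in title case, plus the
     * Zend Framework and PHP versions. The title is escaped for the HTML
     * context it is echoed into (<title> and <p>).
     */
    public static function printTitle()
    {
        $basename = basename(__FILE__, '.php');
        $title    = ucwords(str_replace('-', ' ', $basename));

        $zfVersion  = Zend_Version::VERSION;
        $phpVersion = phpversion();

        echo 'ZfEx ' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8')
            . " (ZF/$zfVersion PHP/$phpVersion)";
    }

    /**
     * Echo the selected="selected" attribute when $value matches $target.
     *
     * $value is the (untrusted) query-string value and $target a known option
     * name (or null for the "all resources" option). The comparison is strict:
     * a loose == on user input would let numeric-looking strings match
     * unexpectedly. Only a fixed literal is ever echoed, never the input.
     *
     * @param string|null $value  current value from the query string
     * @param string|null $target the option this <option> represents
     */
    public static function printSelected($value, $target)
    {
        if ($value === $target) {
            echo 'selected="selected"';
        }
    }
}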
- We get the role, the permission, the resource and the authorization result, to display in the form.
// Evaluate the query-string request once; the template below reads the
// raw values (to re-select the form options) and the verdict message.
$authorization = new MyAcl;
list($role, $permission, $resource, $message) = $authorization->process();
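<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title><?php MyHtml::printTitle();?></title>
<style type="text/css">
body {
font-family: arial, sans-serif;
font-size: 0.9em;
}
</style>
</head>
<body>
<p>EXAMPLE <?php MyHtml::printTitle();?></p>
<hr />
<form>
<?php /* The form state is carried by the selected <option>s. <select> has no
         value attribute, and echoing the raw query-string values into one
         was an unescaped XSS sink, so those attributes are gone. */ ?>
Select a role:
<select name="role">
<option <?php MyHtml::printSelected($role, 'guest');?>>guest</option>
<option <?php MyHtml::printSelected($role, 'staff');?>>staff</option>
<option <?php MyHtml::printSelected($role, 'marketing');?>>marketing</option>
<option <?php MyHtml::printSelected($role, 'editor');?>>editor</option>
<option <?php MyHtml::printSelected($role, 'administrator');?>>administrator</option>
</select>
Select a permission:
<select name="permission">
<optgroup label="guest level">
<option <?php MyHtml::printSelected($permission, 'view');?>>view</option>
</optgroup>
<optgroup label="staff level">
<option <?php MyHtml::printSelected($permission, 'edit');?>>edit</option>
<option <?php MyHtml::printSelected($permission, 'submit');?>>submit</option>
<option <?php MyHtml::printSelected($permission, 'revise');?>>revise</option>
</optgroup>
<optgroup label="editor level">
<option <?php MyHtml::printSelected($permission, 'publish');?>>publish</option>
<option <?php MyHtml::printSelected($permission, 'archive');?>>archive</option>
<option <?php MyHtml::printSelected($permission, 'delete');?>>delete</option>
</optgroup>
<optgroup label="administrator level">
<option <?php MyHtml::printSelected($permission, 'administer');?>>administer</option>
</optgroup>
</select>
Select a resource:
<select name="resource">
<?php /* An empty value is read back as null, i.e. "any resource". */ ?>
<option value="" <?php MyHtml::printSelected($resource, null);?>>all</option>
<option <?php MyHtml::printSelected($resource, 'newsletters');?>>newsletters</option>
<optgroup label="news">
<option <?php MyHtml::printSelected($resource, 'news');?>>news</option>
<option <?php MyHtml::printSelected($resource, 'latest news');?>>latest news</option>
<option <?php MyHtml::printSelected($resource, 'announcements');?>>announcements</option>
</optgroup>
</select>
<input type="submit" value="Submit" />
</form>
(Note:
Marketing is allowed to publish or archive newsletters and the latest news.
Everyone is denied permission to archive announcements.)
<br /> <br />
<hr />
<?php /* This is an access-control (authorization) verdict, not a login check. */ ?>
AUTHORIZATION RESULT
<br /> <br />
<?php /* $message embeds the raw role/permission/resource from the query
         string; escape it for the HTML body context before echoing. */ ?>
<?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');?>
</body>
</html>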