Authorization with assertions

In this example, we implement an authorization with rules and assertions.

Components used in this example

• Zend_Acl
• Zend_Acl_Assert_Interface
• Zend_Acl_Resource_Interface
• Zend_Acl_Role
• Zend_Acl_Role_Interface

---

MyAssert MyAcl MyHtml Entry point HTML | Try it | View source code

Implementation of the assertion

• The site status is stored in a global variable for the purpose of this example.
• People excluding the administrator are allowed to only view content when the site is under maintenance.

class MyAssert implements Zend_Acl_Assert_Interface
{
    public function assert(
        Zend_Acl $acl,
        Zend_Acl_Role_Interface $role = null,
        Zend_Acl_Resource_Interface $resource = null,
        $privilege = null)
    {
        // The site status is stored in a global variable for the purpose of this example.
        global $maintenance;

        // People excluding the administrator are allowed to only view content
        // when the site is under maintenance.
        return !(
            $maintenance and
            $role->getRoleId() != 'administrator' and
            $privilege != 'view');
    }

}

Implementation of the authorization

class MyAcl
{

The authorization process

• The site status is stored in a global variable for the purpose of this example.
• We get the role and the requested permission from the GET request. We also get if the site is under maintenance or not.
• We instantiate the authorization object.
• We create the roles and the rules.
• We verify if the role is allowed to access the resource. And we return a message accordingly.

    public function process()
    {
        // The site status is stored in a global variable for the purpose of this example.
        global $maintenance;

        // We get the role and the requested permission from the GET request.
        // We also get if the site is under maintenance or not.
        list($role, $permission, $maintenance) = $this->_getParameters();
        // We instantiate the authorization object.
        $acl = new Zend_Acl();
        // We create the roles and the rules.
        $this->_createRoles($acl);
        $this->_createRules($acl);

        if ($role and $permission) {
            // We verify if the role is allowed to access the resource.
            // And we return a message accordingly.
            $status = $acl->isAllowed($role, null, $permission) ? 'allowed' : 'denied';
            $message = "The $role is $status to $permission content!";
        } else {
            $message = '';
        }

        return array($role, $permission, $maintenance, $message);
    }

Extraction of the parameters from the GET request

    private function _getParameters()
    {
        $role = isset($_GET['role'])? $_GET['role'] : '';
        $permission = isset($_GET['permission'])? $_GET['permission'] : '';
        $maintenance = isset($_GET['maintenance'])? $_GET['maintenance'] : '';

        return array($role, $permission, $maintenance);
    }

Creation of the roles

• The guest does not inherit access controls.
• The staff inherits from the guest.
• The editor inherits from the staff.
• The administrator does not inherit access controls.

    private function _createRoles($acl)
    {
        // The guest does not inherit access controls.
        $acl->addRole(new Zend_Acl_Role('guest'));
        // The staff inherits from the guest.
        $acl->addRole(new Zend_Acl_Role('staff'), 'guest');
        // The editor inherits from the staff.
        $acl->addRole(new Zend_Acl_Role('editor'), 'staff');
        // The administrator does not inherit access controls.
        $acl->addRole(new Zend_Acl_Role('administrator'));
    }

Creation of the rules with the assertion

• The guest is only allowed to view content.
• The staff is also allowed to edit, to submit or to revise content.
• The editor is also allowed to publish, to archive or to delete content.
• The administrator is granted all privileges.

    private function _createRules($acl)
    {
        // The guest is only allowed to view content.
        $acl->allow('guest', null, 'view', new MyAssert);
        // The staff is also allowed to edit, to submit or to revise content.
        $acl->allow('staff', null, array('edit', 'submit', 'revise'), new MyAssert);
        // The editor is also allowed to publish, to archive or to delete content.
        $acl->allow('editor', null, array('publish', 'archive', 'delete'), new MyAssert);
        // The administrator is granted all privileges.
        $acl->allow('administrator');
    }

}

Displaying items

class MyHtml
{

Displaying the title of the page based on the file name.

    public static function printTitle()
    {
        $basename = basename(__FILE__, '.php');
        $title = ucwords(str_replace('-' , ' ', $basename));
        $zfVersion = Zend_Version::VERSION;
        $phpVersion = phpversion();
        echo "ZfEx $title (ZF/$zfVersion PHP/$phpVersion)";
    }

Displaying the selected option

    public static function printSelected($value, $target)
    {
        $value == $target and print 'selected="selected"';
    }

}

Processing the authorization

• We return the role, the permission and the authorization result, to display in the form.

$acl = new MyAcl;
// We return the role, the permission and the authorization result, to display in the form.
list($role, $permission, $maintenance, $message) = $acl->process();

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title><?php MyHtml::printTitle();?></title>
    <style type="text/css">
      body {
          font-family: arial, sans-serif;
          font-size: 0.9em;
      }
    </style>
  </head>

  <body>

    <p>EXAMPLE <?php MyHtml::printTitle();?></p>
    <hr />

    <form>
      Select a role:
      <select name="role" value="<?php echo $role;?>">
        <option <?php MyHtml::printSelected($role, 'guest');?>>guest</option>
        <option <?php MyHtml::printSelected($role, 'staff');?>>staff</option>
        <option <?php MyHtml::printSelected($role, 'editor');?>>editor</option>
        <option <?php MyHtml::printSelected($role, 'administrator');?>>administrator</option>
      </select>

      Select a permission:
      <select name="permission" value="<?php echo $permission;?>">
        <optgroup label="guest level">
          <option <?php MyHtml::printSelected($permission, 'view');?>>view</option>
        </optgroup>
        <optgroup label="staff level">
          <option <?php MyHtml::printSelected($permission, 'edit');?>>edit</option>
          <option <?php MyHtml::printSelected($permission, 'submit');?>>submit</option>
          <option <?php MyHtml::printSelected($permission, 'revise');?>>revise</option>
        </optgroup>
        <optgroup label="editor level">
          <option <?php MyHtml::printSelected($permission, 'publish');?>>publish</option>
          <option <?php MyHtml::printSelected($permission, 'archive');?>>archive</option>
          <option <?php MyHtml::printSelected($permission, 'delete');?>>delete</option>
        </optgroup>
        <optgroup label="administrator level">
          <option <?php MyHtml::printSelected($permission, 'administer');?>>administer</option>
        </optgroup>
      </select>

      Select site maintenance:
      <select name="maintenance" value="<?php echo $maintenance;?>">
        <option value="" <?php MyHtml::printSelected($maintenance, '');?>>off</option>
        <option <?php MyHtml::printSelected($maintenance, 'on');?>>on</option>
      </select>

      <input type="submit" value="Submit" />
    </form>

    (Note: People are only allowed to view content during site maintenance,
    except the administrator)

    <br /> <br />
    <hr />
    AUTHENTICATION RESULT
    <br /> <br />
    <?php echo $message;?>

  </body>
</html>