In this example, we implement authorization with rules that apply to some resources.
Components used in this example
Implementation of the authorization
class MyAcl
{
The authorization process
- We get the role and the requested permission on a resource from the GET request.
- We instantiate the authorization object.
- We create the roles, the resources and the rules.
- We check whether the role is allowed to access the resource and return a message accordingly.
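/**
 * Runs the authorization example.
 *
 * Reads the role, the permission and the resource from the GET request,
 * builds the ACL (roles, resources, rules) and asks it whether the role may
 * exercise the permission on the resource.
 *
 * @return array{0: string, 1: string, 2: string|null, 3: string}
 *         The role, the permission, the resource (falls back to 'content'
 *         when a decision was made without a specific resource) and the
 *         message, which is empty unless both a role and a permission were given.
 */
public function process()
{
    // The role and the requested permission on a resource come from the GET request.
    list($role, $permission, $resource) = $this->_getParameters();

    // Build the authorization object with its roles, resources and rules.
    $acl = new Zend_Acl();
    $this->_createRoles($acl);
    $this->_createResources($acl);
    $this->_createRules($acl);

    if ($role === '' || $permission === '') {
        // Nothing to decide: no role or no permission was requested.
        return array($role, $permission, $resource, '');
    }

    // Zend_Acl::isAllowed() throws when the role or the resource is not
    // registered. Both values are untrusted request input, so an unknown
    // role or resource is answered with a denial (fail closed) rather than
    // with an exception.
    $known = $acl->hasRole($role) && ($resource === null || $acl->has($resource));
    $allowed = $known && $acl->isAllowed($role, $resource, $permission);
    $status = $allowed ? 'allowed' : 'denied';

    // Without a specific resource the decision applies to all content.
    if ($resource === null) {
        $resource = 'content';
    }

    // NOTE: the message embeds raw request values; escape it for the context
    // (HTML, etc.) in which it is finally rendered.
    $message = "The $role is $status to $permission $resource!";

    return array($role, $permission, $resource, $message);
}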
Extraction of the parameters from the GET request
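/**
 * Extracts the role, the permission and the resource from the GET request.
 *
 * Only string values are accepted: a request such as "?role[]=x" puts an
 * array into $_GET, which is not a valid identifier and is treated as absent.
 *
 * @return array{0: string, 1: string, 2: string|null}
 *         Role and permission ('' when absent); resource (null when absent or empty).
 */
private function _getParameters()
{
    $role = isset($_GET['role']) && is_string($_GET['role'])
        ? $_GET['role'] : '';
    $permission = isset($_GET['permission']) && is_string($_GET['permission'])
        ? $_GET['permission'] : '';
    // empty() also rejects '' and '0', so a blank resource means "no specific resource".
    $resource = empty($_GET['resource']) || !is_string($_GET['resource'])
        ? null : $_GET['resource'];
    return array($role, $permission, $resource);
}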
Creation of the roles
- The guest does not inherit access controls.
- The staff inherits from the guest.
- The editor and marketing inherit from the staff.
- The administrator does not inherit access controls.
/**
 * Registers the roles and their inheritance in the ACL.
 *
 * guest and administrator inherit nothing; staff inherits from guest;
 * editor and marketing inherit from staff.
 *
 * @param Zend_Acl $acl
 */
private function _createRoles($acl)
{
    // role id => parent role id (null when the role inherits no access controls)
    $hierarchy = array(
        'guest'         => null,
        'staff'         => 'guest',
        'editor'        => 'staff',
        'marketing'     => 'staff',
        'administrator' => null,
    );
    foreach ($hierarchy as $roleId => $parentId) {
        $acl->addRole(new Zend_Acl_Role($roleId), $parentId);
    }
}
Creation of the resources
- We add the newsletters.
- We add the news, the latest news, and the announcements.
/**
 * Registers the resources in the ACL.
 *
 * newsletters and news stand alone; 'latest news' and announcements are
 * children of news.
 *
 * @param Zend_Acl $acl
 */
private function _createResources($acl)
{
    $acl->add(new Zend_Acl_Resource('newsletters'))
        ->add(new Zend_Acl_Resource('news'))
        ->add(new Zend_Acl_Resource('latest news'), 'news')
        ->add(new Zend_Acl_Resource('announcements'), 'news');
}
Creation of the rules
- The guest is only allowed to view content.
- The staff is also allowed to edit, to submit or to revise content.
- The editor is also allowed to publish, to archive or to delete content.
- The administrator is granted all privileges.
- Marketing is allowed to publish and archive the newsletters and the latest news.
- The staff is denied permission to revise the latest news.
- Everyone is denied permission to archive the news announcements.
/**
 * Registers the allow/deny rules in the ACL.
 *
 * The grants are registered first and the explicit denials last, so the
 * denials take precedence over the broader grants they refine.
 *
 * @param Zend_Acl $acl
 */
private function _createRules($acl)
{
    // Role-wide grants: each role gains these privileges on every resource.
    $grants = array(
        'guest'  => 'view',
        'staff'  => array('edit', 'submit', 'revise'),
        'editor' => array('publish', 'archive', 'delete'),
    );
    foreach ($grants as $roleId => $privileges) {
        $acl->allow($roleId, null, $privileges);
    }

    // The administrator is granted every privilege on every resource.
    $acl->allow('administrator');

    // Marketing may publish and archive the newsletters and the latest news.
    $acl->allow(
        'marketing',
        array('newsletters', 'latest news'),
        array('publish', 'archive')
    );

    // Explicit denials: staff may not revise the latest news, and nobody
    // may archive the announcements.
    $acl->deny('staff', 'latest news', 'revise');
    $acl->deny(null, 'announcements', 'archive');
}
}