Wow, lots going on here. I'll try to help where I can.
I actually blogged about the situation you described about blog posts and
owners:
http://ralphschindler.com/2009/08/13/dynamic-assertions-for-zend_acl-in-zf
In that scenario, your assertion would likely be interacting with the
database to determine the proper conclusion.
As for the other modules, you can probably take advantage of the module
initialization:
http://framework.zend.com/manual/en/zend.application.available-resources.html#zend.application.available-resources.modules
This will allow you to set things up prior to routing (if there is an
application wide ACL object.) This way, each module can inject its own
rules into the ACL for the rest of the system to consume, if that is
your intended goal.
I would assume that since you are using a database to store the fine
grained information, you'll likely be using the ACL to describe what
"roles" have access to as opposed to what exact users have access to.
This is where your system will become assertion heavy, which IMO is not
a bad thing. It keeps the ACL checks fairly succinct throughout the
rest of the application, and most of the actual business logic for
determining access inside your assertions, which are more than likely
inside your models folder (you are modeling access controls after all).
Hope this gets you started,
ralph
taking assertions into consideration. Some modules, such as the Blog,
need to make use of assertions to allow the owner of a post to edit it
but not edit every other post. So ok, each module also implements some
assertions. But how do I, when constructing the ACL from the database,
take assertions into consideration? My first idea was to store assertion
names in the database too, when registering a module. So that when
building the ACL and stumbling across a resource which needs to have
access defined with an assertion in it, the assertion's class name such
as Blog_Acl_Assertion_IsPostOwner and it would then instantiate the
assertion class when building the ACL. But somehow, I don't find that
idea very appealing.
Therefore, I'd like to query you guys if you have experience with working
with something like this or just an idea on how to make this happen.
Thank you for reading on through all my babble.
Kind regards
Christian Rasmussen
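
The approach discussed in this thread (role-level rules in the ACL, an ownership assertion such as Blog_Acl_Assertion_IsPostOwner, and assertion class names read from the database when the ACL is built) looks like this in code. This is an added example, not code from either poster or from Zend Framework itself; it assumes Zend Framework 1 is on the include path, and Blog_User, Blog_Post, buildAcl() and the row layout are hypothetical names. The class name from the database is checked against an allowlist held in code and against Zend_Acl_Assert_Interface before it is instantiated.

```php
<?php
// Added example, not from the thread. Assumes Zend Framework 1 on the include path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Assert/Interface.php';
// Hypothetical domain objects; they double as the ACL role and resource.
class Blog_User implements Zend_Acl_Role_Interface {
    public $id;
    public function __construct($id) { $this->id = $id; }
    public function getRoleId() { return 'member'; }
}
class Blog_Post implements Zend_Acl_Resource_Interface {
    public $ownerId;
    public function __construct($ownerId) { $this->ownerId = $ownerId; }
    public function getResourceId() { return 'blog_post'; }
}
class Blog_Acl_Assertion_IsPostOwner implements Zend_Acl_Assert_Interface {
    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
        Zend_Acl_Resource_Interface $resource = null, $privilege = null) {
        // Fails closed when called with plain ids instead of the domain objects.
        return $role instanceof Blog_User && $resource instanceof Blog_Post
            && $role->id === $resource->ownerId;
    }
}
// $rows stands in for the database result; $registered is an allowlist kept in code.
function buildAcl(array $rows, array $registered) {
    $acl = new Zend_Acl();
    foreach ($rows as $row) {
        if (!$acl->hasRole($row['role'])) { $acl->addRole(new Zend_Acl_Role($row['role'])); }
        if (!$acl->has($row['resource'])) { $acl->addResource(new Zend_Acl_Resource($row['resource'])); }
        $assertion = null;
        $class = $row['assertion'];
        if ($class !== null) {
            // A class is never instantiated just because a database row names it.
            if (!in_array($class, $registered, true) || !class_exists($class)
                || !in_array('Zend_Acl_Assert_Interface', class_implements($class), true)) {
                throw new RuntimeException('Rejected assertion class: ' . $class);
            }
            $assertion = new $class();
        }
        $acl->allow($row['role'], $row['resource'], $row['privilege'], $assertion);
    }
    return $acl;
}
// Constructed sample row: members may edit a blog post only if the assertion passes.
$rows = array(array('role' => 'member', 'resource' => 'blog_post',
                    'privilege' => 'edit', 'assertion' => 'Blog_Acl_Assertion_IsPostOwner'));
$acl = buildAcl($rows, array('Blog_Acl_Assertion_IsPostOwner'));
var_dump($acl->isAllowed(new Blog_User(7), new Blog_Post(7), 'edit')); // owner of the post
var_dump($acl->isAllowed(new Blog_User(8), new Blog_Post(7), 'edit')); // a different member
```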