Re: [fw-general] Using ACL asserts to validate access to specific instances of a generic resource

2008-09-26 Thread Martijn Korse

I think your articles should implement the Resource_Interface and your users
should implement the Role_Interface. The article/resource will have
knowledge about who its creator is and since both objects are passed to the
assertion you could then simply do something like:

if ($article->ownerId == $role->userId) { echo "this is allowed"; }

It's more or less what you proposed earlier, but without the need for static
variables.
And if a resource/article has also knowledge about the category it's in you
could also decide that it requests the owner-id of the category and use
that.

-
http://devshed.excudo.net
-- 
View this message in context: 
http://www.nabble.com/Using-ACL-asserts-to-validate-access-to-specific-instances-of-a-generic-resource-tp19678452p19686252.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Using ACL asserts to validate access to specific instances of a generic resource

2008-09-25 Thread Aldemar Bernal

Colin,

Hope this helps:

http://devzone.zend.com/article/3509-Zend_Acl-and-MVC-Integration-Part-I-Basic-Use
http://devzone.zend.com/article/3510-Zend_Acl-and-MVC-Integration-Part-II-Advanced-Use

Aldemar

- Original Message - 
From: Colin Guthrie [EMAIL PROTECTED]

To: fw-general@lists.zend.com
Sent: Thursday, September 25, 2008 4:13 PM
Subject: [fw-general] Using ACL asserts to validate access to specific 
instances of a generic resource




(resend - first one seemed to get eaten)

Hi,

I'm currently devising how best to deploy Zend_Acl in an application I'm
retrofitting to Zend Framework.

I've spent the time to read the docs and view the webinars and I came to
the conclusion that implementing Zend_Acl_Assert_Interface is the
correct way to go. This isn't a massive cognitive leap on my part as
page 25 of the Zend_Acl webinar PDF clearly states an example use of
Asserts as:
 * Allow only the author to edit an article.


But when I started thinking about it, I couldn't work out how to do this
part of the validation. A singleton object knows the user details so the
assert method can get that info easily enough. The controller (or other
calling code as the case may be) knows the specific article but how
should it pass this information across to the assert for validation?

I came up with three possible ways:

1) Define a separate resource instance for each and every article and
assign specific access. This is pretty clunky and really doesn't scale,
so let's just ignore this idea.

2) Create a singleton object for my article too prior to checking the
acl. This is OK and not a bad idea overall, but forcing the use of
singletons here seems a little too prescribed for ZF (remember this is
an example provided in the docs!). I'm not averse to this method, but
something about it doesn't quite sit right with me? Perhaps this is
unfounded tho'?

3) This is my current preference. When you create your resource object,
you can define a static set/get methods to a static class variable (or
just make the static class variable public but personally I prefer
methods) that allows some calling code (e.g. the controller) to set an
article id.

Something like:

class My_Article
  extends Zend_Acl_Resource
{
  private static $id;

  public static function setId($id)
  {
self::$id = $id;
  }

  public static function getId()
  {
return self::$id;
  }
}


Then your assert class would be something like...

class My_Article_Access
  implements Zend_Acl_Assert_Interface
{
  public function assert(
    Zend_Acl $acl,
    Zend_Acl_Role_Interface $role = null,
    Zend_Acl_Resource_Interface $resource = null,
    $privilege = null)
  {
    // The signature has to match Zend_Acl_Assert_Interface exactly
    // (PHP refuses a narrower type hint), so narrow the type here instead.
    if (!$resource instanceof My_Article) {
      return false; // This assert only works with a valid article
    }
    $user = Zend_Auth::getInstance()->getIdentity();
    // Load user ... or more likely have a different user singleton...
    $user_id = getUserId($user);               // placeholder for an app-specific lookup

    $article_id = My_Article::getId();         // the id the controller set beforehand

    // Do validation that $article_id has author == $user_id.
    $author_id = getArticleAuthorId($article_id); // placeholder for an app-specific lookup
    return ($author_id == $user_id);
  }
}




So my questions to this list are:

 1) Are there any other ways? (aka am I missing the obvious)
 2) Is my prefered solution sensible?
 3) If this example is continued to be used in the docs as a valid use
of asserts, can this additional information be added as I'd imagine I'm
not the only one running up against this particular brick wall :)

Cheers.

Col

--

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
  Mandriva Linux Contributor [http://www.mandriva.com/]
  PulseAudio Hacker [http://www.pulseaudio.org/]
  Trac Hacker [http://trac.edgewall.org/]
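The following is an added example, not code from the thread or from Zend Framework, that works Colin's "only the author may edit an article" case through along the lines Martijn suggests at the top of the thread: the article and the user carry their own identity into the assertion, so no static or singleton is needed. Class and property names (My_User, My_Article, My_Assert_IsOwner, userId, ownerId, categoryOwnerId) are illustrative. It assumes Zend Framework 1.x is on the include path and that Zend_Acl forwards the very objects given to isAllowed() to the assertion; where a release instead passes the registered Zend_Acl_Role/Zend_Acl_Resource, the instanceof checks fail and the assertion denies, which is the safe direction, so check the behaviour of your version.

```php
<?php
// Added example (not from the thread or from Zend Framework).
// Assumed: ZF 1.x on the include path; Zend_Acl hands the objects passed to
// isAllowed() through to the assertion. All class/property names are illustrative.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Role/Interface.php';
require_once 'Zend/Acl/Resource/Interface.php';
require_once 'Zend/Acl/Assert/Interface.php';

// A user is a role: every user shares the generic role id, the instance carries who they are.
class My_User implements Zend_Acl_Role_Interface
{
    public $userId;

    public function __construct($userId)
    {
        $this->userId = (int) $userId;
    }

    public function getRoleId()
    {
        return 'member';
    }
}

// An article is a resource: every article shares the generic resource id,
// the instance knows its owner and (optionally) the owner of its category.
class My_Article implements Zend_Acl_Resource_Interface
{
    public $id;
    public $ownerId;
    public $categoryOwnerId;

    public function __construct($id, $ownerId, $categoryOwnerId = null)
    {
        $this->id              = (int) $id;
        $this->ownerId         = (int) $ownerId;
        $this->categoryOwnerId = ($categoryOwnerId === null) ? null : (int) $categoryOwnerId;
    }

    public function getResourceId()
    {
        return 'article';
    }
}

class My_Assert_IsOwner implements Zend_Acl_Assert_Interface
{
    // Signature must match the interface exactly; the concrete types are checked inside.
    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        // Fail closed: a string role/resource id (or an older Zend_Acl that passes the
        // registry objects) gives us no instances to compare, so deny.
        if (!$role instanceof My_User || !$resource instanceof My_Article) {
            return false;
        }
        if ($resource->ownerId === $role->userId) {
            return true;
        }
        // Martijn's second suggestion: the owner of the article's category may edit too.
        return $resource->categoryOwnerId !== null
            && $resource->categoryOwnerId === $role->userId;
    }
}

// One generic role and one generic resource; the assertion does the per-instance work.
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('member'));
$acl->add(new Zend_Acl_Resource('article'));
$acl->allow('member', 'article', 'view');                          // anyone may read
$acl->allow('member', 'article', 'edit', new My_Assert_IsOwner()); // owner or category owner

// Constructed sample data.
$alice = new My_User(1);
$bob   = new My_User(2);
$carol = new My_User(3);
$post  = new My_Article(42, 1, 3); // written by alice, filed in carol's category

var_dump($acl->isAllowed($alice, $post, 'edit'));        // alice owns the article
var_dump($acl->isAllowed($bob,   $post, 'edit'));        // bob owns neither article nor category
var_dump($acl->isAllowed($carol, $post, 'edit'));        // carol owns the category
var_dump($acl->isAllowed($bob,   $post, 'view'));        // view carries no assertion
var_dump($acl->isAllowed('member', 'article', 'edit'));  // string ids: no instances, denied
```

The controller simply passes the loaded article and the authenticated user object to isAllowed(); the last call shows why the instanceof checks matter: a generic "can members edit articles?" query reaches the same assertion with no instance to inspect, and must not be answered with a yes.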