Re: [fw-general] Using ACL asserts to validate access to specific instances of a generic resource
I think your articles should implement the Resource_Interface and your users should implement the Role_Interface. The article/resource will have knowledge about who its creator is and since both objects are passed to the assertion you could then simply do something like:

    if ($article->ownerId == $role->userId) {
        echo "this is allowed";
    }

It's more or less what you proposed earlier, but without the need for static variables. And if a resource/article has also knowledge about the category it's in you could also decide that it requests the owner-id of the category and use that.

-
http://devshed.excudo.net

--
View this message in context: http://www.nabble.com/Using-ACL-asserts-to-validate-access-to-specific-instances-of-a-generic-resource-tp19678452p19686252.html
Sent from the Zend Framework mailing list archive at Nabble.com.
Re: [fw-general] Using ACL asserts to validate access to specific instances of a generic resource
Colin Guthrie-6 wrote:
> [...] the Zend_Acl webinar PDF clearly states an example use of
> Asserts as:
> * Allow only the author to edit an article.
>
> But when I started thinking about it, I couldn't work out how to do this
> part of the validation. A singleton object knows the user details so the
> assert method can get that info easily enough. The controller (or other
> calling code as the case may be) knows the specific article but how
> should it pass this information across to the assert for validation?

I'm not sure what you mean with part of the validation... you mean that every article is tied to a certain group of users? In that case I think the way to go would be to assign roles to these users and then loop through this data, setting an allow rule for each combination of role and resource. You don't even need assertions for that.

-
http://devshed.excudo.net
Re: [fw-general] Using ACL asserts to validate access to specific instances of a generic resource
Colin,

Hope this helps:

http://devzone.zend.com/article/3509-Zend_Acl-and-MVC-Integration-Part-I-Basic-Use
http://devzone.zend.com/article/3510-Zend_Acl-and-MVC-Integration-Part-II-Advanced-Use

Aldemar

----- Original Message -----
From: "Colin Guthrie" <[EMAIL PROTECTED]>
Sent: Thursday, September 25, 2008 4:13 PM
Subject: [fw-general] Using ACL asserts to validate access to specific instances of a generic resource
[fw-general] Using ACL asserts to validate access to specific instances of a generic resource
(resend - first one seemed to get eaten)

Hi,

I'm currently devising how best to deploy Zend_Acl in an application I'm retrofitting to Zend Framework. I've spent the time to read the docs and view the webinars and I came to the conclusion that implementing Zend_Acl_Assert_Interface is the correct way to go. This isn't a massive cognitive leap on my part as page 25 of the Zend_Acl webinar PDF clearly states an example use of Asserts as:

* Allow only the author to edit an article.

But when I started thinking about it, I couldn't work out how to do this part of the validation. A singleton object knows the user details so the assert method can get that info easily enough. The controller (or other calling code as the case may be) knows the specific article but how should it pass this information across to the assert for validation?

I came up with three possible ways:

1) Define a separate resource instance for each and every article and assign specific access. This is pretty clunky and really doesn't scale, so let's just ignore this idea.

2) Create a singleton object for my article too prior to checking the acl. This is OK and not a bad idea overall, but forcing the use of singletons here seems a little too prescribed for ZF (remember this is an example provided in the docs!). I'm not averse to this method, but something about it doesn't quite sit right with me? Perhaps this is unfounded tho'?

3) This is my current preference. When you create your resource object, you can define static set/get methods to a static class variable (or just make the static class variable public but personally I prefer methods) that allows some calling code (e.g. the controller) to set an article id. Something like:

    class My_Article extends Zend_Acl_Resource
    {
        private static $id;

        public static function setId($id)
        {
            self::$id = $id;
        }

        public static function getId()
        {
            return self::$id;
        }
    }

Then your assert class would be something like...

    class My_Article_Access implements Zend_Acl_Assert_Interface
    {
        public function assert(Zend_Acl $acl,
                               Zend_Acl_Role_Interface $role = null,
                               Zend_Acl_Resource_Interface $resource = null,
                               $privilege = null)
        {
            // This assert only works with a valid article
            if (!$resource instanceof My_Article) {
                return false;
            }
            $user = Zend_Auth::getInstance()->getIdentity();
            // Load user ... or more likely have a different user singleton...
            $user_id = getUserId($user);
            $article_id = My_Article::getId();
            // Do validation that $article_id has author == $user_id.
            return $result;
        }
    }

So my questions to this list are:

1) Are there any other ways? (aka am I missing the obvious)
2) Is my preferred solution sensible?
3) If this example is continued to be used in the docs as a valid use of asserts, can this additional information be added as I'd imagine I'm not the only one running up against this particular brick wall :)

Cheers.

Col

--
Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
  Mandriva Linux Contributor [http://www.mandriva.com/]
  PulseAudio Hacker [http://www.pulseaudio.org/]
  Trac Hacker [http://trac.edgewall.org/]
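The owner check that the first reply proposes, carried through the generic "article" resource from the original post, as an added example (not code from the thread or from Zend Framework). It assumes the Zend Framework 1.x library is on the include_path and a 1.x release whose isAllowed() hands the assertion the role and resource objects it was called with (later 1.x releases do); the class names My_User, My_Article and My_Assert_IsOwner are made up here.

```php
<?php
// Added example, not from the thread. Assumes Zend Framework 1.x on the
// include_path and a release whose isAllowed() passes the assertion the
// role/resource objects it was called with. All My_* class names are made up.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Role/Interface.php';
require_once 'Zend/Acl/Resource/Interface.php';
require_once 'Zend/Acl/Assert/Interface.php';

class My_User implements Zend_Acl_Role_Interface
{
    public $userId;
    private $_roleId;
    public function __construct($userId, $roleId) { $this->userId = $userId; $this->_roleId = $roleId; }
    public function getRoleId() { return $this->_roleId; } // e.g. 'member'
}

class My_Article implements Zend_Acl_Resource_Interface
{
    public $ownerId;
    public function __construct($ownerId) { $this->ownerId = $ownerId; }
    // Every article is the one generic resource; the instance carries its owner.
    public function getResourceId() { return 'article'; }
}

class My_Assert_IsOwner implements Zend_Acl_Assert_Interface
{
    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
        Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        // Fail closed: a check made with bare ids reaches us as the registered
        // Zend_Acl_Role/Zend_Acl_Resource objects, which carry no owner or user.
        if (!$role instanceof My_User || !$resource instanceof My_Article) {
            return false;
        }
        return $resource->ownerId === $role->userId;
    }
}

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('member'));
$acl->add(new Zend_Acl_Resource('article'));
$acl->allow('member', 'article', 'edit', new My_Assert_IsOwner());

$alice = new My_User(7, 'member');
$bob   = new My_User(9, 'member');
$post  = new My_Article(7);                              // constructed: written by user 7
var_dump($acl->isAllowed($alice, $post, 'edit'));        // the article's owner
var_dump($acl->isAllowed($bob, $post, 'edit'));          // another member
var_dump($acl->isAllowed('member', 'article', 'edit'));  // bare ids, no instance to inspect
```

Because the rule's assertion denies whenever it does not receive a My_User and a My_Article, a call made with bare ids (or from an older release that only passes the registered objects) falls through to Zend_Acl's default deny instead of granting on a guess.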