
Workshop Zend Framework. Part Three: Zend_Acl


Today we look at an example of creating Acl for a system with a large number of roles and resources.

Habr user Anexroid kindly provided a description of such a project:
The following access rights exist: Admin, with access to the admin panel. The admin panel has about 20-30 sections and 5 admins, all with different access: one has 2-3 sections, another has all 20. All menu items are stored in the database.
User - registered on the site. A user can create photo albums, comment on news without entering a captcha, etc., plus everything that a guest can do.
Enterprise - has a personal page in the catalog and, depending on the package purchased, various items in the personal account.
And a guest, who can view everything without limits. Comments are with captcha.
There are also consultants, who answer questions in consultations.
Moreover, enterprises and consultants have no registration; they are added by the administrator. And again, all the tables in the database are separate: separate administrators, separate users, separate enterprises, and separate consultants.

To begin with, we will define roles and resources and create inheritance hierarchies for both resources and roles:

In our example, the upper part of the resource hierarchy will mirror the structure of the role hierarchy. To display the resource hierarchy conveniently, we add an abstract resource for each role except Admin1-N and CompanyPackage1-N to our list of access rights. This works because the resources for Guest and User, and the resources common to all admins and to all companies, form a simple tree, which is not the case for the lower nodes of the tree, where there are intersections. For example, Admin1 and Admin2 may both have access to the Add News resource, and Zend_Acl resource trees unfortunately do not support multiple inheritance (a resource has at most one parent). Therefore the resources for the Admin1-N and CompanyPackage1-N roles will be set aside as exceptions and explicitly assigned to the roles that need them.

So, we have figured out the resource hierarchy; now let's create the Acl itself. To do this, extend the Zend_Acl class:

```php
<?php
class Acl extends Zend_Acl
{
    public function __construct()
    {
        // Roles: each child role inherits the rights of its parent
        $this->addRole('guest');
        $this->addRole('user', 'guest');
        $this->addRole('admin', 'user');
        $this->addRole('company', 'user');
        $this->addRole('company-package-1', 'company');
        $this->addRole('company-package-2', 'company');
        $this->addRole('company-package-3', 'company');
        // ...
        $this->addRole('admin-1', 'admin');
        $this->addRole('admin-2', 'admin');
        // ...
        $this->addRole('admin-5', 'admin');

        // Resources
        // Abstract resource for the guest; concrete guest resources inherit from guest_res
        $this->add(new Zend_Acl_Resource('guest_res'));
        $this->add(new Zend_Acl_Resource('add-comments-with-captcha'), 'guest_res');
        // Abstract resource for the user; concrete user resources inherit from user_res
        $this->add(new Zend_Acl_Resource('user_res'));
        $this->add(new Zend_Acl_Resource('add-comments'), 'user_res');
        // Abstract resource shared by all admins; common admin resources inherit from admin_res
        $this->add(new Zend_Acl_Resource('admin_res'));
        $this->add(new Zend_Acl_Resource('admin-tools-list'), 'admin_res');
        // Abstract resource shared by all companies; common company resources inherit from company_res
        $this->add(new Zend_Acl_Resource('company_res'));
        $this->add(new Zend_Acl_Resource('show-company-statistics'), 'company_res');
        // Resources that differ between individual admins and packages have no parent;
        // they are granted to the specific roles below
        $this->add(new Zend_Acl_Resource('advertise'));
        $this->add(new Zend_Acl_Resource('add-company'));

        // Deny everything by default, then grant explicitly
        $this->deny(null, null, null);
        $this->allow('guest', 'guest_res', 'show');
        $this->allow('user', 'user_res', 'show');
        $this->allow('admin', 'admin_res', 'show');
        $this->allow('company', 'company_res', 'show');
        // Exceptions: explicit grants for particular packages and admins
        $this->allow('company-package-1', 'advertise', 'show');
        $this->allow('admin-1', 'add-company', 'show');
    }
}
```

And immediately check that everything works as we expected:

```php
<?php
$acl = new Acl();
echo $acl->isAllowed('guest', 'add-comments-with-captcha', 'show') ? 'yes' : 'no'; // yes
echo $acl->isAllowed('guest', 'add-comments', 'show') ? 'yes' : 'no';              // no
echo $acl->isAllowed('admin-1', 'add-company', 'show') ? 'yes' : 'no';             // yes
echo $acl->isAllowed('company-package-2', 'advertise', 'show') ? 'yes' : 'no';     // no
```

In this example, I allowed myself a simplification and introduced a single show privilege, which corresponds to the ability to view a particular page. You can extend this example and add different privileges if required.
It is also obvious that this code does not account for the fact that company packages and administrators will be added, and that the rights of other roles may change over time. Therefore you will need to store the data in a database and either build the object on demand, retrieving the necessary data, or store a serialized instance of the Acl class in some storage (for example, memcached). The choice is yours; I personally prefer the second option.
In the first post of this series, I looked at how to create an Acl using "controller/action" strings as resources, which is very convenient in small projects.
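As an added example (not code from the original post), here is one way to build the same kind of Acl from data rather than hard-coded calls, so that a new admin or package is a row in a table rather than a code change, and to cache the built object serialized as the post suggests. The three arrays are constructed here and stand in for rows read from assumed roles, resources and rules tables; the cache is a plain file standing in for memcached, and the Zend library is assumed to be on the include path.

```php
<?php
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Resource.php';

// Constructed sample rows: (role, parent), (resource, parent), (role, resource, privilege).
// Parents are listed before their children so they exist when the child is added.
$roles = array(
    array('guest', null), array('user', 'guest'),
    array('admin', 'user'), array('company', 'user'),
    array('company-package-1', 'company'),
    array('admin-1', 'admin'), array('admin-2', 'admin'),
);
$resources = array(
    array('guest_res', null), array('add-comments-with-captcha', 'guest_res'),
    array('user_res', null), array('add-comments', 'user_res'),
    array('admin_res', null), array('admin-tools-list', 'admin_res'),
    array('add-news', null), array('add-company', null),  // per-role exceptions, no parent
);
// 'add-news' is shared by admin-1 and admin-2: a resource has only one parent,
// so the shared access is expressed as two explicit rules instead.
$rules = array(
    array('guest', 'guest_res', 'show'), array('user', 'user_res', 'show'),
    array('admin', 'admin_res', 'show'),
    array('admin-1', 'add-news', 'show'), array('admin-2', 'add-news', 'show'),
    array('admin-1', 'add-company', 'show'),
);

function buildAcl(array $roles, array $resources, array $rules)
{
    $acl = new Zend_Acl();
    foreach ($roles as $r) {
        $acl->addRole($r[0], $r[1]);
    }
    foreach ($resources as $res) {
        $acl->add(new Zend_Acl_Resource($res[0]), $res[1]);
    }
    $acl->deny();                          // default: nobody may do anything
    foreach ($rules as $rule) {
        $acl->allow($rule[0], $rule[1], $rule[2]);
    }
    return $acl;
}

// Load the cached object if present, otherwise build and cache it.
// Invalidate this cache whenever the rights tables change.
$cacheFile = sys_get_temp_dir() . '/acl.ser';
$acl = is_file($cacheFile) ? unserialize(file_get_contents($cacheFile)) : null;
if (!$acl instanceof Zend_Acl) {
    $acl = buildAcl($roles, $resources, $rules);
    file_put_contents($cacheFile, serialize($acl));
}
var_dump($acl->isAllowed('admin-2', 'add-news', 'show'), $acl->isAllowed('admin-2', 'add-company', 'show'));
```

Only unserialize from a store that the application alone writes to; unserialize() of data an outsider can modify is not safe.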


Source: https://habr.com/ru/post/122469/
