Comments on: Dynamic Assertions for Zend_Acl in ZF

By: gogink

gogink — Tue, 05 Apr 2011 23:20:31 +0000

What if resources is dynamic? If resorces are items with itemId and userId (user that create item)?How to dynamicly add resorces by userID, and then assert those same resources?

By: Weltkind

Weltkind — Thu, 24 Mar 2011 07:46:53 +0000

Great thanks for this article! It is that I need so much!

By: Wil Moore III

Wil Moore III — Wed, 16 Feb 2011 08:27:23 +0000

Nice article Ralph. I sort of wish I had read this before implementing the same; however, doing so allowed me to dig pretty deep.

Konr mentioned this quite a while ago, but I thought I’d bring it up here in case anyone else stumbles across this article.

Instead of this:

// if role is publisher, he can always modify a post
if ($user->getRoleId() == ‘publisher’) {
return true;
}

I do this:

$acl->allow(‘publisher’, ‘blogPost’, array(‘publish’,'modify’));

Just to be clear; Is there any reason (besides demonstration purposes) to check the publisher’s roleId via the assertion class vs. int he allow definition?

By: Dynamic Assertions for Zend_Acl in ZF | Zend Framework University

Dynamic Assertions for Zend_Acl in ZF | Zend Framework University — Fri, 27 Aug 2010 23:39:26 +0000

[...] Zend_Acl can now be used to make concise, dynamic and expressive ACL systems. The assertion system that is in place in Zend_Acl can be leveraged in ways never seen before out of the box. While the User/BlogPost example is on the simple side, you can use this article to start thinking about the different ways such a system can be leveraged in your own projects where dynamic assertions would simplify controller or model code that is already in place. Author: Ralph Schindler Source: Ralph Schindler » Zend Framework [...]

By: Cameron

Cameron — Wed, 02 Dec 2009 07:23:03 +0000

This is literally the best webpage I have ever seen. Thanks, Ralph.

By: Hector Virgen

Hector Virgen — Tue, 13 Oct 2009 21:20:33 +0000

Hi Ralph,

In your class UserCanModifyBlogPostAssertion, you are throwing an InvalidArgumentException if the role is not a User or the resource is not a BlogPost. I’ve found that this can cause a problem if you query the ACL with strings instead of objects:

$acl->isAllowed(‘user’, $blogPost, ‘modify’); // throws exception

Although the query doesn’t make a whole lot of sense, this is still correct usage of Zend_Acl. It may be better to return false in your assertion if you can’t work with the passed in objects.

By: Hector Virgen

Hector Virgen — Thu, 08 Oct 2009 22:20:52 +0000

These changes are a huge improvement. Well done! It used to take me days to build a dynamic ACL system from scratch — now I can do it in a few minutes.

By: David Mintz

David Mintz — Thu, 08 Oct 2009 19:38:54 +0000

“In plain English, what developers want to be able to do is be able to design assertions that can accept application models that implement the Resource or Role interface, and be able to apply some dynamic or custom logic to assess whether or not the given role has access to the given resource.”

That’s actually pretty funny, believe it or not. (-:

By: Jonathan

Jonathan — Thu, 20 Aug 2009 10:04:48 +0000

Great Article! Thanks!

By: Toxygene

Toxygene — Wed, 19 Aug 2009 18:42:57 +0000

class User implements Zend_Acl_Role_Interface {
public $id;
public function __construct($id, $role) {
$this->id = $id;
$this->role = $role;
}
public function getRoleId()
{
return “{$this->role}-{$this->id}”;
}
}

class Post implements Zend_Acl_Resource_Interface {
public $id;
public $authorId;
public function __construct($id = null, $authorId = null) {
$this->id = $id;
$this->authorId = $authorId;
}
public function isAuthor(User $user) {
return $user->id == $this->authorId;
}
public function getResourceId() {
if ($this->id) {
return “posts-{$this->id}”;
} else {
return “posts”;
}
}
}

class IsAuthorOfPost implements Zend_Acl_Assert_Interface {
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null, $privilege = null) {
// type checks
return $resource->isAuthor($role);
}
}

$acl = new Zend_Acl();
$acl->addRole(“users”)
->addRole(“authors”, array(“users”))
->addRole(“admins”)
->addResource(“posts”)
->allow(“admins”, “posts”)
->allow(“authors”, “posts”, “create”)
->allow(“authors”, “posts”, array(“delete”, “edit”), new IsAuthorOfPost());

$allan = new User(1, “users”);
$acl->addRole($allan, $allan->role);

$mary = new User(2, “authors”);
$acl->addRole($mary, $mary->role);

$joe = new User(3, “authors”);
$acl->addRole($joe, $joe->role);

$mike = new User(4, “admins”);
$acl->addRole($mike, $mike->role);

var_dump($acl->isAllowed($allan, new Post(), “create”)); // false, users cannot create posts
var_dump($acl->isAllowed($mary, new Post(), “create”)); // true, authors can create posts
var_dump($acl->isAllowed($joe, new Post(), “create”)); // true, authors can create posts
var_dump($acl->isAllowed($mike, new Post(), “create”)); // true, admins can do anything with a post

$joesPost = new Post(1, $joe->id);
$acl->addResource($joesPost, “posts”);

var_dump($acl->isAllowed($allan, $joesPost, “edit”)); // false, Allan is not an author
var_dump($acl->isAllowed($mary, $joesPost, “edit”)); // false, Marry is not the author of the post
var_dump($acl->isAllowed($joe, $joesPost, “edit”)); // true, Joe is the author of the post
var_dump($acl->isAllowed($mike, $joesPost, “edit”)); // true, admins can do anything with posts