Zend Framework Acl with example
Posted by Faheem Abbas on November 5, 2008
Zend_Acl provides an implementation of privilege management based on roles and resources.
Resources
A resource is an object to which access is controlled.
Zend provides a very simple way to create a resource: implement Zend_Acl_Resource_Interface, which declares a single method, getResourceId(). Your class must implement this method.
You can add multiple resources to Zend_Acl. They are organized in a tree structure, which lets you arrange resources from the general to the specific.
Rules set on a resource near the top of the tree apply generally and are inherited by its children, while rules set on nodes further down the tree are more specific and override the inherited ones.
Roles
A role is an object that requests access to a resource.
Creating a role is just as simple in Zend_Acl: implement Zend_Acl_Role_Interface and its getRoleId() method. This is the only method Zend_Acl_Role provides.
In Zend_Acl, a role can inherit from one or more other roles.
To create resources and roles, you first need a Zend_Acl instance:
$acl = new Zend_Acl();
Then add resources to it as follows:
$acl->add(new Zend_Acl_Resource('view'));
$acl->add(new Zend_Acl_Resource('edit'));
$acl->add(new Zend_Acl_Resource('delete'));
Once roles and resources exist, we can grant privileges to roles on resources with allow($roles, $resources, $privileges); null for the resources argument means every resource, and omitting the privileges means every privilege:
$acl->allow('guest', null, 'view');
$acl->allow('editor', null, array('view', 'edit'));
$acl->allow('admin');
Similarly, the deny() method of Zend_Acl records access denials:
$acl->deny('guest', null, array('edit', 'delete'));
Later in our code we can check privileges as follows:
$acl->isAllowed('guest', null, 'view');
The isAllowed() method returns true or false depending on the rules that were set; where no rule matches, the answer is false, because Zend_Acl denies by default.
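The resource tree and role inheritance described above, as an added example that is not part of the original post. It assumes Zend Framework 1 on the include_path; the role and resource names are constructed for the demonstration.

```php
<?php
// Added example, not code from the original post: a resource tree with role
// inheritance, showing a general rule on a parent resource refined by a more
// specific rule on a child. Assumes Zend Framework 1 on the include_path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

function buildContentAcl()
{
    $acl = new Zend_Acl();
    // Roles: 'editor' inherits from 'guest', 'admin' inherits from 'editor'.
    $acl->addRole(new Zend_Acl_Role('guest'));
    $acl->addRole(new Zend_Acl_Role('editor'), 'guest');
    $acl->addRole(new Zend_Acl_Role('admin'), 'editor');
    // Resource tree: 'content' is the general node, the other two are its children.
    $acl->add(new Zend_Acl_Resource('content'));
    $acl->add(new Zend_Acl_Resource('news'), 'content');
    $acl->add(new Zend_Acl_Resource('announcements'), 'content');
    // General rules on the parent ...
    $acl->allow('guest', 'content', 'view');
    $acl->allow('editor', 'content', 'edit');
    // ... refined by a specific deny on one child: editors may not edit announcements.
    $acl->deny('editor', 'announcements', 'edit');
    // Admin gets every privilege on every resource.
    $acl->allow('admin');
    return $acl;
}

// Evaluate (role, resource, privilege) queries. A child resource without a rule
// of its own falls back to 'content', a role without a rule of its own falls
// back to its parent roles, and anything still unmatched hits the default deny.
function decisions(Zend_Acl $acl, array $queries)
{
    $out = array();
    foreach ($queries as $q) {
        list($role, $resource, $privilege) = $q;
        $out[implode('/', $q)] = $acl->isAllowed($role, $resource, $privilege);
    }
    return $out;
}

$queries = array(
    array('guest', 'news', 'view'),           array('guest', 'news', 'edit'),
    array('editor', 'news', 'edit'),          array('editor', 'announcements', 'edit'),
    array('editor', 'announcements', 'view'), array('admin', 'announcements', 'delete'),
);
foreach (decisions(buildContentAcl(), $queries) as $query => $allowed) {
    echo str_pad($query, 32), $allowed ? 'allowed' : 'denied', "\n";
}
```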
To see how we can use the Zend_Acl component in an application, let's take a simple example.
Suppose we have several controllers, e.g. News, LatestNews and Announcements, each with the following actions:
<?php
class NewsController extends Zend_Controller_Action
{
    public function viewAction()
    {
        // add your view code.
    }

    public function editAction()
    {
        // add your edit code.
    }

    public function deleteAction()
    {
        // add your delete code.
    }
}
Create the other controllers in the same way.
Suppose we have the following specifications:
- "guest" can only view content, so it may access only the "view" action
- "editor" can access the view and edit actions, but cannot delete
- "admin" has all the privileges, so it can access all the actions
To set up our roles we need the following directory structure:
library/My/Controller/Helper/
and
library/My/Controller/Plugin/
In the Helper directory create Acl.php and place the following code in it.
<?php
class My_Controller_Helper_Acl
{
    public $acl;

    public function __construct()
    {
        $this->acl = new Zend_Acl();
    }

    public function setRoles()
    {
        $this->acl->addRole(new Zend_Acl_Role('guest'));
        $this->acl->addRole(new Zend_Acl_Role('editor'));
        $this->acl->addRole(new Zend_Acl_Role('admin'));
    }

    public function setResources()
    {
        $this->acl->add(new Zend_Acl_Resource('view'));
        $this->acl->add(new Zend_Acl_Resource('edit'));
        $this->acl->add(new Zend_Acl_Resource('delete'));
    }

    // Privileges are granted on the null (root) resource, because the plugin
    // later queries isAllowed($role, null, $action) against that resource.
    public function setPrivilages()
    {
        $this->acl->allow('guest', null, 'view');
        $this->acl->allow('editor', null, array('view', 'edit'));
        $this->acl->allow('admin');
    }

    // Store the ACL in the registry so the front controller plugin can fetch it.
    public function setAcl()
    {
        Zend_Registry::set('acl', $this->acl);
    }
}
In the code above we define our helper class. The constructor instantiates Zend_Acl, and the class then defines the following public methods:
- setRoles(): adds the roles to the acl object.
- setResources(): adds the resources to the acl object.
- setPrivilages(): grants privileges to the roles.
- setAcl(): stores the acl object in Zend_Registry for later use. This step is required, because the plugin reads the object back from the registry.
Now in library/My/Controller/Plugin/ create Acl.php and place the following code in it.
<?php
class My_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
{
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        // The ACL object stored by My_Controller_Helper_Acl::setAcl() at bootstrap.
        $acl = Zend_Registry::get('acl');

        // The role comes from the session; a visitor with no userType is a guest.
        $usersNs = new Zend_Session_Namespace('members');
        if (empty($usersNs->userType)) {
            $roleName = 'guest';
        } else {
            $roleName = $usersNs->userType;
        }

        // The requested action name is used as the privilege to check.
        $privilageName = $request->getActionName();

        // Not allowed: send the request to the Error controller's index action instead.
        if (!$acl->isAllowed($roleName, null, $privilageName)) {
            $request->setControllerName('Error');
            $request->setActionName('index');
        }
    }
}
Explanation:
In the code above we create a plugin by extending Zend_Controller_Plugin_Abstract and overriding its preDispatch() method.
In preDispatch() we fetch the $acl object from Zend_Registry, where the helper stored it earlier.
Next we instantiate a session namespace and read userType. If this is the visitor's first contact with the application, no userType is set and we give the user the role "guest". The type is set during authentication, when a logged-in user is given a specific role.
Next we get the action name with $request->getActionName() and assign it to $privilageName.
The next line is crucial. We check the privileges:
if (!$acl->isAllowed($roleName, null, $privilageName))
If the condition is true, the user does not have the privilege to access the requested action, so we forward the request to the Error controller's index action.
If the condition is false, the user can access the requested action.
Two points to keep in mind: the check uses only the action name, so a "view" action is allowed on every controller, and isAllowed() throws an exception if the role name taken from the session is not one registered with the ACL.
We are now nearly done. You still need to add the following code to your bootstrap file:
$helper = new My_Controller_Helper_Acl();
$helper->setRoles();
$helper->setResources();
$helper->setPrivilages();
$helper->setAcl();
and then register the plugin with the front controller:
$frontController->registerPlugin(new My_Controller_Plugin_Acl());
That is your simple role management application.
Now if you request
http://yourhost/news/view
you are given access to the view action of the News controller (or of any other controller).
However, if you request
http://yourhost/news/edit/
you are forwarded to the Error controller's index action. I haven't covered the Error controller here, so you will need to create your own.
For further queries post your comments.
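A fail-closed variant of the plugin's role lookup and privilege check, added here as an example that is not part of the original post. It assumes Zend Framework 1 on the include_path; the ACL is rebuilt inline rather than read from Zend_Registry, and the requests are constructed with Zend_Controller_Request_Simple, so the script runs stand-alone.

```php
<?php
// Added example, not code from the original post: a fail-closed version of the
// role lookup and privilege check done in preDispatch(). Assumes Zend Framework 1
// on the include_path; the ACL is rebuilt inline instead of being read from
// Zend_Registry, and the requests are constructed, so the script runs stand-alone.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Controller/Request/Simple.php';
// Map the session's userType to a registered role. An empty, unknown or
// tampered value (e.g. 'Admin', 'root') becomes 'guest': Zend_Acl::isAllowed()
// throws on an unregistered role id, and an uncaught exception at this point
// would replace the access decision with an error page.
function resolveRole(Zend_Acl $acl, $sessionValue, $fallback = 'guest')
{
    if (is_string($sessionValue) && $acl->hasRole($sessionValue)) {
        return $sessionValue;
    }
    return $fallback;
}

// Decide a request: the action name is the privilege, queried against the root
// resource (null) exactly as the plugin does; any Zend_Acl exception is a denial.
function requestAllowed(Zend_Acl $acl, $role, Zend_Controller_Request_Abstract $request)
{
    try {
        return (bool) $acl->isAllowed($role, null, $request->getActionName());
    } catch (Zend_Acl_Exception $e) {
        return false;
    }
}

// The post's rule set, with each privilege granted on the root resource so that
// the null-resource query above can match it.
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('editor'));
$acl->addRole(new Zend_Acl_Role('admin'));
$acl->allow('guest', null, 'view');
$acl->allow('editor', null, array('view', 'edit'));
$acl->allow('admin');
// Constructed (session userType, requested action) pairs for the News controller.
$cases = array(array('', 'view'), array('editor', 'delete'), array('root', 'delete'), array('admin', 'delete'));
foreach ($cases as $case) {
    list($sessionType, $action) = $case;
    $role = resolveRole($acl, $sessionType);
    $request = new Zend_Controller_Request_Simple($action, 'news');
    printf("userType=%-8s role=%-6s news/%-6s => %s\n", "'$sessionType'", $role, $action,
        requestAllowed($acl, $role, $request) ? 'dispatch' : 'forward to Error/index');
}
```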
xprt64 said
A very simple and a very good start example for those interested in implementing access control in their applications.
For me it was useful.
Vaidas said
Everything looks simple, the only thing that I didn't understand is how I assign users to different roles... How does the ACL know who is logged in... guest, admin or editor
Faheem Abbas said
When the user logs in, simply write this code where you have placed the code for the login:
$usersNs = new Zend_Session_Namespace('members');
$usersNs->userType = 'admin/editor/publisher';