PhpRiot
Become Zend Certified

Prepare for the ZCE exam using our quizzes (web or iPad/iPhone). More info...


When you're ready get 7.5% off your exam voucher using voucher CJQNOV23 at the Zend Store

Writing Conditional ACL Rules with Assertions

Sometimes a rule for allowing or denying a role access to a resource should not be absolute but dependent upon various criteria. For example, suppose that certain access should be allowed, but only between the hours of 8:00am and 5:00pm. Another example would be denying access because a request comes from an IP address that has been flagged as a source of abuse. Zend_Acl has built-in support for implementing rules based on whatever conditions the developer needs.

Zend_Acl provides support for conditional rules with Zend_Acl_Assert_Interface. In order to use the rule assertion interface, a developer writes a class that implements the assert() method of the interface:

<?php
class CleanIPAssertion implements Zend_Acl_Assert_Interface
{
    public function 
assert(Zend_Acl $acl,
                           
Zend_Acl_Role_Interface $role null,
                           
Zend_Acl_Resource_Interface $resource null,
                           
$privilege null)
    {
        return 
$this->_isCleanIP($_SERVER['REMOTE_ADDR']);
    }

    protected function 
_isCleanIP($ip)
    {
        
// ...
    
}
}

Once an assertion class is available, the developer must supply an instance of the assertion class when assigning conditional rules. A rule that is created with an assertion only applies when the assertion method returns TRUE.

<?php
$acl 
= new Zend_Acl();
$acl->allow(nullnullnull, new CleanIPAssertion());

The above code creates a conditional allow rule that allows access to all privileges on everything by everyone, except when the requesting IP is "blacklisted." If a request comes in from an IP that is not considered "clean," then the allow rule does not apply. Since the rule applies to all roles, all resources, and all privileges, an "unclean" IP would result in a denial of access. This is a special case, however, and it should be understood that in all other cases (i.e., where a specific role, resource, or privilege is specified for the rule), a failed assertion results in the rule not applying, and other rules would be used to determine whether access is allowed or denied.

The assert() method of an assertion object is passed the ACL, role, resource, and privilege to which the authorization query (i.e., isAllowed()) applies, in order to provide a context for the assertion class to determine its conditions where needed.

Zend Framework