Now that the ACL contains the relevant roles, rules can be established that define how resources may be accessed by roles. You may have noticed that we have not defined any particular resources for this example, which is simplified to illustrate that the rules apply to all resources. Zend_Acl provides an implementation whereby rules need only be assigned from general to specific, minimizing the number of rules needed, because resources and roles inherit rules that are defined upon their ancestors.

Zend_Acl obeys a given rule if and only if a more specific rule does not apply.

Consequently, we can define a reasonably complex set of rules with a minimum amount of code. To apply the base permissions as defined above:
$acl = new Zend_Acl();
// A role must be registered before another role can inherit from it
$roleGuest = new Zend_Acl_Role('guest');
$acl->addRole($roleGuest);
$acl->addRole(new Zend_Acl_Role('staff'), $roleGuest);
$acl->addRole(new Zend_Acl_Role('editor'), 'staff');
$acl->addRole(new Zend_Acl_Role('administrator'));
// Guest may only view content
$acl->allow($roleGuest, null, 'view');
// Alternatively, the above could be written:
// $acl->allow('guest', null, 'view');
// Staff inherits view privilege from guest, but also needs additional
// privileges
$acl->allow('staff', null, array('edit', 'submit', 'revise'));
// Editor inherits view, edit, submit, and revise privileges from
// staff, but also needs additional privileges
$acl->allow('editor', null, array('publish', 'archive', 'delete'));
// Administrator inherits nothing, but is allowed all privileges
$acl->allow('administrator');

The NULL values in the allow() calls above indicate that the allow rules apply to all resources.
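
An added check, not part of the original documentation: it rebuilds the ACL above and compares Zend_Acl's answers against the intended privilege matrix, so an over-broad rule or a broken inheritance link shows up as a mismatch. It assumes Zend Framework 1 is on the include path; 'purge' is a constructed privilege that no rule names.

```php
<?php
// Added example. Assumption: Zend Framework 1 is on the include_path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';

// Same roles and rules as in the text above.
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('staff'), 'guest');
$acl->addRole(new Zend_Acl_Role('editor'), 'staff');
$acl->addRole(new Zend_Acl_Role('administrator'));

$acl->allow('guest', null, 'view');
$acl->allow('staff', null, array('edit', 'submit', 'revise'));
$acl->allow('editor', null, array('publish', 'archive', 'delete'));
$acl->allow('administrator');

// Intended privileges per role, inherited ones included.
$guest  = array('view');
$staff  = array_merge($guest, array('edit', 'submit', 'revise'));
$editor = array_merge($staff, array('publish', 'archive', 'delete'));
// 'purge' is a constructed privilege that no rule names: only the
// administrator's blanket allow should cover it.
$all = array_merge($editor, array('purge'));
$expected = array(
    'guest'         => $guest,
    'staff'         => $staff,
    'editor'        => $editor,
    'administrator' => $all,
);

// Ask the ACL about every role/privilege pair on all resources (null)
// and report any answer that differs from the intended matrix.
$failures = 0;
foreach ($expected as $role => $granted) {
    foreach ($all as $privilege) {
        $want = in_array($privilege, $granted, true);
        $got  = $acl->isAllowed($role, null, $privilege);
        if ($want !== $got) {
            $failures++;
            printf("MISMATCH %s/%s: expected %s, got %s\n", $role, $privilege,
                var_export($want, true), var_export($got, true));
        }
    }
}
echo $failures === 0 ? "ACL matches the intended matrix\n" : "$failures mismatch(es)\n";
exit($failures === 0 ? 0 : 1);
```

The non-zero exit status on a mismatch lets the script run as a build or deployment gate whenever the rules change.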