Defining Access Controls

Now that the ACL contains the relevant roles, rules can be established that define how resources may be accessed by roles. You may have noticed that we have not defined any particular resources for this example, which is simplified to illustrate that the rules apply to all resources. Zend_Acl provides an implementation whereby rules need only be assigned from general to specific, minimizing the number of rules needed, because resources and roles inherit rules that are defined upon their ancestors.


In general, Zend_Acl obeys a given rule if and only if a more specific rule does not apply.

Consequently, we can define a reasonably complex set of rules with a minimum amount of code. To apply the base permissions as defined above:

$acl = new Zend_Acl();

// A role must be registered before other roles can inherit from it
$roleGuest = new Zend_Acl_Role('guest');
$acl->addRole($roleGuest);
$acl->addRole(new Zend_Acl_Role('staff'), $roleGuest);
$acl->addRole(new Zend_Acl_Role('editor'), 'staff');
$acl->addRole(new Zend_Acl_Role('administrator'));

// Guest may only view content
$acl->allow($roleGuest, null, 'view');

// Alternatively, the above could be written:
// $acl->allow('guest', null, 'view');

// Staff inherits view privilege from guest, but also needs additional
// privileges
$acl->allow('staff', null, array('edit', 'submit', 'revise'));

// Editor inherits view, edit, submit, and revise privileges from
// staff, but also needs additional privileges
$acl->allow('editor', null, array('publish', 'archive', 'delete'));

// Administrator inherits nothing, but is allowed all privileges
$acl->allow('administrator');

The NULL values in the above allow() calls are used to indicate that the allow rules apply to all resources.
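
Because most of these grants arrive through inheritance rather than an explicit rule, it is worth checking the effective permissions against the intended policy. The following is an added example, not part of the original manual: it assumes Zend Framework 1 is on the include path, and the auditAcl() helper and the $expected table are hypothetical names introduced here.

```php
<?php
// Added example: assumes Zend Framework 1 is on the include path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';

// Roles and rules exactly as defined in this section.
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('staff'), 'guest');
$acl->addRole(new Zend_Acl_Role('editor'), 'staff');
$acl->addRole(new Zend_Acl_Role('administrator'));
$acl->allow('guest', null, 'view');
$acl->allow('staff', null, array('edit', 'submit', 'revise'));
$acl->allow('editor', null, array('publish', 'archive', 'delete'));
$acl->allow('administrator');

$privileges = array('view', 'edit', 'submit', 'revise', 'publish', 'archive', 'delete');

// Intended policy: what each role should end up with, inherited grants included.
$expected = array(
    'guest'         => array('view'),
    'staff'         => array('view', 'edit', 'submit', 'revise'),
    'editor'        => $privileges,
    'administrator' => $privileges,
);

// Hypothetical helper: lists every role/privilege pair whose effective
// decision differs from the intended policy (extra or missing grants).
function auditAcl(Zend_Acl $acl, array $expected, array $privileges)
{
    $findings = array();
    foreach ($expected as $role => $granted) {
        foreach ($privileges as $privilege) {
            // null resource = the rule set that applies to all resources
            $actual = $acl->isAllowed($role, null, $privilege);
            $wanted = in_array($privilege, $granted, true);
            if ($actual !== $wanted) {
                $findings[] = sprintf('%s/%s: expected %s, got %s', $role, $privilege,
                    $wanted ? 'allow' : 'deny', $actual ? 'allow' : 'deny');
            }
        }
    }
    return $findings;
}

$findings = auditAcl($acl, $expected, $privileges);
echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : "ACL matches intended policy" . PHP_EOL;
exit($findings ? 1 : 0);
```

Since administrator was granted with no privilege list, any privilege name introduced later is allowed for that role automatically, while every other role stays denied until a rule names it.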
