Now that the ACL contains the relevant roles, rules can be
established that define how resources may be accessed by roles. You may have noticed
that we have not defined any particular resources for this example, which is simplified
to illustrate that the rules apply to all resources. Zend_Acl
provides an implementation whereby rules need only be assigned from general to
specific, minimizing the number of rules needed, because resources and roles inherit
rules that are defined upon their ancestors.
Note
In general, Zend_Acl obeys a given rule if and only if a
more specific rule does not apply.
Consequently, we can define a reasonably complex set of rules with a minimum amount of code. To apply the base permissions as defined above:
<?php
$acl = new Zend_Acl();
$roleGuest = new Zend_Acl_Role('guest');
$acl->addRole($roleGuest);
$acl->addRole(new Zend_Acl_Role('staff'), $roleGuest);
$acl->addRole(new Zend_Acl_Role('editor'), 'staff');
$acl->addRole(new Zend_Acl_Role('administrator'));
// Guest may only view content
$acl->allow($roleGuest, null, 'view');
/*
Alternatively, the above could be written:
$acl->allow('guest', null, 'view');
//*/
// Staff inherits view privilege from guest, but also needs additional
// privileges
$acl->allow('staff', null, array('edit', 'submit', 'revise'));
// Editor inherits view, edit, submit, and revise privileges from
// staff, but also needs additional privileges
$acl->allow('editor', null, array('publish', 'archive', 'delete'));
// Administrator inherits nothing, but is allowed all privileges
$acl->allow('administrator');
The NULL values in the above allow() calls
are used to indicate that the allow rules apply to all resources.
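A rule set like this is worth checking as a whole, because inheritance grants privileges implicitly and an over-grant is easy to miss. The script below is an added example, not part of the Zend Framework manual: it rebuilds the ACL above and compares every role and privilege pair against an expected matrix using isAllowed(). It assumes Zend Framework 1 is on the include_path; buildAcl(), auditAcl() and the 'update' probe privilege are names chosen for illustration.

```php
<?php
// Added example, not from the Zend Framework manual.
// Assumption: Zend Framework 1 is on the include_path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';

// Same roles and rules as the listing above.
function buildAcl()
{
    $acl = new Zend_Acl();
    $acl->addRole(new Zend_Acl_Role('guest'));
    $acl->addRole(new Zend_Acl_Role('staff'), 'guest');
    $acl->addRole(new Zend_Acl_Role('editor'), 'staff');
    $acl->addRole(new Zend_Acl_Role('administrator'));
    $acl->allow('guest', null, 'view');
    $acl->allow('staff', null, array('edit', 'submit', 'revise'));
    $acl->allow('editor', null, array('publish', 'archive', 'delete'));
    $acl->allow('administrator');
    return $acl;
}

// Compare every role/privilege pair against the expected matrix (hypothetical helper).
function auditAcl(Zend_Acl $acl, array $expected, array $probe)
{
    $failures = array();
    foreach ($expected as $role => $allowed) {
        foreach ($probe as $privilege) {
            $want = in_array($privilege, $allowed, true);
            $got  = (bool) $acl->isAllowed($role, null, $privilege);
            if ($want !== $got) {
                $failures[] = "$role/$privilege: expected " . ($want ? 'allow' : 'deny');
            }
        }
    }
    return $failures;
}

// 'update' is never granted by name; it probes the default-deny path.
$probe = array('view', 'edit', 'submit', 'revise', 'publish', 'archive', 'delete', 'update');
$expected = array(
    'guest'         => array('view'),
    'staff'         => array('view', 'edit', 'submit', 'revise'),
    'editor'        => array('view', 'edit', 'submit', 'revise', 'publish', 'archive', 'delete'),
    'administrator' => $probe, // blanket allow covers unnamed privileges too
);

$failures = auditAcl(buildAcl(), $expected, $probe);
echo $failures ? implode("\n", $failures) . "\n" : "ACL matches the expected matrix\n";
exit($failures ? 1 : 0);
```

The non-zero exit status on any mismatch lets the script run as a gate in a build or deployment step whenever the rule set changes.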




