PhpRiot
Become Zend Certified

Prepare for the ZCE exam using our quizzes (web or iPad/iPhone). More info...


When you're ready get 7.5% off your exam voucher using voucher CJQNOV23 at the Zend Store

Precise Access Controls

The basic ACL as defined in the previous section shows how various privileges may be allowed upon the entire ACL (all resources). In practice, however, access controls tend to have exceptions and varying degrees of complexity. Zend_Acl allows to you accomplish these refinements in a straightforward and flexible manner.

For the example CMS, it has been determined that whilst the 'staff' group covers the needs of the vast majority of users, there is a need for a new 'marketing' group that requires access to the newsletter and latest news in the CMS. The group is fairly self-sufficient and will have the ability to publish and archive both newsletters and the latest news.

In addition, it has also been requested that the 'staff' group be allowed to view news stories but not to revise the latest news. Finally, it should be impossible for anyone (administrators included) to archive any 'announcement' news stories since they only have a lifespan of 1-2 days.

First we revise the role registry to reflect these changes. We have determined that the 'marketing' group has the same basic permissions as 'staff', so we define 'marketing' in such a way that it inherits permissions from 'staff':

<?php
// The new marketing group inherits permissions from staff
$acl->addRole(new Zend_Acl_Role('marketing'), 'staff');

Next, note that the above access controls refer to specific resources (e.g., "newsletter", "latest news", "announcement news"). Now we add these resources:

<?php
// Create Resources for the rules

// newsletter
$acl->addResource(new Zend_Acl_Resource('newsletter'));

// news
$acl->addResource(new Zend_Acl_Resource('news'));

// latest news
$acl->addResource(new Zend_Acl_Resource('latest'), 'news');

// announcement news
$acl->addResource(new Zend_Acl_Resource('announcement'), 'news');

Then it is simply a matter of defining these more specific rules on the target areas of the ACL:

<?php
// Marketing must be able to publish and archive newsletters and the
// latest news
$acl->allow('marketing',
            array(
'newsletter''latest'),
            array(
'publish''archive'));

// Staff (and marketing, by inheritance), are denied permission to
// revise the latest news
$acl->deny('staff''latest''revise');

// Everyone (including administrators) are denied permission to
// archive news announcements
$acl->deny(null'announcement''archive');

We can now query the ACL with respect to the latest changes:

<?php
echo $acl->isAllowed('staff''newsletter''publish') ?
     
"allowed" "denied";
// denied

echo $acl->isAllowed('marketing''newsletter''publish') ?
     
"allowed" "denied";
// allowed

echo $acl->isAllowed('staff''latest''publish') ?
     
"allowed" "denied";
// denied

echo $acl->isAllowed('marketing''latest''publish') ?
     
"allowed" "denied";
// allowed

echo $acl->isAllowed('marketing''latest''archive') ?
     
"allowed" "denied";
// allowed

echo $acl->isAllowed('marketing''latest''revise') ?
     
"allowed" "denied";
// denied

echo $acl->isAllowed('editor''announcement''archive') ?
     
"allowed" "denied";
// denied

echo $acl->isAllowed('administrator''announcement''archive') ?
     
"allowed" "denied";
// denied

Zend Framework