Authorization is the process of specifying access to resources to different users based on defined roles. Zend Framework provides Zend_Acl to define and enforce an Access Control List (ACL).

Resources

In Zend Framework context resources are usually actions you want to control access to. Zend provides the Zend_Acl_Resource class to create resources. Each resource should have a unique ID to identify it.

1
new Zend_Acl_Resource('resourceId');

Then you can add the resource to Zend_Acl using Zend_Acl::add:

1
Zend_Acl::add(new Zend_Acl_Resource('resourceId'));

Roles

In your application, roles are the different kind of users your application serves. Zend framework provides Zend_Acl_Role to create roles, and they work very similar to Resources:

1
Zend_Acl::addRole(new Zend_Acl_Role('roleId'));

Since it is very usual to have roles in a hierarchical structure you can have roles that inherit from other roles. You only need to specify the role you want to inherit from as the second argument of Zend_Acl_Role constructor:

1
new Zend_Acl_Role('roleId', 'parentRole');

Rules

Rules are when we specify if a role has or not access to an specific resource. Zend_Acl uses a white list approach by default, so you need to explicitly define each rule for your system. For giving permissions to a specif role to a resource you can use Zend_Acl::allow:

1
Zend_Acl::allow('guestId', 'resourceId');

Putting it all together

To put this all together I like to have a model that controls all the rules:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
<?php
/**
 * ACL model
 */
class Application_Model_Acl extends Zend_Acl
{
    /**
     * Initialize authorization
     */
    public function __construct()
    {
        $this->createRoles();
        $this->createResources();
        $this->createRules();
    }

    /**
     * Create roles
     */
    protected function createRoles()
    {
        $this->addRole(new Zend_Acl_Role('guest'));
        $this->addRole(new Zend_Acl_Role('admin'), 'guest');
    }

    /**
     * Create resources
     */
    protected function createResources()
    {
        // Some Controller::Action keys
        $this->add(new Zend_Acl_Resource('error::error'));
        $this->add(new Zend_Acl_Resource('auth::login'));
        $this->add(new Zend_Acl_Resource('index::index'));
        $this->add(new Zend_Acl_Resource('auth::logout'));
        $this->add(new Zend_Acl_Resource('admin::index'));
    }

    /**
     * Create access rules
     */
    protected function createRules()
    {
        // Guest permissions
        $this->allow('guest', 'error::error');
        $this->allow('guest', 'auth::login');
        $this->allow('guest', 'index::index');

        // Admin permissions
        $this->allow('admin', 'auth::logout');
        $this->allow('admin', 'admin::index');
    }
}

Now we have a model that we can easily instantiate it to initialize our ACL. You can see that for the resource keys I used a combination of controller::key.

Because we want to activate our ACL with every request the best bet is to make a plugin to run it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
<?php
/**
 * ACL Plugin
 */
class Application_Plugin_Acl extends Zend_Controller_Plugin_Abstract
{
    /**
     * Index of the role in the authentication storage
     * @const string
     */
    const ROLE_INDEX = 'role';

    /**
     * Default role for not logged users
     * @const string
     */
    const DEFAULT_ROLE = 'guest';

    /**
     * Verify if the logged user has access to the requested resource. If the
     * user does not have access they will be redirected to an authorization
     * page
     *
     * @param Zend_Controller_Request_Abstract $request
     */
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        // We get the current role from the Authentication object
        $auth = Zend_Auth::getInstance();
        $user = $auth->getIdentity();

        if (isset($user->{self::ROLE_INDEX})) {
            $role = $user->{self::ROLE_INDEX};
        } else {
            $role = self::DEFAULT_ROLE;
        }

        $acl = new Application_Model_Acl();
        if (
            !$acl->isAllowed(
                $role,
                $request->getControllerName() . '::' . $request->getActionName()
            )
        ) {
            // Redirect to login page
        }
    }
}

That’s it, we have our authorization system ready.

[ authentication  design_patterns  php  programming  ]
Mutexes in C++ design_patterns programming
Passing by reference to a thread in C++ design_patterns programming
Futures, async, packaged_tasks and promises in C++ design_patterns programming
C++ Header files  design_patterns programming
Google auth with Beego authentication programming