Monday, November 30, 2009

Authorization with rules


In this example, we implement authorization with rules that apply to all resources.

Components used in this example
Implementation of the authorization

class MyAcl
{
The authorization process
  • We get the role and the requested permission from the GET request.
  • We instantiate the authorization object.
  • We create the roles and the rules.
  • We verify if the role is allowed to access the resource. And we return a message accordingly.

    public function process()
    {
        
// We get the role and the requested permission from the GET request.
        
list($role$permission) = $this->_getParameters();
        
// We instantiate the authorization object.
        
$acl = new Zend_Acl();
        
// We create the roles and the rules.
        
$this->_createRoles($acl);
        
$this->_createRules($acl);

        if (
$role and $permission) {
            
// We verify if the role is allowed to access the resource.
            // And we return a message accordingly.
            
$status $acl->isAllowed($rolenull$permission) ? 'allowed' 'denied';
            
$message "The $role is $status to $permission content!";
        } else {
            
$message '';
        }

        return array(
$role$permission$message);
    }
Extraction of the parameters from the GET request

    private function _getParameters()
    {
        
$role = isset($_GET['role'])? $_GET['role'] : '';
        
$permission = isset($_GET['permission'])? $_GET['permission'] : '';

        return array(
$role$permission);
    }
Creation of the roles
  • The guest does not inherit access controls.
  • The staff inherits from the guest.
  • The editor inherits from the staff.
  • The administrator does not inherit access controls.

    private function _createRoles($acl)
    {
        
// The guest does not inherit access controls.
        
$acl->addRole(new Zend_Acl_Role('guest'));
        
// The staff inherits from the guest.
        
$acl->addRole(new Zend_Acl_Role('staff'), 'guest');
        
// The editor inherits from the staff.
        
$acl->addRole(new Zend_Acl_Role('editor'), 'staff');
        
// The administrator does not inherit access controls.
        
$acl->addRole(new Zend_Acl_Role('administrator'));
    }
Creation of the rules
  • The guest is only allowed to view content.
  • The staff is also allowed to edit, to submit or to revise content.
  • The editor is also allowed to publish, to archive or to delete content.
  • The administrator is granted all privileges.

    private function _createRules($acl)
    {
        
// The guest is only allowed to view content.
        
$acl->allow('guest'null'view');
        
// The staff is also allowed to edit, to submit or to revise content.
        
$acl->allow('staff'null, array('edit''submit''revise'));
        
// The editor is also allowed to publish, to archive or to delete content.
        
$acl->allow('editor'null, array('publish''archive''delete'));
        
// The administrator is granted all privileges.
        
$acl->allow('administrator');
    }

}
