Thank you for your reply,
It does help. I hadn't considered using the field names in the privileges.
That does make sense. Using your example, one can refine it to say, make
an article readable by all, but create a privilege 'update_title', to
allow some users to update its title field.
I guess the whole confusion comes from the fact that I have a resource
(the article) for which there are fields (the title) for which I want to
register privileges (read, update, etc.). Sometimes you'd just want to
make a whole (Zend_Db_Table derived) model accessible as a whole, but
sometimes you may want to limit access to parts of it. It then is
unclear whether the whole Zend_Db_Table, or one of its fields, is the
actual resource for which I want to register a privilege.
Greetings,
Maurice Fonk
Darby Felton wrote:
Hi Maurice,
Zend_Acl also supports the idea of "privileges" upon resources. If you
were to utilize such privileges for updating the username and for the
timestamp, to follow your example, then you need not create a resource
object for these.
To use another simple example, imagine an article resource, to which
there are "create", "read", "update", and "delete" privileges. Each of
these is not a resource itself but rather a privilege upon a resource.
Examples using privileges are documented in the manual:
http://framework.zend.com/manual/en/zend.acl.html
The Zend_Acl unit tests also contain usage examples with privileges.
Maybe you could map your model columns to privileges?
Hope this helps!
Best regards,
Darby
Maurice Fonk wrote:
Hello,
I too would like to comment on this. I've been trying to use Zend_Acl to
restrict access to my models. Basically, what I want is to make certain
fields of a database row editable to some, but not to all. It's not that
difficult to make some class extending Zend_Db_Table_Row implement
Zend_Acl_Resource_Interface. But that only gets you halfway there. If I
make getResourceId() return the name of the model I can restrict access
(create/edit/delete) of a row to certain groups of users.
But if I want to, say, restrict a user to updating his or her username,
but not the timestamp their account was created at (because it's fixed),
would I really have to create ACL resources for all the fields?
I came across this while thinking about my little JavaScript
Zend_Db_Table implementation. I have written a post on my blog (
http://naneau.nl/2007/04/18/securing-jstable/ ) about this. But like I
said before, if you make the row, or model, your resource, there are
still some restrictions left you have to cover.
Do you have any thoughts on this?
Best regards,
Maurice Fonk
Juan Felipe Alvarez Saldarriaga wrote:
Hey :)
I want to implement Zend_Acl in my application, but I don't know how
to make that work with a database model. Is there some tutorial or
page I can look at?
Another question about Zend_Acl, in the example to add resources:
$acl->add(new Zend_Acl_Resource('newsletter')); // newsletter
What is this "newsletter"? A controller? A method? I want to
restrict access to the controllers. This is my idea: check the permissions
of the current user using Zend_Acl, then restrict this user's access to
some controllers. Is this possible?
Thx.
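The thread settles on the model being the resource and the columns being privileges, with Maurice's 'update_title' refinement on top of Darby's create/read/update/delete example, and Juan asks whether a controller can be a resource. The following is an added example that ties those three points together; it is not code from the original thread or from the Zend Framework project. It assumes Zend Framework 1.x is on the PHP include path (so the require_once lines resolve), and the role names (guest, member, editor), the resource ids ('article', 'controller:admin'), the column names and the deniedColumns() helper are all invented for illustration.

```php
<?php
// Added example, not part of the original thread.
// Assumption: Zend Framework 1.x is on the include path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Resource/Interface.php';

// Hypothetical model class standing in for a Zend_Db_Table_Row subclass:
// the whole model is the resource, so getResourceId() returns the model
// name, not a column name. Columns are handled as privileges below.
class Article implements Zend_Acl_Resource_Interface
{
    public function getResourceId()
    {
        return 'article';
    }
}

$acl = new Zend_Acl();

// Roles (invented): member inherits guest's rules, editor inherits member's.
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('member'), 'guest');
$acl->addRole(new Zend_Acl_Role('editor'), 'member');

// One resource for the model, and one for a controller (Juan's question):
// Zend_Acl does not care what a resource id denotes, only that it is unique.
$acl->add(new Zend_Acl_Resource('article'));
$acl->add(new Zend_Acl_Resource('controller:admin'));

// Whole-row privileges, as in Darby's create/read/update/delete example.
$acl->allow('guest',  'article', 'read');
$acl->allow('member', 'article', 'create');
$acl->allow('editor', 'article', array('update', 'delete'));

// Column-level privileges, as in Maurice's 'update_title' refinement.
// Nothing grants 'update_created', so Zend_Acl's default deny applies:
// the creation timestamp stays fixed for every role.
$acl->allow('member', 'article', array('update_title', 'update_body'));

// Controller resource: only editors may reach it, for any privilege
// (a null privilege in allow() means all privileges on that resource).
$acl->allow('editor', 'controller:admin');

/**
 * Check a proposed row update column by column. Returns the columns the
 * role may not change; an empty array means the whole update is allowed.
 * The privilege name is derived from the column name ('update_' . column).
 */
function deniedColumns(Zend_Acl $acl, $role, Zend_Acl_Resource_Interface $row, array $newValues)
{
    $denied = array();
    foreach (array_keys($newValues) as $column) {
        if (!$acl->isAllowed($role, $row, 'update_' . $column)) {
            $denied[] = $column;
        }
    }
    return $denied;
}

$row    = new Article();
$update = array('title' => 'New title', 'created' => '2007-04-18 12:00:00');

var_dump(deniedColumns($acl, 'member', $row, $update));
var_dump(deniedColumns($acl, 'editor', $row, $update));
var_dump($acl->isAllowed('member', 'controller:admin', 'index'));
var_dump($acl->isAllowed('editor', 'controller:admin', 'index'));
```

Because Zend_Acl denies anything no rule mentions, every column a role should be able to edit has to be granted explicitly; a column that must never change (the created timestamp here) simply gets no 'update_<column>' rule for any role. A controller check can use the same ACL by passing the action name as the privilege, which keeps both the model and the controller layer on one set of rules.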