Hello,

It may help to take a look at the "Implementing Access Control with Zend Framework" webinar slides and code as a starting point:
http://framework.zend.com/wiki/x/3ZQ

Others may also be able to point you to additional helpful resources.

A little more inline below:

Errol Sayre wrote:
> I've been looking at incorporating Zend_Acl into my existing application
> to make expanding the user permissions, preferences, etc. a little
> easier. Looking at the manual pages about it are leaving me a little
> empty though, specifically they do a good job of demonstrating how to
> come up with your ACL for resources, but I don't see any clear
> indication of how one then applies these to a user.
>
> I guess the implication is that instead of having permissions for
> individual users you simply have to define a role that matches the
> permissions you'd want for that user and then assign that role to the user.
>
> This is acceptable, I guess, but my existing application works more on a
> basis of checking if the user has a permission. In effect what I have
> had in the past is a mirror image of what Zend_Acl assumes.
>
> Does anyone have any insight on this topic they could share with me? I
> don't want to have to specify a role for each resource with the
> appropriate permissions. For example, currently I have a few objects
> that my application manages: proposals, awards, people,
> units/departments, etc. In this I specify add, edit, delete for each for
> each user. So user A may be able to add any of those but not modify them
> once they're in the system. User B may only be able to enter new
> proposals. User C may only be able to edit awards (marking them
> approved/denied/etc).
>
> From my understanding of the Acl, to translate this I would need to
> create resources for each of my objects with rules for create, edit,
> delete, etc. I would then need to create a role for each to match the
> activities: User A would general data entry and have create access for
> all resources. User B would have limited data entry. User C would have
> no entry permissions but only limited edit permissions.

I think that all of these things are currently supported with Zend_Acl. That said, it surely isn't perfect and can use improvement. There are several issues in JIRA to address, and there are also some proposals I hope to review soon regarding various improvements.

> Does this sound right? My first thought is that I need to write an Acl
> for each user rather than for each resource... I'm just havin’ trouble
> wrapping my brain around this properly ;-)

You need not create an instance of Zend_Acl for each user, but I suppose it could be reasonable in certain situations.

> Appreciate the help.

Best regards,
Darby
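
The mapping discussed in this thread, as an added example that is not part of the original messages or of Zend Framework's own code: a single Zend_Acl instance in which each user is registered as a role, loaded from a per-user permission table. It assumes Zend Framework 1 is on the include_path; the table contents and the helper names buildAcl() and can() are hypothetical and constructed for illustration.

```php
<?php
// Assumption: Zend Framework 1 is installed and on the include_path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

// Constructed sample of an existing "user has permission" table:
// user => resource => privileges, following the users A, B, C in the thread.
$userPermissions = array(
    'userA' => array('proposals' => array('add'), 'awards' => array('add'),
                     'people'    => array('add'), 'units'  => array('add')),
    'userB' => array('proposals' => array('add')),
    'userC' => array('awards'    => array('edit')),
);

// Build ONE ACL for all users. Zend_Acl denies anything not explicitly allowed.
function buildAcl(array $userPermissions)
{
    $acl = new Zend_Acl();
    foreach (array('proposals', 'awards', 'people', 'units') as $resource) {
        $acl->add(new Zend_Acl_Resource($resource));
    }
    foreach ($userPermissions as $user => $grants) {
        $acl->addRole(new Zend_Acl_Role($user)); // each user is its own role
        foreach ($grants as $resource => $privileges) {
            // allow() treats an empty privilege list as "all privileges",
            // so an empty row must never reach it.
            if (empty($privileges)) {
                continue;
            }
            $acl->allow($user, $resource, $privileges);
        }
    }
    return $acl;
}

// Permission check in the style of the existing application.
// isAllowed() throws for an unregistered role or resource; fail closed instead.
function can(Zend_Acl $acl, $user, $resource, $privilege)
{
    if (!$acl->hasRole($user) || !$acl->has($resource)) {
        return false;
    }
    return $acl->isAllowed($user, $resource, $privilege);
}

$acl = buildAcl($userPermissions);
var_dump(can($acl, 'userA', 'awards', 'add'));    // allowed by the table
var_dump(can($acl, 'userA', 'awards', 'edit'));   // not granted, so denied
var_dump(can($acl, 'userC', 'awards', 'edit'));   // allowed by the table
var_dump(can($acl, 'nobody', 'awards', 'edit'));  // unknown user, denied
```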
