> Date: Sat, 14 Mar 2009 17:57:16 -0400
> From: [email protected]
> To: [email protected]
> Subject: Re: [fw-general] Should Zend_Auth implement Zend_Acl_Role_Interface?
>
> -- [email protected] <[email protected]> wrote
> (on Saturday, 14 March 2009, 05:36 PM +0000):
> > Currently (as far as I can tell) Zend_Auth only allows you to retrieve the
> > identity of some authenticated entity. With Zend_Auth_Adapter_DbTable I would
> > be able to retrieve this entity's roleId through getResultRowObject(). But this
> > is not persistent (as in: is not stored in a storage mechanism like Zend_Auth's
> > identity). Do you think it is fair to suggest that Zend_Auth should have the
> > ability to store an identity's roleId for adapters that support this possibility
> > (such as Zend_Auth_Adapter_Db)?
> >
> > My suggestion would be to have Zend_Auth implement Zend_Acl_Role_Interface so
> > that it has a getRoleId method, which would return null or false if it is not
> > available/unknown. What do you think? If you feel it is not Zend_Auth's
> > responsibility to store an identity's roleId, where would you suggest this
> > should be stored? A regular session perhaps? I would love to read your views on
> > the matter.
>
> Zend_Auth and Zend_Acl fulfill two very different purposes.
>
> Zend_Auth is providing _authentication_: is a person who they say they
> are?
>
> Zend_Acl is providing access control lists, which are a form of
> _authorization_: does a given role have access to a given resource?
>
> Authentication simply is the action of verifying credentials. Once you
> have done that, you will have some form of identity object -- and *that*
> object would be a candidate for implementing the role interface. In terms
> of Zend_Auth, this would be an object you receive after calling
> getIdentity() on your authentication adapter -- which is completely
> separate from Zend_Auth itself. (Zend_Auth allows the identity to be
> anything -- a string, an array, or an object.)

Hi Matthew,

Thanks for the response.

Yeah, I kind of knew my suggestion wasn't all that 'correct' but I couldn't
think of another place to store more information about the identity. But I do
understand the distinction between authentication and authorization (although
my proposal may suggest I don't). I just wasn't aware of the fact that the
identity object could be of mixed type. Should have read the docs more
properly. My apologies. Thanks for the pointer though!

So, if I understand you correctly and if I understand the current
Zend_Auth_Adapter_DbTable implementation correctly (or any adapter for that
matter): I should extend Zend_Auth_Adapter_DbTable or implement a whole new
adapter that would return a Zend_Auth_Result with more elaborate info about the
identity stored in the identity key of the Zend_Auth_Result object? Or is there
already some kind of mechanism which will allow me to configure the
Zend_Auth_Adapter_DbTable such that it stores more info in the Zend_Auth_Result
object that I am not aware of?

If not, from what I can see in Zend_Auth_Adapter_DbTable I would implement
something like the following to get the job done:

override _authenticateValidateResult() such that it does something like:

    $this->_authenticateResultInfo['identity'] = array(
        'identity' => $this->_resultRow[$this->_identityColumn],
        // or maybe allow for a preset _roleIdColumn with a new
        // setRoleIdColumn method
        'roleId'   => $this->_resultRow['roleId'],
    );
    // just before:
    return $this->_authenticateCreateAuthResult();

Would you agree?

Thanks in advance.

Cheers

> --
> Matthew Weier O'Phinney
> Software Architect | [email protected]
> Zend Framework | http://framework.zend.com/
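
The identity-object approach described in the quoted reply, as an added example that is not part of the original thread and not Zend Framework code. App_Identity, the 'guest' fallback and the sample row are assumptions made for illustration, and the interface is a stand-in declared only when the framework is not loaded.

```php
<?php
// Stand-in for Zend_Acl_Role_Interface so this runs without the framework.
if (!interface_exists('Zend_Acl_Role_Interface')) {
    interface Zend_Acl_Role_Interface
    {
        public function getRoleId();
    }
}

// Hypothetical identity object: the value you would write to Zend_Auth storage.
class App_Identity implements Zend_Acl_Role_Interface
{
    private $username;
    private $roleId;

    private function __construct($username, $roleId)
    {
        $this->username = $username;
        $this->roleId   = $roleId;
    }

    // $row has the stdClass shape that getResultRowObject() returns.
    public static function fromRow($row, $identityColumn, $roleIdColumn)
    {
        if (!isset($row->$identityColumn)) {
            throw new InvalidArgumentException('row has no identity column');
        }
        // Assumption: an unknown role falls back to the least-privileged one.
        $roleId = isset($row->$roleIdColumn) ? (string) $row->$roleIdColumn : 'guest';
        // Only these two values are copied; the credential column is left behind.
        return new self((string) $row->$identityColumn, $roleId);
    }

    public function getUsername() { return $this->username; }
    public function getRoleId()   { return $this->roleId; }
}

// Constructed sample row, as a users table might return it.
$row = (object) array(
    'username' => 'alice',
    'password' => 'CONSTRUCTED-HASH-VALUE',
    'roleId'   => 'editor',
);

$identity = App_Identity::fromRow($row, 'username', 'roleId');
$stored   = serialize($identity);   // what session-backed storage would persist
echo 'role: ', $identity->getRoleId(), PHP_EOL;
echo 'hash in stored identity: ',
    (strpos($stored, $row->password) === false ? 'no' : 'yes'), PHP_EOL;
```

With the framework loaded, the object would be persisted after a successful authenticate() via `Zend_Auth::getInstance()->getStorage()->write($identity)` and can then be passed directly as the role argument to `Zend_Acl::isAllowed()`. A role stored this way is a snapshot taken at login, so a role change in the database takes effect only once the stored identity is rewritten.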