That's how I expected assertions to work as well. Transforming the roles and resources into normal Zend_Acl_Role/Resource really limits the usefulness of assertions. This issue is exactly two years old now. There are some workarounds in http://framework.zend.com/issues/browse/ZF-1721 and related issues.
-- Mon

On Sun, Jun 14, 2009 at 4:55 PM, Stefan Gehrig <[email protected]> wrote:
> Dear all,
>
> I just started to use Zend_Acl for authorization in one of our projects but
> either I do have some real problem understanding the use of assertions or
> there is some flaw in the assertion design.
> I don't know if some other developers stumbled upon this issue - perhaps
> it's just that I don't understand the purpose of assertion correctly.
> Let's say, we have the following domain models:
>
> class App_User implements Zend_Acl_Role_Interface
> {
>     //...
>
>     public function getId()
>     {
>         return $this->_userId;
>     }
>
>     public function getRoleId()
>     {
>         return $this->_group;
>     }
>
>     //...
> }
>
> class App_GameSheet implements Zend_Acl_Resource_Interface
> {
>     //...
>
>     public function getHomeTeamAdminId()
>     {
>         return $this->_homeTeamAdminId;
>     }
>
>     public function getLeagueAdminId()
>     {
>         return $this->_leagueAdminId;
>     }
>
>     public function getResourceId()
>     {
>         return __CLASS__;
>     }
>
>     //...
> }
>
> class App_Acl_GameSheetAssertion implements Zend_Acl_Assert_Interface
> {
>     public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
>         Zend_Acl_Resource_Interface $resource = null, $privilege = null)
>     {
>         if (($resource instanceof App_GameSheet) && ($role instanceof App_User)) {
>             $userId = $role->getId();
>             $leagueAdmin = $resource->getLeagueAdminId();
>             $homeTeamAdmin = $resource->getHomeTeamAdminId();
>             if (in_array($userId, array($leagueAdmin, $homeTeamAdmin))) {
>                 return true;
>             } else {
>                 return false;
>             }
>         }
>         return null;
>     }
> }
>
> I thought I could do the following:
>
> $acl = new Zend_Acl();
> $acl->addRole(new Zend_Acl_Role('editor'));
> $acl->addRole(new Zend_Acl_Role('admin'), 'editor');
> $acl->add(new Zend_Acl_Resource('App_GameSheet'));
> $acl->allow('admin', null, null, null);
> $acl->allow('editor', 'App_GameSheet', null, new App_Acl_GameSheetAssertion());
>
> $gameSheet = App_GameSheet::load(123);
> $user = App_User::load(456);
>
> var_dump($acl->isAllowed($user, $gameSheet, null));
>
> The problem now is that Zend_Acl changes $role and $resource to simple
> Zend_Acl_Role and Zend_Acl_Resource objects before passing them into the
> assertion.
> Am I totally wrong in my understanding of how this should work? I personally
> think that the preceding solution would be a very elegant way to cope with
> such issues.
>
> Should this be considered a bug or rather an idea for improvement (as this
> surely would break BC it would have to wait until ZF 2.0 I assume)?
> Is there any other workaround or design that solves this problem using
> Zend_Acl? I really thought that I found the philosopher's stone for this
> problem ;-)
>
> Thanks to all of you!
>
> Best regards
>
> Stefan
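
One way to keep the ownership check while Zend_Acl hands only the registered role and resource objects to the assertion, as an added example (not code from this thread or from ZF-1721): the caller gives the ids to the assertion before each check. `Example_OwnerAssertion`, `example_isAllowed` and the ids are hypothetical; the sketch assumes Zend Framework 1.x on the include path and PHP 5.5+ for `finally`.

```php
<?php
// Added example. Assumes Zend Framework 1.x is on the include_path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Assert/Interface.php';

// Hypothetical assertion: decides on ids handed to it by the caller, not on
// the $role/$resource arguments, which Zend_Acl may have replaced.
class Example_OwnerAssertion implements Zend_Acl_Assert_Interface
{
    private $_userId = null;
    private $_ownerIds = array();
    public function setContext($userId, array $ownerIds)
    {
        $this->_userId = $userId;
        $this->_ownerIds = $ownerIds;
    }
    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
        Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        // Fail closed: without context the conditional rule does not apply.
        return $this->_userId !== null
            && in_array($this->_userId, $this->_ownerIds, true);
    }
}

// Hypothetical helper: sets the context for one check and always clears it,
// so a stale owner list can never satisfy a later, unrelated check.
function example_isAllowed(Zend_Acl $acl, Example_OwnerAssertion $a, $group, $userId, array $ownerIds)
{
    $a->setContext($userId, $ownerIds);
    try {
        return $acl->isAllowed($group, 'App_GameSheet');
    } finally {
        $a->setContext(null, array());
    }
}

$assertion = new Example_OwnerAssertion();
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('editor'));
$acl->addRole(new Zend_Acl_Role('admin'), 'editor');
$acl->add(new Zend_Acl_Resource('App_GameSheet'));
$acl->allow('admin');
$acl->allow('editor', 'App_GameSheet', null, $assertion);
// Constructed ids: league admin 456, home team admin 789.
var_dump(example_isAllowed($acl, $assertion, 'editor', 456, array(456, 789)));
var_dump(example_isAllowed($acl, $assertion, 'editor', 111, array(456, 789)));
```

The strict `in_array` comparison means the ids must have the same type on both sides, so cast ids loaded from a database before passing them in.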
