Hey, first of all I'm not an advanced ZF programmer, I am just comparing your structure with mine (also about a CMS design).

Some major differences I notice with my logic:

1. Where are the privileges?
It seems that often in a CMS there are privileges, e.g. a user may be able to "view" the list of pages but not to "update" them. Some may "publish" or "delete" them, etc. Of course you can keep it simple but keep this in mind if you have to implement it some day.

2. Groups <-> Roles
I see that you have a "many to many" connection between your groups and roles. Why don't you simply make a group a role, and delete the UserRole, GroupRole and Roles tables? To assign roles to a user you would simply assign them to one or more groups, each of which may inherit from other groups. In my case I have a hierarchy in the Groups table. If the user is not inside a group, he has access to nothing. Of course you'll have to add a table between your roles and your resources.

3. Content rights
I have supplementary tables to handle the access on specific parts/pages of the site. Each group of users may have access to specific categories of the site. So I distinguish two kinds of groups: "access groups", which restrict the access on the CMS admin interface (menu manager, layout manager, images library, etc.), and "content groups" (restrict the access to some part of the site). Don't know what you think about this, tell me :)

4. I have a table per type of user.
Admin table for admin CMS users, Members table for subscribers, etc. I see that you handle this with a profile table. Not sure which is best. I just like to separate distinct things.

netlynx wrote:
>
> Hello everyone,
>
> It has been a while since my last post (I think that was around
> 1.5.0ish). Anyhow, I had stepped away from web projects for a while, and
> now I am back to the great new 1.9.x, and am a little lost with the whole
> Zend_Application, but I am working hard to catch up. Anyhow Zend_Auth and
> Zend_Acl have always been my nemesis, but I think I have them figured out
> now to a degree. I am starting a new personal project that will be pretty
> similar to a CMS with blogging, forums, and several other features to
> begin with. So what got me thinking (and while reading up on CMS
> frameworks that exist, that I could be using but I would rather write my
> own, it is more fun that way), is to build the base application without
> defining any content types at all, then create the content-types on the
> fly with the base framework in place. I probably lost everyone with that
> pathetic description, but I have a visual concept in my own mind of what I
> mean. Anyhow, getting down to the whole Acl thing, what I want to
> accomplish is something like this:
>
> - Start with a base user object.
>
> - Each base user has a profile (which *actually* I think the required
> fields should be part of the user record, and the profile should be
> somewhat generic to be extensible to a UserProfile, WebsiteProfile,
> AuthorProfile, etc, not necessarily related to a site user, but more
> general), for now this will be a one to one relationship.
>
> - Each user will belong to one or more groups, and each group will contain
> one or more users, this will be a many to many relationship.
>
> - Next we have a base resource, be it a module, controller, action, model,
> or individual record (article, profile, etc)
>
> - A user can have a role for one or more resources.
>
> - A group can have a role for one or more resources.
>
> - Roles could be either most restrictive (group_roles *OR* user_roles) or
> least restrictive (group_roles *AND* user_roles)
>
> Queries would look like (forgive the syntax, it's just conceptual right
> now):
>
> $uid = 11
> $gid = 12
> $rid = 14 (resource: article)
> // Roles may include, Author, Editor, Publisher, etc.
> // A user/group may include one or more roles (ie Author and Editor, but not Publisher)
> $rolesByUser = select * from UserRoles where (`uid` = $uid and `rid` = $rid);
> $rolesByGroup = select * from GroupRoles where (`gid` = $gid and `rid` = $rid);
> $roles = array_combine($rolesByUser, $rolesByGroup);
>
> Where $roles would be an array of Zend_Acl_Role objects.
>
> I have attached a `sample` drawing of the database layout, however maybe
> think of this layout as more of a model layout, where the `tables` could
> actually be xml files / config files, or some other method of storage, the
> data does not necessarily have to come from a database, again, this is
> just my vision of the whole thing (and likely it will be primarily
> relational database tables nonetheless).
>
> Anyhow, what I am trying to do is come up with a fairly generic,
> extensible, flexible, robust, (insert other great buzzwords here), Acl
> structure. Any feedback, suggestions on the best way to code this,
> modifications, or general criticisms about my logic (including your logic
> and why it's better than mine) would be most appreciated.
>
> Thanks
> Aaron
>
> http://www.nabble.com/file/p25183869/acl_layout.png
>

--
View this message in context: http://www.nabble.com/Complex-ACL-tp25183869p25203273.html
Sent from the Zend Framework mailing list archive at Nabble.com.
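The following is an added example, not code from either poster: a minimal plain-PHP sketch of the model in points 1 and 2 of the reply, where each group acts as a role, groups inherit from a parent group, grants are stored per resource and privilege, and a user in no group is denied everything. It does not use Zend_Acl, and the group names, users and grant rows are constructed for illustration.

```php
<?php
// Constructed sample data; every name here is hypothetical.
// Each group doubles as a role; 'parent' encodes the group hierarchy.
$groups = [
    'guest'     => ['parent' => null],
    'author'    => ['parent' => 'guest'],
    'editor'    => ['parent' => 'author'],
    'publisher' => ['parent' => 'editor'],
];
// Link table between groups and resources, one row per privilege.
$grants = [
    ['group' => 'guest',     'resource' => 'page', 'privilege' => 'view'],
    ['group' => 'author',    'resource' => 'page', 'privilege' => 'update'],
    ['group' => 'publisher', 'resource' => 'page', 'privilege' => 'publish'],
    ['group' => 'publisher', 'resource' => 'page', 'privilege' => 'delete'],
];
$userGroups = ['alice' => ['editor'], 'bob' => ['guest'], 'carol' => []];
// Return a group and all of its ancestors; stops on unknown groups and cycles.
function lineage(array $groups, ?string $group): array
{
    $seen = [];
    while ($group !== null && isset($groups[$group]) && !in_array($group, $seen, true)) {
        $seen[] = $group;
        $group = $groups[$group]['parent'];
    }
    return $seen;
}

// True only if one of the user's groups, or an ancestor of it, holds the grant.
function isAllowed(array $groups, array $grants, array $memberOf, string $resource, string $privilege): bool
{
    foreach ($memberOf as $group) {
        $roles = lineage($groups, $group);
        foreach ($grants as $g) {
            if ($g['resource'] === $resource && $g['privilege'] === $privilege
                && in_array($g['group'], $roles, true)) {
                return true;
            }
        }
    }
    return false; // default deny: no group membership or no matching grant
}

foreach ($userGroups as $user => $memberOf) {
    foreach (['view', 'update', 'publish'] as $privilege) {
        $ok = isAllowed($groups, $grants, $memberOf, 'page', $privilege);
        printf("%-5s %-7s page: %s\n", $user, $privilege, $ok ? 'allow' : 'deny');
    }
}
```

Because access is only ever granted by an explicit row reachable through the hierarchy, adding a new privilege or resource never widens access for existing groups until a grant row is inserted.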
