I've been trying out the changes in Zend_Acl and this is a major
improvement. Thanks!
One thing I'm having trouble with -- is it possible to create an "allow"
rule that uses an assertion for *all* privileges?
For example, I can create a rule like this:
$acl = new Zend_Acl();
$acl->allow(null, null, 'edit', new MyAssertion());
$allowed = $acl->isAllowed($member, $exam, 'edit');
As expected, Zend_Acl will call the assert() method on the MyAssertion
object and I can test for "edit" permissions.
However, I want the assertion to be called for any privilege on a specific
role/resource combination. So I wrote my rule like this:
$acl = new Zend_Acl();
$acl->allow('member', 'exam', null, new MyAssertion());
$allowed = $acl->isAllowed($member, $exam, 'edit');
With the above code the privilege passed to the assertion is null, when I
was expecting it to be "edit" (as called in $acl->isAllowed());
It seems the workaround would be to explicitly provide all of the privileges
in an array:
$acl = new Zend_Acl();
$acl->allow('member', 'exam', array('edit', 'view', [etc.]), new
MyAssertion());
$allowed = $acl->isAllowed($member, $exam, 'edit');
Is this normal or should I file a bug report?
--
Hector
On Thu, Oct 8, 2009 at 7:31 AM, Ralph Schindler <[email protected]>wrote:
> As a side note, you may also find that by using the assertion system, you
> can create dynamic rules as assertions that will further lookup information
> from the database as needed.
>
> Using this as a reference:
> http://ralphschindler.com/2009/08/13/dynamic-assertions-for-zend_acl-in-zf
>
> Imagine that inside assert(...), you call other methods of a *specific*
> User model object to check if they do indeed has the proper credentials to
> further do said privilege.
>
> -ralph
>
> David Mintz wrote:
>
>
>>
>> On Wed, Oct 7, 2009 at 6:58 PM, tomascejka <[email protected]<mailto:
>> [email protected]>> wrote:
>>
>>
>> I read about Acl and I think about roles and permisson and I want to
>> ask if
>> there is necessary make implementation on database layer. I mean
>> persisting
>> permissions with relations to roles strutured in tree structure.
>>
>> As I have read about Acl there is a possibility that it is not
>> necessary to
>> make another layer above Acl princip implemented in Zend_Acl.
>>
>> Can m
>>
>>
>> As I understand it, it is perfectly OK to write all your ACL rules in PHP
>> and load them at runtime, with no persistence involved. If, however, you
>> want to create an interface through which an administrator can manipulate
>> ACL rules interactively, you obviously will need persistence.
>>
>> --
>> David Mintz
>> http://davidmintz.org/
>>
>> The subtle source is clear and bright
>> The tributary streams flow through the darkness
>>
>
