Comments on: Extending Zend_Acl to support custom roles and resources http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html Random secrets of PHP, web development Sun, 20 Jun 2010 17:42:32 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Snef http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html/comment-page-1#comment-41666 Snef Wed, 21 Jan 2009 08:32:26 +0000 http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html#comment-41666 Also, should i only use $acl->allow and 'forget' the $acl->deny? Imagine a user (user:1) is bound to group1 and 3. $acl->allow('group:1', 'dummy:foo'); $acl->deny('group:3', 'dummy:foo'); $this->isAllowed('user:1', 'dummy:foo'); // returns false? Yes, it was denied because of membership of group3, but the user is allowed by membership of group1. So the user should be allowed, isn't it? I know, in this example I just could remove the deny rule, but it is just an example! Also, should i only use $acl->allow and ‘forget’ the $acl->deny?
Imagine a user (user:1) is bound to group1 and 3.

$acl->allow(‘group:1′, ‘dummy:foo’);
$acl->deny(‘group:3′, ‘dummy:foo’);

$this->isAllowed(‘user:1′, ‘dummy:foo’); // returns false?

Yes, it was denied because of membership of group3, but the user is allowed by membership of group1. So the user should be allowed, isn’t it?

I know, in this example I just could remove the deny rule, but it is just an example!

]]> By: Terra http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html/comment-page-1#comment-41408 Terra Tue, 20 Jan 2009 05:02:57 +0000 http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html#comment-41408 you make a good point - you make a good point -

]]> By: Snef http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html/comment-page-1#comment-41318 Snef Mon, 19 Jan 2009 14:55:12 +0000 http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html#comment-41318 Hi. I know, it is an old entry but i just got to start playing with it. Solution looks nice but i'm having some trouble to alter the code so that is can work with 'group-parenting'. I want to be able to define groups that inherit from other groups. When a user/group has been found, the parents should also be entered in the acl (like Zend_Acl will work). Ever thought of such a solution? (It would be nice if it could do both... assigning users to different groups and that the groups could inherit from other groups..) Hi. I know, it is an old entry but i just got to start playing with it. Solution looks nice but i’m having some trouble to alter the code so that is can work with ‘group-parenting’.

I want to be able to define groups that inherit from other groups. When a user/group has been found, the parents should also be entered in the acl (like Zend_Acl will work). Ever thought of such a solution?
(It would be nice if it could do both… assigning users to different groups and that the groups could inherit from other groups..)

]]> By: Willem Luijk http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html/comment-page-1#comment-34716 Willem Luijk Fri, 26 Dec 2008 22:16:22 +0000 http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html#comment-34716 Hi Gergely, You know roles times resources can grow quite large. Is it in your solution possible to read only the needed combinations when testing if access to a resource need to be evaluated? Hi Gergely,

You know roles times resources can grow quite large. Is it in your solution possible to read only the needed combinations when testing if access to a resource need to be evaluated?

]]> By: Tim Reynolds http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html/comment-page-1#comment-29370 Tim Reynolds Sun, 07 Dec 2008 16:37:05 +0000 http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html#comment-29370 Nice post. Thank you for the info. Keep it up. Nice post. Thank you for the info. Keep it up.

]]> By: Cesar B. aka the Mover http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html/comment-page-1#comment-24698 Cesar B. aka the Mover Wed, 05 Nov 2008 00:14:41 +0000 http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html#comment-24698 This Blog reminds me the reason I like bloging so much, the interaction is very important with readers and you guys have it right. Looks great too, will be back for more posts, David the mover. : - ) This Blog reminds me the reason I like bloging so much, the interaction is very important with readers and you guys have it right. Looks great too, will be back for more posts, David the mover. : – )

]]> By: Import from China http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html/comment-page-1#comment-13325 Import from China Sat, 19 Jul 2008 20:15:04 +0000 http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html#comment-13325 I came across this blog the other day and you got some great info here - thanks. I came across this blog the other day and you got some great info here – thanks.

]]> By: ang http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html/comment-page-1#comment-12893 ang Sun, 13 Jul 2008 14:04:01 +0000 http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html#comment-12893 Very good article, I will try your code into my app that is being developed. Thanx for sharing. Very good article, I will try your code into my app that is being developed. Thanx for sharing.

]]> By: Psychic Advice http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html/comment-page-1#comment-12839 Psychic Advice Sat, 12 Jul 2008 14:27:51 +0000 http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html#comment-12839 Thanks for the great info. I hope you'll follow this with some more great content. Thanks for the great info. I hope you’ll follow this with some more great content.

]]> By: Joshua Ross http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html/comment-page-1#comment-8339 Joshua Ross Mon, 05 May 2008 22:06:32 +0000 http://blog.felho.hu/extending-zend_acl-to-support-custom-roles-and-resources.html#comment-8339 I find a lot of problems with your assessment of Zend_Acl. I personally found it to be a robust enough tool to handle a very complicated ACL at my previous company. Through the use of an Override Assertion I was able to provide the same granular access control as you show without mixing and intermingling the concept of the controller layer with the model layer. I think you have subverted all the power of the inheritance that is native to Zend_Acl. The sacrifice of which, I would contend, is a performance hit for which it appears you are implementing extensive caching. I would additionally point out that you are incorrect about no resource registry, Zend_Acl itself is a resource registry which contains a role registry object. Using an override assertion you only load your Zend_Acl object with roles and resources. Cache/Serialize that object all you want. This keeps the object very lightweight and utilizes its inheritance capabilities. The only time you need granular control is when a user is denied access to a resource. At that point is when the override assertion would be called and you perform a query to an overrides table using the user's id instead of the role that was checked against the ACL. You of course cache the result. Using this approach you eliminate all the extensions you wrote and you instead query a model for an override and then check that against the ACL. All of which can be done in about 10 lines of code. I would further contend that most forums are comprised of boards containing topics and access control is normally granted to a group(role) to a board(resource) and not at a topic level. Although it looks like you put some thought into your approach, I think the better approach is using the built in assertion capability of Zend_Acl. None the less, I enjoy your blog so keep up the posts! =] I find a lot of problems with your assessment of Zend_Acl. I personally found it to be a robust enough tool to handle a very complicated ACL at my previous company. Through the use of an Override Assertion I was able to provide the same granular access control as you show without mixing and intermingling the concept of the controller layer with the model layer. I think you have subverted all the power of the inheritance that is native to Zend_Acl. The sacrifice of which, I would contend, is a performance hit for which it appears you are implementing extensive caching.

I would additionally point out that you are incorrect about no resource registry, Zend_Acl itself is a resource registry which contains a role registry object.

Using an override assertion you only load your Zend_Acl object with roles and resources. Cache/Serialize that object all you want. This keeps the object very lightweight and utilizes its inheritance capabilities. The only time you need granular control is when a user is denied access to a resource. At that point is when the override assertion would be called and you perform a query to an overrides table using the user’s id instead of the role that was checked against the ACL. You of course cache the result.

Using this approach you eliminate all the extensions you wrote and you instead query a model for an override and then check that against the ACL. All of which can be done in about 10 lines of code.

I would further contend that most forums are comprised of boards containing topics and access control is normally granted to a group(role) to a board(resource) and not at a topic level.

Although it looks like you put some thought into your approach, I think the better approach is using the built in assertion capability of Zend_Acl. None the less, I enjoy your blog so keep up the posts! =]

]]>