Bryan

Reputation: 645

zend acl multiple access lists/levels

I'm building a portal where user and companies can join. Users can either be independent or working under a company. There is some basic access which is available to all users regardless of their type (independent or associated with a company). There is some more features which are available to independent users, but if a user is under the company, the company manager will be able to allow/disallow their access to specific features. How can I manage this using Zend_Acl?

Upvotes: 1

Views: 953

Answers (1)

Shane Stillwell

Reputation: 3248

Your ACLs can have conditions.

In the file where I declare my ACLs (a plugin by the way), I have the following declaration. The Acl_AdminCanAccessUsers is a Zend_Acl_Assert_Interface and will either return TRUE or FALSE. Here I am also passing the Request Object to the constructor.

    // Complex function to see if the current user can create/edit the desired user account.
    $acl->allow('client', 'user', array('edit','create'), new Acl_AdminCanAccessUsers($this->_request));

Now let's take a look at Acl_AdminCanAccessUsers:

    <?php

    class Acl_AdminCanAccessUsers implements Zend_Acl_Assert_Interface
    {
        /** The request object handed in by the plugin that declares the ACLs */
        protected $request;

        public function __construct($request)
        {
            $this->request = $request;
        }

        public function assert(Zend_Acl $acl,
                               Zend_Acl_Role_Interface $role = null,
                               Zend_Acl_Resource_Interface $resource = null,
                               $privilege = null)
        {
            /**
             * Can only test when trying to edit a user account
             */
            if ("edit" != $privilege) {
                return TRUE;
            }

            $identity = Zend_Auth::getInstance()->getIdentity();

            // Nobody is logged in: deny
            if (null === $identity) {
                return FALSE;
            }

            /**
             * Get the id from the URL request
             */
            $id = $this->request->getParam('id');

            /**
             * Get user account from DB (Doctrine returns FALSE when no record matches)
             */
            $user = Doctrine_Core::getTable('User')->find($id);
            if (!$user) {
                return FALSE;
            }

            // Are they editing their own account? Give them a pass
            if ($identity->user_id == $user->user_id) {
                return TRUE;
            }

            // Admins (isAdmin flag set on their account) may edit anyone
            if ($identity->isAdmin) {
                return TRUE;
            }

            // Everyone else is denied
            return FALSE;
        }
    }

As you can see here we are checking the db for the user record and comparing it to a parameter that is requested or checking if they have the isAdmin flag set in their Zend_Auth identity. You can do lots of conditional checking for your ACLs if there is more to access than just a role, resource, and privilege.

Happy Coding!

Upvotes: 1
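As an added example (not code from the answer above), the same injected-context assertion pattern applied to the question's scenario in Zend_Acl 1.x: independent users get the extra features outright, employees only for the features their company manager switched on. The role names, the `features` resource, the `Acl_FeatureGrantedByManager` class, `buildAcl()` and the identity object with its `features` whitelist are all assumptions made for the example.

```php
<?php
require_once 'Zend/Acl.php'; // assumes the Zend Framework 1 library is on the include_path
// Hypothetical assertion: an employee may use a feature only if the company manager
// switched it on for that account. The identity is injected through the constructor,
// the same way the answer injects the request object.
class Acl_FeatureGrantedByManager implements Zend_Acl_Assert_Interface
{
    protected $identity;
    public function __construct($identity)
    {
        $this->identity = $identity;
    }

    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        // Fail closed: no identity, or no specific feature asked for, means no access.
        if (null === $this->identity || null === $privilege) {
            return FALSE;
        }
        // The manager's grants are a whitelist of feature names stored on the account.
        $granted = isset($this->identity->features) ? (array) $this->identity->features : array();
        return in_array($privilege, $granted, TRUE);
    }
}

function buildAcl($identity)
{
    $acl = new Zend_Acl();
    // Every account is a 'user'; both kinds inherit the basic rights from it.
    $acl->addRole(new Zend_Acl_Role('user'));
    $acl->addRole(new Zend_Acl_Role('independent'), 'user');
    $acl->addRole(new Zend_Acl_Role('employee'), 'user');
    $acl->addResource(new Zend_Acl_Resource('features'));
    // Basic features for every logged-in user.
    $acl->allow('user', 'features', array('profile', 'messages'));
    // Extra features: independent users unconditionally ...
    $acl->allow('independent', 'features', array('reports', 'export'));
    // ... employees only when the assertion finds a manager grant; otherwise Zend_Acl's default deny applies.
    $acl->allow('employee', 'features', array('reports', 'export'), new Acl_FeatureGrantedByManager($identity));
    return $acl;
}

// Constructed identity; in the app it comes from Zend_Auth::getInstance()->getIdentity().
$identity = (object) array('user_id' => 42, 'role' => 'employee', 'features' => array('reports'));
$acl = buildAcl($identity);
var_dump($acl->isAllowed($identity->role, 'features', 'profile')); // basic feature inherited from 'user'
var_dump($acl->isAllowed($identity->role, 'features', 'reports')); // granted by the manager
var_dump($acl->isAllowed($identity->role, 'features', 'export'));  // not granted by the manager
var_dump($acl->isAllowed('independent', 'features', 'export'));    // no manager involved
```

Because a failed assertion on an allow rule makes Zend_Acl fall through to the parent role and then to its default deny, an employee never gains a manager-controlled feature by accident; the manager's grant list is the only way in.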
