Zend_Auth or Zend_Acl in checking against DB record?

Question

In my application you have users and books. Users can create, edit and delete their own books. When a user logs in, he has to choose first which book he wants to work on. That book ID is stored in a session variable, so through the application it's clear which book the user is working on. Users can also share books with eachother, and the owner (who created the book) has more priviliges than other users who have been invited to contribute to the book.

First I implemented it in quite a chaotic way and now I was thinking to do it like this:

• In the bootstrap, the controller plugin Auth is loaded.
• In the controller plugin I check if the user has an identity
• In the controller init() I load my action helper
• In the action helper I load Zend_Acl and check if the user has the priviliges to work on this specific book (check if a link between this user and this book exists) and also if he has the priviliges to perform these actions on the book (maybe he shouldn't be able to delete it).

Does this make sense? And were should I store the book ID? In Zend_Auth::getInstance()->getStorage()?

Edit: And where do I store the role of the user? Also in the storage of Zend_Auth?

Answer 1

I think your approach makes sense. I would store the book ID in a Zend_Session_Namespace and store the user in the storage of Zend_Auth. If the user you are putting in the storage is an object/model, have it implement Zend_Acl_Role_Interface so it contains a getRoleId() method that returns the user's role. This way you can pass your user object directly to any ACL method that requires a role and it can get the role from the object.

If it makes sense, you could have a property of your user object called activeBookId or something like that and store the book ID there if it seems like it can fit into the user object.