A
You may be creating an Access Control List (http://pt.wikipedia.org/wiki/Access_Control_List), the permissions that the user has based on their profile within the system. A library that provides a structure for this is Zend_Acl (http://framework.zend.com/manual/1.12/en/zend.acl.html).

An ACL is composed of three basic functions. They are: Profile (Role), Resources (Resource) and Permissions (Permissions).

Profile

The following code defines three base profiles - guest, member and admin - from which other profiles can inherit. Then a profile identified by someUser is established and inherits from the other three profiles. The order in which these roles appear in the array $parents is important. When necessary, Zend_Acl searches for access rules defined not only for the profile consulted (someUser), but also on the profiles from which the consulted profile inherits (guest, member and admin).

```php
$acl = new Zend_Acl();

// Three base roles with no parents
$acl->addRole(new Zend_Acl_Role('guest'))
    ->addRole(new Zend_Acl_Role('member'))
    ->addRole(new Zend_Acl_Role('admin'));

// someUser inherits from all three; the order of $parents matters
$parents = array('guest', 'member', 'admin');
$acl->addRole(new Zend_Acl_Role('someUser'), $parents);

$acl->add(new Zend_Acl_Resource('someResource'));

// Conflicting rules on two of the parents
$acl->deny('guest', 'someResource');
$acl->allow('member', 'someResource');

echo $acl->isAllowed('someUser', 'someResource') ? 'allowed' : 'denied';
```

Create the Access Control List

An Access Control List (ACL, http://pt.wikipedia.org/wiki/Access_Control_List) can represent any set of physical or virtual objects you want. For demonstration purposes, however, we will create a content management system (CMS, http://pt.wikipedia.org/wiki/Sistema_de_gerenciamento_de_conte%C3%BAdo) ACL, which maintains several layers of groups across a wide variety of areas. To create a new ACL object, we instantiate the ACL without parameters:

```php
$acl = new Zend_Acl();
```

The CMS will almost always require a hierarchy of permissions to determine the content-creation capabilities of its users. There may be a Guest group to allow limited access to demonstrations, a Staff group for most users of the CMS, who perform most day-to-day operations, an Editor group for those responsible for publishing, reviewing, archiving and deleting content, and finally an Administrator group whose tasks can include all of those of the other groups, as well as maintaining sensitive information, user management, backup and export. This set of permissions can be represented in a role registry, allowing each group to inherit privileges from its parent group, as well as providing distinct privileges for its own group only. Permissions can be expressed as follows:

For this example, Zend_Acl_Role is used, but any object that implements Zend_Acl_Role_Interface is acceptable. These groups can be added to the role registry as follows:

```php
$acl = new Zend_Acl();

// Add groups to the role registry using Zend_Acl_Role
// Guest does not inherit access controls
$roleGuest = new Zend_Acl_Role('guest');
$acl->addRole($roleGuest);

// Staff inherits from guest
$acl->addRole(new Zend_Acl_Role('staff'), $roleGuest);

/*
Alternatively, the above could be written:
$acl->addRole(new Zend_Acl_Role('staff'), 'guest');
*/

// Editor inherits from staff
$acl->addRole(new Zend_Acl_Role('editor'), 'staff');

// Administrator does not inherit access controls
$acl->addRole(new Zend_Acl_Role('administrator'));
```

Now that the ACL contains the relevant profiles, the rules that define how resources can be accessed by the profiles can be established. No specific resources have been set for this example, which is simplified to illustrate that the rules apply to all resources. Zend_Acl provides an implementation in which the rules only need to be assigned from the general to the specific, minimizing the number of rules needed, because the resources and roles inherit the rules that are set on their ancestors.

Therefore, we can define a fairly complex set of rules with a minimum amount of code. To apply the base permissions as defined above:

```php
$acl = new Zend_Acl();

$roleGuest = new Zend_Acl_Role('guest');
$acl->addRole($roleGuest);
$acl->addRole(new Zend_Acl_Role('staff'), $roleGuest);
$acl->addRole(new Zend_Acl_Role('editor'), 'staff');
$acl->addRole(new Zend_Acl_Role('administrator'));

// Guest may only view content
$acl->allow($roleGuest, null, 'view');

/*
Alternatively, the above could be written:
$acl->allow('guest', null, 'view');
*/

// Staff inherits the view privilege from guest, but also needs
// additional privileges
$acl->allow('staff', null, array('edit', 'submit', 'revise'));

// Editor inherits the view, edit, submit and revise privileges from
// staff, but also needs additional privileges
$acl->allow('editor', null, array('publish', 'archive', 'delete'));

// Administrator inherits nothing, but is allowed all privileges
$acl->allow('administrator');
```

Consult an ACL

We now have a flexible ACL that can be used to determine whether requesters are allowed to perform functions throughout the web application. Performing queries is quite simple, using the method isAllowed():

```php
echo $acl->isAllowed('guest', null, 'view') ?
     "allowed" : "denied";
// allowed

echo $acl->isAllowed('staff', null, 'publish') ?
     "allowed" : "denied";
// denied

echo $acl->isAllowed('staff', null, 'revise') ?
     "allowed" : "denied";
// allowed

echo $acl->isAllowed('editor', null, 'view') ?
     "allowed" : "denied";
// allowed because of inheritance from guest

echo $acl->isAllowed('editor', null, 'update') ?
     "allowed" : "denied";
// denied, because there is no rule that allows "update"

echo $acl->isAllowed('administrator', null, 'view') ?
     "allowed" : "denied";
// allowed because administrator is allowed all privileges

echo $acl->isAllowed('administrator') ?
     "allowed" : "denied";
// allowed because administrator is allowed all privileges

echo $acl->isAllowed('administrator', null, 'update') ?
     "allowed" : "denied";
// allowed because administrator is allowed all privileges
```

Complementary reading on the subject: http://www.johnmarques.com.br/php/controle-de-acesso-com-zend_acl/
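
The effect of the $parents order and the deny-when-no-rule behaviour described in this answer, as an added example that is not part of the original answer or of Zend's documentation. It assumes Zend Framework 1.12 is on the include path; buildAcl() and can() are hypothetical helper names.

```php
<?php
// Added example. Assumes Zend Framework 1.12 is on the include path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

// Hypothetical helper: the guest/member/admin ACL from the first snippet,
// with someUser inheriting from $parents in the order given.
function buildAcl(array $parents)
{
    $acl = new Zend_Acl();
    $acl->addRole(new Zend_Acl_Role('guest'))
        ->addRole(new Zend_Acl_Role('member'))
        ->addRole(new Zend_Acl_Role('admin'));
    $acl->addRole(new Zend_Acl_Role('someUser'), $parents);
    $acl->addResource(new Zend_Acl_Resource('someResource'));
    $acl->deny('guest', 'someResource');
    $acl->allow('member', 'someResource');
    return $acl;
}

// Hypothetical helper: fail-closed wrapper around isAllowed(). Zend_Acl throws
// a Zend_Acl_Exception subclass for an unregistered role or resource; an
// authorization check should treat that as a denial.
function can(Zend_Acl $acl, $role, $resource = null, $privilege = null)
{
    try {
        return $acl->isAllowed($role, $resource, $privilege);
    } catch (Zend_Acl_Exception $e) {
        return false;
    }
}

// Zend_Acl visits the parents from last to first and stops at the first
// parent that has a directly applicable rule.
$orders = array(
    array('guest', 'member', 'admin'), // admin has no rule, member's allow is found next
    array('member', 'guest'),          // guest is visited first, so its deny is found first
);
foreach ($orders as $parents) {
    $acl = buildAcl($parents);
    $result = can($acl, 'someUser', 'someResource') ? 'allowed' : 'denied';
    printf("parents=%-20s someUser => %s\n", implode(',', $parents), $result);
}

// A role that was never registered is denied by the wrapper instead of
// surfacing an exception to the caller.
$acl = buildAcl(array('guest'));
printf("unregistered role => %s\n", can($acl, 'ghost', 'someResource') ? 'allowed' : 'denied');
```

When a role inherits from parents with conflicting rules, list the parent whose rule should win last in $parents, and review that order whenever a deny rule is added to any parent.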