File: Zend_Acl-Refining.xml

package info (click to toggle)
zendframework 1.12.9%2Bdfsg-2
  • links: PTS, VCS
  • area: main
  • in suites: jessie-kfreebsd
  • size: 133,584 kB
  • sloc: xml: 1,311,829; php: 570,173; sh: 170; makefile: 125; sql: 121
file content (185 lines) | stat: -rw-r--r-- 6,371 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
 
<?xml version="1.0" encoding="UTF-8"?>
<!-- Reviewed: no -->
<sect1 id="zend.acl.refining">
    <title>Refining Access Controls</title>

    <sect2 id="zend.acl.refining.precise">
        <title>Precise Access Controls</title>

        <para>
            The basic <acronym>ACL</acronym> as defined in the
            <link linkend="zend.acl.introduction">previous section</link> shows how various
            privileges may be allowed upon the entire <acronym>ACL</acronym> (all resources). In
            practice, however, access controls tend to have exceptions and varying degrees of
            complexity. <classname>Zend_Acl</classname> allows to you accomplish these refinements
            in a straightforward and flexible manner.
        </para>

        <para>
            For the example <acronym>CMS</acronym>, it has been determined that whilst the 'staff'
            group covers the needs of the vast majority of users, there is a need for a new
            'marketing' group that requires access to the newsletter and latest news in the
            <acronym>CMS</acronym>. The group is fairly self-sufficient and will have the ability
            to publish and archive both newsletters and the latest news.
        </para>

        <para>
            In addition, it has also been requested that the 'staff' group be allowed to view news
            stories but not to revise the latest news. Finally, it should be impossible for anyone
            (administrators included) to archive any 'announcement' news stories since they only
            have a lifespan of 1-2 days.
        </para>

        <para>
            First we revise the role registry to reflect these changes. We have determined that the
            'marketing' group has the same basic permissions as 'staff', so we define 'marketing'
            in such a way that it inherits permissions from 'staff':
        </para>

        <programlisting language="php"><![CDATA[
// The new marketing group inherits permissions from staff
$acl->addRole(new Zend_Acl_Role('marketing'), 'staff');
]]></programlisting>

        <para>
            Next, note that the above access controls refer to specific resources (e.g.,
            "newsletter", "latest news", "announcement news"). Now we add these resources:
        </para>

        <programlisting language="php"><![CDATA[
// Create Resources for the rules

// newsletter
$acl->addResource(new Zend_Acl_Resource('newsletter'));

// news
$acl->addResource(new Zend_Acl_Resource('news'));

// latest news
$acl->addResource(new Zend_Acl_Resource('latest'), 'news');

// announcement news
$acl->addResource(new Zend_Acl_Resource('announcement'), 'news');
]]></programlisting>

        <para>
            Then it is simply a matter of defining these more specific rules on the target areas of
            the <acronym>ACL</acronym>:
        </para>

        <programlisting language="php"><![CDATA[
// Marketing must be able to publish and archive newsletters and the
// latest news
$acl->allow('marketing',
            array('newsletter', 'latest'),
            array('publish', 'archive'));

// Staff (and marketing, by inheritance), are denied permission to
// revise the latest news
$acl->deny('staff', 'latest', 'revise');

// Everyone (including administrators) are denied permission to
// archive news announcements
$acl->deny(null, 'announcement', 'archive');
]]></programlisting>

        <para>
            We can now query the <acronym>ACL</acronym> with respect to the latest changes:
        </para>

        <programlisting language="php"><![CDATA[
echo $acl->isAllowed('staff', 'newsletter', 'publish') ?
     "allowed" : "denied";
// denied

echo $acl->isAllowed('marketing', 'newsletter', 'publish') ?
     "allowed" : "denied";
// allowed

echo $acl->isAllowed('staff', 'latest', 'publish') ?
     "allowed" : "denied";
// denied

echo $acl->isAllowed('marketing', 'latest', 'publish') ?
     "allowed" : "denied";
// allowed

echo $acl->isAllowed('marketing', 'latest', 'archive') ?
     "allowed" : "denied";
// allowed

echo $acl->isAllowed('marketing', 'latest', 'revise') ?
     "allowed" : "denied";
// denied

echo $acl->isAllowed('editor', 'announcement', 'archive') ?
     "allowed" : "denied";
// denied

echo $acl->isAllowed('administrator', 'announcement', 'archive') ?
     "allowed" : "denied";
// denied
]]></programlisting>
    </sect2>

    <sect2 id="zend.acl.refining.removing">
        <title>Removing Access Controls</title>

        <para>
            To remove one or more access rules from the <acronym>ACL</acronym>, simply use the
            available <methodname>removeAllow()</methodname> or
            <methodname>removeDeny()</methodname> methods. As with <methodname>allow()</methodname>
            and <methodname>deny()</methodname>, you may provide a <constant>NULL</constant> value
            to indicate application to all roles, resources, and/or privileges:
        </para>

        <programlisting language="php"><![CDATA[
// Remove the denial of revising latest news to staff (and marketing,
// by inheritance)
$acl->removeDeny('staff', 'latest', 'revise');

echo $acl->isAllowed('marketing', 'latest', 'revise') ?
     "allowed" : "denied";
// allowed

// Remove the allowance of publishing and archiving newsletters to
// marketing
$acl->removeAllow('marketing',
                  'newsletter',
                  array('publish', 'archive'));

echo $acl->isAllowed('marketing', 'newsletter', 'publish') ?
     "allowed" : "denied";
// denied

echo $acl->isAllowed('marketing', 'newsletter', 'archive') ?
     "allowed" : "denied";
// denied
]]></programlisting>

        <para>
            Privileges may be modified incrementally as indicated above, but a
            <constant>NULL</constant> value for the privileges overrides such incremental changes:
        </para>

        <programlisting language="php"><![CDATA[
// Allow marketing all permissions upon the latest news
$acl->allow('marketing', 'latest');

echo $acl->isAllowed('marketing', 'latest', 'publish') ?
     "allowed" : "denied";
// allowed

echo $acl->isAllowed('marketing', 'latest', 'archive') ?
     "allowed" : "denied";
// allowed

echo $acl->isAllowed('marketing', 'latest', 'anything') ?
     "allowed" : "denied";
// allowed
]]></programlisting>
    </sect2>
</sect1>
<!--
vim:se ts=4 sw=4 et:
-->