For example, let's say you only want the owner of an event to be able to edit it (or a superadmin).
In my class which extends Zend_Acl:
$this->allow('member', 'event', array('edit', 'delete'), new My_Acl_Assert_HasEventPermissions($auth, $request));
The assertion itself:
class My_Acl_Assert_HasEventPermissions implements Zend_Acl_Assert_Interface
{
    private $_auth;
    private $_request;

    public function __construct($auth, $request)
    {
        $this->_auth = $auth;
        $this->_request = $request;
    }

    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
        Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        // $role is a role object (or null), so compare its ID, not the object itself.
        $roleId = ($role !== null) ? $role->getRoleId() : null;
        if (in_array($roleId, array('admin', 'superadmin', 'employee'), true)) {
            return true;
        }

        // Everyone else may act only on events they own.
        $id = $this->_request->getParam("id");
        $user_id = $this->_auth->getIdentity()->user_id;
        $events = new My_Db_Table_Events();
        return $events->userIsOwner($user_id, $id);
    }
}
On Wed, Nov 26, 2008 at 7:25 AM, Michał Zieliński <zielun@gmail.com> wrote:
In short:
Structure->editAction('news');
Structure->editAction('events');
User X has access to edit News but is not allowed to edit Events. How can I
achieve it via Zend_Acl?
I've only done ACL based on controllers and actions so far. But in this
situation I have to check parameter and if it's news then allow if events
then deny.
Don't know how to set resources for this.
Thanks in advance for your propositions and suggestions.
Best regards.
--
View this message in context: http://www.nabble.com/ACL-depended-on-action-parameter-tp20699573p20699573.html
Sent from the Zend Auth mailing list archive at Nabble.com.
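An added example, not part of the original thread: one way to make the check depend on the action parameter is to register each allowed parameter value as its own resource and deny anything that is not registered. It assumes Zend Framework 1 on the include path; `Example_Acl`, `canEditSection()`, the `newsEditor` role and the `section` parameter name are hypothetical.

```php
<?php
// Added example. Assumes Zend Framework 1 is on the include path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

// Hypothetical class; 'news' and 'events' are the sections named in the question.
class Example_Acl extends Zend_Acl
{
    public function __construct()
    {
        $this->addRole(new Zend_Acl_Role('guest'));
        $this->addRole(new Zend_Acl_Role('newsEditor'), 'guest');

        // Each value the action parameter may take is its own resource.
        $this->add(new Zend_Acl_Resource('news'));
        $this->add(new Zend_Acl_Resource('events'));

        // Zend_Acl denies by default, so 'events' needs no explicit deny().
        $this->allow('newsEditor', 'news', 'edit');
    }

    /**
     * Treat the request parameter as untrusted input: only a string that
     * names a registered resource reaches isAllowed(); the rest is denied.
     */
    public function canEditSection($roleId, $section)
    {
        if (!is_string($section) || !$this->has($section)) {
            return false; // unknown or malformed section: fail closed
        }
        return $this->isAllowed($roleId, $section, 'edit');
    }
}

$acl = new Example_Acl();
// Constructed inputs standing in for $request->getParam('section').
foreach (array('news', 'events', 'no-such-section', array('news')) as $section) {
    printf("%s => %s\n", json_encode($section),
        $acl->canEditSection('newsEditor', $section) ? 'allow' : 'deny');
}
```

An ownership assertion such as the one in the reply can be passed as the fourth argument to the same `allow()` call.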