Thursday, February 26, 2009

Re: [fw-auth] Extending Zend_Auth

Keith makes a good point... In the execution cycle of your application,
Zend_Auth is really only encountered during the AuthController
(authentication time), and the result of this operation is stored inside
the persistence mechanism (à la Zend_Session by default for Zend_Auth).

What I suggest is you create a Front Controller Plugin (you can even bypass
Zend_Acl for this) and simply, per request at preDispatch time, check
to ensure the user is not banned. If the user IS banned, you can then "log
them out". This effectively means this:

$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
    // do some logic to check for banning: re-query the user's row from
    // the database rather than trusting what is stored in the session
    if ($userRowJustQueried->is_banned == 'true') {
        $auth->clearIdentity();
        // send user to banned page

        $request->setDispatched(true);
    }
}

Hope that helps!
-Ralph


On 2/26/09 8:27 AM, "bennyg" <ben@magiconlinesolutions.co.uk> wrote:

>
> I can see what you mean about using Zend_Acl, but this still wouldn't solve
> my problem, as if I gave a user a role of banned then their old role would
> still be persisted in the session until the next time they authenticate.
>
> I could create a front controller plugin to reauthorise a user on each page
> load, but it seems far more logical to keep all the authentication in the
> same place.
>
> It would be interesting to know how others have handled this and what would
> be considered best practice.
>
>
> keith Pope-4 wrote:
>>
>> I think you are getting confused with authentication and
>> authorization. Authentication is making sure someone is who they say they
>> are. Authorization is making sure that person can access a resource.
>>
>> So you have Zend_Auth and Zend_Acl (Authentication & Authorization)
>>
>> You can do a check per request using an ACL assertion, à la a Front
>> Controller Plugin
>>
>> 2009/2/26 bennyg <ben@magiconlinesolutions.co.uk>:
>>>
>>> I've implemented Zend_Auth on a new project that I'm working on but would
>>> like
>>> to make a few changes to how it works.
>>>
>>> The main change I would like to make would be to reauthenticate a user on
>>> each page load so if I choose to ban them they get logged out instantly.
>>>
>>> To me it makes sense to implement this functionality within Zend_Auth by
>>> extending the class.
>>>
>>> I can only find one example of someone extending Zend_Auth so would like
>>> to
>>> check if this is the best method to solve my problem.
>>> --
>>> View this message in context:
>>> http://www.nabble.com/Extending-Zend_Auth-tp22223840p22223840.html
>>> Sent from the Zend Auth mailing list archive at Nabble.com.
>>>
>>>
>>
>>
>>
>> --
>> ----------------------------------------------------------------------
>> [MuTe]
>> ----------------------------------------------------------------------
>>
>>

--
Ralph Schindler
Software Engineer | ralph.schindler@zend.com
Zend Framework | http://framework.zend.com/
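Added example (not Ralph's snippet and not Zend Framework's own code): a complete
front controller plugin implementing the per-request ban check described in the
reply above. It assumes a hypothetical Zend_Db_Table subclass
Application_Model_DbTable_Users with columns `id` and `is_banned`, that the
identity Zend_Auth stores is the user's `id`, and that a `banned` action exists
on an `auth` controller in the `default` module. It re-queries the user row on
every request instead of trusting the copy persisted in the session, clears the
identity if the user is banned (or no longer exists), regenerates the session id
so the old session cannot be reused, and rewrites the request so the dispatch
loop serves the banned page instead of the originally requested action.

```php
<?php
// Added example; not code from the original thread or from Zend Framework.
// Assumptions: Application_Model_DbTable_Users (hypothetical Zend_Db_Table
// subclass) has columns `id` and `is_banned`; the Zend_Auth identity is the
// user's id; an auth/banned action exists in the default module.
class My_Plugin_BanCheck extends Zend_Controller_Plugin_Abstract
{
    /** @var Zend_Db_Table_Abstract */
    protected $_users;

    public function __construct(Zend_Db_Table_Abstract $users = null)
    {
        $this->_users = ($users !== null)
            ? $users
            : new Application_Model_DbTable_Users(); // hypothetical table class
    }

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $auth = Zend_Auth::getInstance();
        if (!$auth->hasIdentity()) {
            return; // anonymous request: nothing to check
        }

        // Re-query the user row on every request. find() looks up by primary
        // key with a bound parameter, so the identity value is never
        // interpolated into SQL.
        $row = $this->_users->find($auth->getIdentity())->current();

        if ($row === null || (string) $row->is_banned === 'true') {
            // Drop the identity from the persistence mechanism (Zend_Session
            // storage by default) and rotate the session id so the previous
            // session cookie is no longer tied to any server-side state.
            $auth->clearIdentity();
            Zend_Session::regenerateId();

            // Rewrite the request: the front controller's dispatch loop will
            // now dispatch auth/banned instead of the action the user asked
            // for. Since the identity is gone, this plugin does nothing on
            // that second pass, so there is no redirect loop.
            $request->setModuleName('default')
                    ->setControllerName('auth')
                    ->setActionName('banned')
                    ->setDispatched(true);
        }
    }
}

// Registration in a Zend_Application bootstrap (Bootstrap.php):
//
// protected function _initBanCheck()
// {
//     $this->bootstrap('frontController');
//     $front = $this->getResource('frontController');
//     $front->registerPlugin(new My_Plugin_BanCheck());
// }
```

The cost is one primary-key lookup per request, which is the price of making a
ban take effect immediately rather than at the next login. Treating a missing
row the same as a banned one is a deliberate choice: a session whose user record
has been deleted should not keep an authenticated identity either.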
