Friday, August 28, 2009

Re: [fw-mvc] MVC integration of Zend_Acl

Hi,

my implementation works like this:

* Modules are resources
* Controllers are resources, Module is parent
* Actions of controllers are privileges

Few examples:

* Orders_Index with permissions edit/create/delete
* Products_Index with permissions list/view
* Users_Index with permissions all (special type, allows access to all actions)

Tree is constructed as this:
role has privileges, where privilege is 1:1 to resource and where resource is 1:1 to module.

Permissions:

If privilege is defined, but role doesn't have access to it - deny
If privilege is not defined, role has access to it if it has access to resource
If privilege is "all", role has access to all resource privileges

Implementation:
I use database to store all relations and to have easy-to-use admin interface to control roles and permissions. Modules and resources are currently also stored in DB but are not allowed to edit.

There is controller plugin which checks if:

$acl->isAllowed(current_role, request_module . '_' . request_controller, request_action)

Same is used for Zend_Navigation, therefore I have Acl which controls access for a whole application.

That's how I see/use acl, any comments?

--
Juozas Kaziukėnas (juozas@juokaz.com)
Me on the internet - JuoKaz (http://www.juokaz.com)


On Fri, Aug 28, 2009 at 12:02 PM, Matthew Weier O'Phinney <matthew@zend.com> wrote:
-- jThierry <thierry@jossermoz.net> wrote
(on Thursday, 27 August 2009, 07:43 PM -0700):
> I've been working on a component to realise the MVC integration of Zend_Acl
> which is different from the proposal
> (http://framework.zend.com/wiki/pages/viewpage.action?pageId=39025) that
> seems to be on hold.
>
> I'm using an action helper to perform the checks at pre dispatch time on
> controllers implementing Zend_Acl_Resource_Interface instead of a plugin and
> am wondering if there's any underlying reason that would encourage the use
> of a plugin.
>
> I would really much appreciate your feedback on the action helper approach.
>
> The code can be found there: http://code.google.com/p/oolala/

While I tend to implement my ACLs in my service layer, I've also
implemented them at the controller layer before as well. Your approach
seems to me to be a natural fit with this latter approach, as it allows
you to explicitly define your controllers as resources, and perform the
checks at the point closest to the actual action.

--
Matthew Weier O'Phinney
Project Lead            | matthew@zend.com
Zend Framework          | http://framework.zend.com/
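
The three permission rules and the controller plugin check from the first message in this thread, expressed with Zend_Acl. This is an added example, not code posted by anyone in the thread; the role name, the sample grants, the lowercase resource ids, the class name Example_AclPlugin and the default/error/denied route are assumptions.

```php
<?php
// Assumes Zend Framework 1 is on the include path.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();
// Constructed sample data standing in for the database tables.
$defined = array(                        // privileges defined per module_controller
    'orders_index'   => array('edit', 'create', 'delete'),
    'products_index' => array('list', 'view'),
    'users_index'    => array(),
);
$granted = array('editor' => array(      // hypothetical role and its grants
    'orders_index' => array('edit', 'create'),
    'users_index'  => array('all'),
));

function buildAcl(array $defined, array $granted)
{
    $acl = new Zend_Acl();               // Zend_Acl denies everything by default
    foreach (array_keys($defined) as $id) {
        list($module) = explode('_', $id);
        if (!$acl->has($module)) $acl->addResource(new Zend_Acl_Resource($module));
        $acl->addResource(new Zend_Acl_Resource($id), $module);  // module is parent
    }
    foreach ($granted as $role => $resources) {
        $acl->addRole(new Zend_Acl_Role($role));
        foreach ($resources as $id => $privileges) {
            $acl->allow($role, $id);     // resource access covers undefined privileges
            $missing = in_array('all', $privileges)
                ? array() : array_diff($defined[$id], $privileges);
            if ($missing) {
                $acl->deny($role, $id, $missing);  // defined but not granted
            }
        }
    }
    return $acl;
}

class Example_AclPlugin extends Zend_Controller_Plugin_Abstract  // hypothetical name
{
    private $acl, $role;
    public function __construct(Zend_Acl $acl, $role) { $this->acl = $acl; $this->role = $role; }
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $id = $request->getModuleName() . '_' . $request->getControllerName();
        // isAllowed() throws on an unknown role or resource, so deny those up front.
        if ($this->acl->hasRole($this->role) && $this->acl->has($id)
            && $this->acl->isAllowed($this->role, $id, $request->getActionName())) {
            return;
        }
        $request->setModuleName('default')->setControllerName('error')->setActionName('denied');
    }
}
```

Because a privilege-specific deny is consulted before the resource-wide allow, a defined privilege that was not granted is refused while an undefined action on a granted controller passes. A controller that was never registered as a resource is denied rather than raising an exception.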

