TechQA.

Zend_ACL guest roles overide Adminstrator roles?

122 views Asked by At

I have created Zend_ACL with three roles :'administrator, guest, *edito*r'. I want guest cannot access /album/index after login. Administrator, editor can access /album/index. All other pages are accessible by all.

I created the access list below with Acl.php in helper.

/library/My/Helper/Acl.php:

public function __construct() {

    $this->acl = new Zend_Acl();
}

public function setRoles() {

    $this->acl->addRole(new Zend_Acl_Role('guest'));
    $this->acl->addRole(new Zend_Acl_Role('editor'));
    $this->acl->addRole(new Zend_Acl_Role('administrator'));

}

public function setResource () {



    $this->acl->add(new Zend_Acl_Resource('album::index'));
    $this->acl->add(new Zend_Acl_Resource('album::add'));
    $this->acl->add(new Zend_Acl_Resource('album::edit'));
    $this->acl->add(new Zend_Acl_Resource('album::delete'));
    $this->acl->add(new Zend_Acl_Resource('auth::index'));
    $this->acl->add(new Zend_Acl_Resource('auth::logout'));
    $this->acl->add(new Zend_Acl_Resource('error::error'));

}

public function setPrivilages() {

    $allowEditorAdmin=array('administrator','editor');
    $allowAll=array('administrator','guest','editor');
    $this->acl->allow($allowEditorAdmin,'album::index');
    $this->acl->allow($allowAll,'album::add');
    $this->acl->allow($allowAll,'album::edit');
    $this->acl->allow($allowAll,'album::delete');
    $this->acl->allow($allowAll,'auth::index');
    $this->acl->allow($allowAll,'auth::logout');
    $this->acl->allow($allowAll,'error::error');

Then, I create a plugin Acl.php

public function preDispatch(Zend_Controller_Request_Abstract $request) {

    $acl1 = new My_Controller_Helper_Acl();

    $acl = Zend_Registry::get('acl');
    $userNs = new Zend_Session_Namespace('members');
    if($userNs->userType=='')
    {

        $roleName='guest';
    }
    else
        $roleName=$userNs->userType;


if(!$acl->isAllowed($roleName,$request->getControllerName()."::".$request->getActionname()))
            {

        echo $request->getControllerName()."::".$request->getActionName();
        $request->setControllerName('auth');
        $request->setActionName('index');
    }

    else
        echo "got authenticated";

}

  • The problem is my code "isallowed" not work correctly. The 'guest,editor,administrator' cannot access to /album/index after authenticate successfully. They redirect to /auth/index

     if(!$acl->isAllowed($roleName,$request->getControllerName()."::".$request->getActionname()))
        {

    echo $request->getControllerName()."::".$request->getActionName();
    $request->setControllerName('auth');
    $request->setActionName('index');
}

else
    echo "got authenticated";       
}
zend-framework zend-auth zend-acl
Original Q&A
1

There are 1 answers

0
Janis Peisenieks On

As far as I can tell, You are using 2 different ACL instances, and never set up the appropriate ACL in the first place. I can share a bit of my own code, that does almost the same thing:

In Bootstrap.php

    $this->_acl = new Model_AuthAcl();

    //Check for access rights
    $fc = Zend_Controller_Front::getInstance();
    $fc->registerPlugin(new App_Plugin_AccessCheck($this->_acl));

In App_Plugin_AccessCheck

class App_Plugin_AccessCheck extends Zend_Controller_Plugin_Abstract
{

    private $_acl = null;

    public function __construct(Zend_Acl $acl)
    {
        $this->_acl = $acl;
    }

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $module = $request->getModuleName();
        $resource = $request->getControllerName();
        $action = $request->getActionName();



        try {
            if (!$this->_acl->isAllowed(Zend_Registry::get('role'), $module . ':' . $resource, $action)) {

                $request->setControllerName('authentication')->setModuleName('default')
                    ->setActionName('login');
            }
        }
        catch (Exception $ex) {
            if (APPLICATION_ENV == "development") {
                var_dump($ex->getMessage());
            }
        }

    }

}

In Model_AuthAcl

class Model_AuthAcl extends Zend_Acl
{

    /**
     * Creates the resource, role trees
     */
    public function __construct ()
    {
        //Create roles
        $this->addRole(new Zend_Acl_Role('guest')); 
        $this->addRole(new Zend_Acl_Role('user'), 'guest'); 
        $this->addRole(new Zend_Acl_Role('admin'), 'user'); 


        //Create resources
        //Default module
        $this->addResource(new Zend_Acl_Resource('default'))
             ->addResource(new Zend_Acl_Resource('default:authentication'), 'default')
             ->addResource(new Zend_Acl_Resource('default:error'), 'default')

        //Admin module
             ->addResource(new Zend_Acl_Resource('admin'))
             ->addResource(new Zend_Acl_Resource('admin:index'), 'admin')





        //Guest permissions
        $this->deny('guest')
             ->allow('guest', 'default:authentication', array('index', 'login', 'logout', 'email', 'forgot'))
             ->allow('guest', 'default:error', array('error'))
             ->allow('guest', 'api:authentication', array('index', 'get', 'head', 'post', 'put', 'delete'))

            //Admin permissions
             ->deny('admin', 'admin:admins')

        ;
    }
}

May not be the most OOP solution, bet it sure as hell works.

Hope this helps you set up your dream ACL :)

Related Questions in ZEND-FRAMEWORK

Related Questions in ZEND-AUTH

Related Questions in ZEND-ACL

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions