The Zend\Permissions\Acl component provides an access control list (ACL) implementation for privileges management.
Use Zend\Permissions\Acl\Acl to create a new instance of an ACL.
use Zend\Permissions\Acl\Acl;
$acl = new Acl();
A resource is an object to which access is controlled. Any ACL resources defined must implement Zend\Permissions\Acl\Resource\ResourceInterface and contain one method: getResourceId().
<?php
namespace Zend\Permissions\Acl\Resource;
interface ResourceInterface
{
/**
* Returns the string identifier of the Resource
*
* @return string
*/
public function getResourceId();
}
Zend\Permissions\Acl\Acl provides a tree structure to which multiple resources can be added.
use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole as Role;
use Zend\Permissions\Acl\Resource\GenericResource as Resource;
$acl = new Acl();
$acl->addResource(new Resource('someResource'));
Zend\Permissions\Acl\Acl also supports privileges on resources (e.g. “create”, “read”, “update”, “delete”), so the developer can assign rules that affect all privileges or specific privileges on one or more resources.
A role is an object that may request access to a Resource. To create a role you can use the addRole() method of the Zend\Permissions\Acl\Acl class. You can either pass in a role as a string or pass in an instance of the Zend\Permissions\Acl\Role\GenericRole class.
use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole as Role;
$acl = new Acl();
// Add groups to the Role registry using Zend\Permissions\Acl\Role\GenericRole
// Guest does not inherit access controls
$roleGuest = new Role('guest');
$acl->addRole($roleGuest);
// Staff inherits from guest
$acl->addRole(new Role('staff'), $roleGuest);
/*
Alternatively, the above could be written:
$acl->addRole(new Role('staff'), 'guest');
*/
// Editor inherits from staff
$acl->addRole(new Role('editor'), 'staff');
// Administrator does not inherit access controls
$acl->addRole(new Role('administrator'));
Assigning rules to a resource using allow() or deny()
use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole as Role;
use Zend\Permissions\Acl\Resource\GenericResource as Resource;
$acl = new Acl();
$acl->addRole(new Role('guest'))
->addRole(new Role('member'))
->addRole(new Role('admin'));
// A role may have several parents; later parents take priority when rules conflict
$parents = array('guest', 'member', 'admin');
$acl->addRole(new Role('someUser'), $parents);
$acl->addResource(new Resource('someResource'));
$acl->deny('guest', 'someResource');
$acl->allow('member', 'someResource');
echo $acl->isAllowed('someUser', 'someResource') ? 'allowed' : 'denied';
// allowed: 'member' is listed after 'guest', so its allow rule wins over the guest deny
The rules below continue the role hierarchy registered earlier (guest, staff, editor and administrator, with $roleGuest being the guest Role instance). Passing null as the resource applies a rule to all resources.
// Guest may only view content
$acl->allow($roleGuest, null, 'view');
/*
Alternatively, the above could be written:
$acl->allow('guest', null, 'view');
*/
// Staff inherits view privilege from guest, but also needs additional
// privileges
$acl->allow('staff', null, array('edit', 'submit', 'revise'));
// Editor inherits view, edit, submit, and revise privileges from
// staff, but also needs additional privileges
$acl->allow('editor', null, array('publish', 'archive', 'delete'));
// Administrator inherits nothing, but is allowed all privileges
$acl->allow('administrator');
To query the ACL, call the isAllowed() method with the role, resource and privilege.
echo $acl->isAllowed('guest', null, 'view') ?
"allowed" : "denied";
// allowed
echo $acl->isAllowed('staff', null, 'publish') ?
"allowed" : "denied";
// denied
echo $acl->isAllowed('staff', null, 'revise') ?
"allowed" : "denied";
// allowed
echo $acl->isAllowed('editor', null, 'view') ?
"allowed" : "denied";
// allowed because of inheritance from guest
echo $acl->isAllowed('editor', null, 'update') ?
"allowed" : "denied";
// denied because no allow rule for 'update'
echo $acl->isAllowed('administrator', null, 'view') ?
"allowed" : "denied";
// allowed because administrator is allowed all privileges
echo $acl->isAllowed('administrator') ?
"allowed" : "denied";
// allowed because administrator is allowed all privileges
echo $acl->isAllowed('administrator', null, 'update') ?
"allowed" : "denied";
// allowed because administrator is allowed all privileges
Removing Access Controls
To remove an access control rule, use the removeAllow() and removeDeny() methods; passing NULL as the privilege argument targets the rule that covers all privileges.
<?php
namespace Zend\Permissions\Acl;
class Acl implements AclInterface
{
....
/**
* Removes "allow" permissions from the ACL
*
* @param Role\RoleInterface|string|array $roles
* @param Resource\ResourceInterface|string|array $resources
* @param string|array $privileges
* @return Acl Provides a fluent interface
*/
public function removeAllow($roles = null, $resources = null, $privileges = null)
{
return $this->setRule(self::OP_REMOVE, self::TYPE_ALLOW, $roles, $resources, $privileges);
}
/**
* Removes "deny" restrictions from the ACL
*
* @param Role\RoleInterface|string|array $roles
* @param Resource\ResourceInterface|string|array $resources
* @param string|array $privileges
* @return Acl Provides a fluent interface
*/
public function removeDeny($roles = null, $resources = null, $privileges = null)
{
return $this->setRule(self::OP_REMOVE, self::TYPE_DENY, $roles, $resources, $privileges);
}
....
}
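The following script ties the rule, query and removal sections together. It is an added example, not code from the original article or from Zend Framework; it assumes Zend\Permissions\Acl (ZF 2.4) is installed through Composer, and the role, resource and privilege names are constructed for illustration.

```php
<?php
// Added example, not from the original article or the ZF documentation.
// Assumes Zend\Permissions\Acl (ZF 2.4) is installed via Composer; role,
// resource and privilege names are constructed for illustration.
require 'vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole as Role;
use Zend\Permissions\Acl\Resource\GenericResource as Resource;

$acl = new Acl();

// Role tree: staff inherits from guest, editor from staff; administrator stands alone
$acl->addRole(new Role('guest'))
    ->addRole(new Role('staff'), 'guest')
    ->addRole(new Role('editor'), 'staff')
    ->addRole(new Role('administrator'));

$acl->addResource(new Resource('article'));

// The ACL denies everything by default; each rule opens only what it names
$acl->allow('guest', 'article', 'view');
$acl->allow('staff', 'article', array('edit', 'submit'));
$acl->allow('editor', 'article', array('publish', 'delete'));
$acl->allow('administrator'); // every privilege on every resource

function report(Acl $acl, $role, $privilege)
{
    printf("%-13s %-8s %s\n", $role, $privilege,
        $acl->isAllowed($role, 'article', $privilege) ? 'allowed' : 'denied');
}

report($acl, 'editor', 'view');  // editor has no rule of its own; guest's allow is inherited via staff
report($acl, 'staff', 'delete'); // no rule anywhere in staff's chain, so the default applies

// A deny on the child role takes precedence over the allow it would inherit
$acl->deny('staff', 'article', 'view');
report($acl, 'staff', 'view');

// removeDeny() drops that rule, so inheritance from guest applies again
$acl->removeDeny('staff', 'article', 'view');
report($acl, 'staff', 'view');

// removeAllow() revokes one privilege without touching the others
$acl->removeAllow('editor', 'article', 'delete');
report($acl, 'editor', 'delete');
report($acl, 'editor', 'publish');

// With NULL privileges, removeAllow() removes the rule that covered all privileges
$acl->removeAllow('administrator');
report($acl, 'administrator', 'view'); // falls back to the default deny
```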
Note: This article is based on ZF version 2.4.