Zend ACL 适合我的需求吗?
我的应用程序基于 Zend Framework。我使用 Zend_Auth 进行身份验证,但我不确定 Zend_Acl 是否适合我,因为坦率地说,我看到的示例对于我的需求来说太简单了或者让我困惑。
我将应用程序中的元素视为资源,并且这些资源可以拥有特权。包含资源权限的角色是动态定义并分配给用户的。我将此信息存储在标准化表中。
- 用户有一个角色
- 一个角色可以有多个资源
- 资源可以有多个权限
角色实际上只是没有层次结构的资源权限的集合。资源的一个例子是“页面”。每个人都可以查看页面,但经过身份验证的用户需要“添加”、“编辑”或“删除”权限才能对页面执行任何其他操作。
这与 Zend ACL 相匹配吗?我对 ACL 的看法是否会给我带来问题?
我的解决方案
Typeonerror 获得了荣誉,但这是我的具体解决方案。
我扩展了 Zend_Acl 来简化使用,因为我只加载当前用户的角色:
class My_Acl extends Zend_Acl
{
protected $_role_id;
public function setRole($role_id)
{
$this->_role_id = $role_id;
return $this->addRole($role_id);
}
public function getRole()
{
return $this->_role_id;
}
public function deny($resource, $privilege)
{
return parent::deny($this->_role_id, $resource, $privilege);
}
public function allow($resource, $privilege)
{
return parent::allow($this->_role_id, $resource, $privilege);
}
public function isAllowed($resource, $privilege)
{
return parent::isAllowed($this->_role_id, $resource, $privilege);
}
}
为了填充 ACL,我执行一个返回 resource、privilege< 的查询/code> 和 role_id 列。如果用户的角色没有该权限,则结果集中的 role_id 列为空。
$acl = new My_Acl();
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
$userInfo = $auth->getStorage()->read();
$acl->setRole($userInfo->role_id);
} else {
$acl->setRole('');
}
// QUERY HERE
foreach ($privileges as $privilege) {
if (!$acl->has($privilege['resource'])) {
$acl->addResource($privilege['resource']);
}
if (is_null($privilege['role_id'])) {
$acl->deny($privilege['resource'], $privilege['privilege']);
} else {
$acl->allow($privilege['resource'], $privilege['privilege']);
}
}
I have based my application upon the Zend Framework. I am using Zend_Auth for authentication, but I'm not sure if Zend_Acl will work for me because, frankly, the examples I've seen are either too simplistic for my needs or confuse me.
I'm thinking of elements in my application as Resources and these Resources can have have Privileges. Roles containing Resource Privileges are dynamically defined assigned to users. I'm storing this information in normalized tables.
- Users have a Role
- A Role can have multiple Resources
- Resources can have multiple Privileges
Roles are really just collections of Resource Privileges with no hierarchy. An example of a Resource would be 'Page'. Everyone can view the pages, but a authenticated user would need 'add', 'edit', or 'delete' privileges to do anything else with pages.
Does this mesh with Zend ACL? Am I thinking ACL in a way that's going to create problems for me?
My Solution
Typeonerror gets the credit, but here's my specific solution.
I extended Zend_Acl to simplify my usage because I only load the role of the current user:
class My_Acl extends Zend_Acl
{
protected $_role_id;
public function setRole($role_id)
{
$this->_role_id = $role_id;
return $this->addRole($role_id);
}
public function getRole()
{
return $this->_role_id;
}
public function deny($resource, $privilege)
{
return parent::deny($this->_role_id, $resource, $privilege);
}
public function allow($resource, $privilege)
{
return parent::allow($this->_role_id, $resource, $privilege);
}
public function isAllowed($resource, $privilege)
{
return parent::isAllowed($this->_role_id, $resource, $privilege);
}
}
To populate the the ACL I execute a query which returns resource, privilege, and role_id columns. The role_id column is null in the result set if the user's role does not have that privilege.
$acl = new My_Acl();
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
$userInfo = $auth->getStorage()->read();
$acl->setRole($userInfo->role_id);
} else {
$acl->setRole('');
}
// QUERY HERE
foreach ($privileges as $privilege) {
if (!$acl->has($privilege['resource'])) {
$acl->addResource($privilege['resource']);
}
if (is_null($privilege['role_id'])) {
$acl->deny($privilege['resource'], $privilege['privilege']);
} else {
$acl->allow($privilege['resource'], $privilege['privilege']);
}
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这就是它的工作原理,我认为你正在以准确的方式思考它。您可以添加资源,然后添加权限以允许某些用户角色访问它们。例如,在我的 CMS 中,我有“开发人员”、“管理员”和“用户”。在下面的代码中,我添加了常规访问权限,然后从某些用户的访问权限中删除了一些操作和特定方法。当然,这对于我的应用程序来说非常具体,但基本上,您必须从 auth->getIdentity() (或类似的)获取用户的角色,然后从数据库添加您的角色/资源。
编辑
我想我还应该解释一下,我有一个
Typeoneerror_Controller_Plugin_Acl,每当请求任何资源时都会使用它。在这里,我创建了请求资源创建的“标签”,并检查用户是否有权访问该标签:That's exactly how it works and I think you're thinking about it in an accurate way. You can add your resources and then add privileges to allow certain user roles to access them. For example, in my CMS, I have "developers", "admins", and "users". In the code below I add general access and then remove some actions and specific methods from certain user's access. Of course this is pretty specific to my application but basically, you'd have to get the user's role from auth->getIdentity() (or similar) and then add your roles/resources from the database.
Edit
Guess I should also explain that I have an
Typeoneerror_Controller_Plugin_Aclwhich is used whenever any resource is requested. Here I create the "tag" that the requested resource makes and check whether the user has access to that tag: