        Practical Zend_ACL + Zend_Auth implementation and best practices
                  Problem description

                  Context:

                  My questions pertain to a forum I'm developing pretty much exactly like SO, where there are:

                  1. guests who have access to view threads but can't reply or vote
                  2. members who, with enough rep, can edit/vote others' threads, and by default they can reply and have the same privileges as guests
                  3. admins who can pretty much do anything

                  I would want this ACL to be applied site-wide, and by default deny all resources.

                  I read the basics of using Zend_Acl - in that you basically create roles ( guest, member, admin ) and either deny or allow resources ( controllers, methods ) to those roles. The documentation isn't very specific on how you should actually implement the acl code in your application, so I went looking on SO..

                  Came across a pretty useful stackoverflow answer from marek which sheds some light on the issue, however due to my unfamiliarity I still can't fully grok how to properly implement this with best practices in mind.

                  The poster has a static file configAcl.php in the application root which initializes the acl object, adds roles, creates a resource out of every controller, gives admin access to everything, gives normal access to everything but the admin and stores the acl object in the registry for later use.

                  $acl = new Zend_Acl();
                  
                  $roles  = array('admin', 'normal');
                  
                  // Controller script names. You have to add all of them if credential check
                  // is global to your application.
                  $controllers = array('auth', 'index', 'news', 'admin');
                  
                  foreach ($roles as $role) {
                      $acl->addRole(new Zend_Acl_Role($role));
                  }
                  foreach ($controllers as $controller) {
                      $acl->add(new Zend_Acl_Resource($controller));
                  }
                  
                  // Here comes credential definition for admin user.
                  $acl->allow('admin'); // Has access to everything.
                  
                  // Here comes credential definition for normal user.
                  $acl->allow('normal'); // Has access to everything...
                  $acl->deny('normal', 'admin'); // ... except the admin controller.
                  
                  // Finally I store whole ACL definition to registry for use
                  // in AuthPlugin plugin.
                  $registry = Zend_Registry::getInstance();
                  $registry->set('acl', $acl);
                  

                  Question #1 - Should this code be in the bootstrap, or in a standalone file such as this? If so would it be better if it was inside say, the library directory?

                  The second part of it is a new class extending the Zend Controller Plugin Abstract class which allows it to be hooked into auth/login, the logic is basically if the login fails, it redirects.. otherwise it grabs the acl object from the registry, grabs the identity, and determines if the user is allowed to view this resource.

                  $identity = $auth->getIdentity();
                  
                  $frontController->registerPlugin(new AuthPlugin());
                  

                  Question #2 - How exactly would I code the auth plugin part that actually returns the identity of the user? I realize that he had some code below that generated an Auth adapter db table object which would query a database table's column by user id and credential ( hashed pass check ).. I'm confused on where this fits in with the getIdentity part.

                  Let's say my users table was composed of this data:

                  user_id    user_name    level
                  1          superadmin   3
                  2          john         2
                  3          example.com  1
                  

                  Where level 3 = admin, 2 = member, 1 = guest.

                  Question #3 - where exactly is a good place to put the above auth code in? Inside of the login controller?

                  Question #4 - another poster replies with his article on how the acl logic should be done inside models, yet the specific method which he uses is not natively supported and requires a workaround, is this feasible? And is this really how it ideally should be done?

                  Solution

                  My implementation:

                  Question #1

                  class App_Model_Acl extends Zend_Acl
                  {   
                      const ROLE_GUEST        = 'guest';
                      const ROLE_USER         = 'user';
                      const ROLE_PUBLISHER    = 'publisher';
                      const ROLE_EDITOR       = 'editor';
                      const ROLE_ADMIN        = 'admin';
                      const ROLE_GOD          = 'god';
                  
                      protected static $_instance;
                  
                      /* Singleton pattern */
                      protected function __construct()
                      {
                          $this->addRole(new Zend_Acl_Role(self::ROLE_GUEST));
                          $this->addRole(new Zend_Acl_Role(self::ROLE_USER), self::ROLE_GUEST);
                          $this->addRole(new Zend_Acl_Role(self::ROLE_PUBLISHER), self::ROLE_USER);
                          $this->addRole(new Zend_Acl_Role(self::ROLE_EDITOR), self::ROLE_PUBLISHER);
                          $this->addRole(new Zend_Acl_Role(self::ROLE_ADMIN), self::ROLE_EDITOR);
                  
                          //unique role for superadmin
                          $this->addRole(new Zend_Acl_Role(self::ROLE_GOD));
                  
                          $this->allow(self::ROLE_GOD);
                  
                          /* Adding new resources */
                          $this->add(new Zend_Acl_Resource('mvc:users'))
                               ->add(new Zend_Acl_Resource('mvc:users.auth'), 'mvc:users')
                               ->add(new Zend_Acl_Resource('mvc:users.list'), 'mvc:users');
                  
                          $this->allow(null, 'mvc:users', array('index', 'list'));
                          $this->allow('guest', 'mvc:users.auth', array('index', 'login'));
                          $this->allow('guest', 'mvc:users.list', array('index', 'list'));
                          $this->deny(array('user'), 'mvc:users.auth', array('login'));
                  
                  
                          /* Adding new resources */
                          $moduleResource = new Zend_Acl_Resource('mvc:snippets');
                          $this->add($moduleResource)
                               ->add(new Zend_Acl_Resource('mvc:snippets.crud'), $moduleResource)
                               ->add(new Zend_Acl_Resource('mvc:snippets.list'), $moduleResource);
                  
                          $this->allow(null, $moduleResource, array('index', 'list'));
                          $this->allow('user', 'mvc:snippets.crud', array('create', 'update', 'delete', 'read', 'list'));
                          $this->allow('guest', 'mvc:snippets.list', array('index', 'list'));
                  
                          return $this;
                      }
                  
                      protected static $_user;
                  
                      public static function setUser(Users_Model_User $user = null)
                      {
                          if (null === $user) {
                              throw new InvalidArgumentException('$user is null');
                          }
                  
                          self::$_user = $user;
                      }
                  
                      /**
                       * 
                       * @return App_Model_Acl
                       */
                      public static function getInstance()
                      {
                          if (null === self::$_instance) {
                              self::$_instance = new self();
                          }
                          return self::$_instance;
                      }
                  
                      public static function resetInstance()
                      {
                          self::$_instance = null;
                          self::getInstance();
                      }
                  }
                  
                  
                  
                  class Smapp extends Bootstrap // class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
                  {
                      /**
                       * @var App_Model_User
                       */
                      protected static $_currentUser;
                  
                      public function __construct($application)
                      {
                          parent::__construct($application);
                      }
                  
                      public static function setCurrentUser(Users_Model_User $user)
                      {
                          self::$_currentUser = $user;
                      }
                  
                      /**
                       * @return App_Model_User
                       */
                      public static function getCurrentUser()
                      {
                          if (null === self::$_currentUser) {
                              self::setCurrentUser(Users_Service_User::getUserModel());
                          }
                          return self::$_currentUser;
                      }
                  
                      /**
                       * @return App_Model_User
                       */
                      public static function getCurrentUserId()
                      {
                          $user = self::getCurrentUser();
                          return $user->getId();
                      }
                  
                  }
                  

                  in class bootstrap

                  protected function _initUser()
                  {
                      $auth = Zend_Auth::getInstance();
                      if ($auth->hasIdentity()) {
                          if ($user = Users_Service_User::findOneByOpenId($auth->getIdentity())) {
                              $userLastAccess = strtotime($user->last_access);
                              //update the date of the last login time in 5 minutes
                              if ((time() - $userLastAccess) > 60*5) {
                                  $date = new Zend_Date();
                                  $user->last_access = $date->toString('YYYY-MM-dd HH:mm:ss');
                                  $user->save();
                              }
                              Smapp::setCurrentUser($user);
                          }
                      }
                      return Smapp::getCurrentUser();
                  }
                  
                  protected function _initAcl()
                  {
                      $acl = App_Model_Acl::getInstance();
                      Zend_View_Helper_Navigation_HelperAbstract::setDefaultAcl($acl);
                      Zend_View_Helper_Navigation_HelperAbstract::setDefaultRole(Smapp::getCurrentUser()->role);
                      Zend_Registry::set('Zend_Acl', $acl);
                      return $acl;
                  }
                  

                  and Front_Controller_Plugin

                  class App_Plugin_Auth extends Zend_Controller_Plugin_Abstract
                  {
                      private $_identity;
                  
                      /**
                       * the acl object
                       *
                       * @var zend_acl
                       */
                      private $_acl;
                  
                      /**
                       * the page to direct to if there is a current
                       * user but they do not have permission to access
                       * the resource
                       *
                       * @var array
                       */
                      private $_noacl = array('module' => 'admin',
                                               'controller' => 'error',
                                               'action' => 'no-auth');
                  
                      /**
                       * the page to direct to if there is not current user
                       *
                       * @var unknown_type
                       */
                      private $_noauth = array('module' => 'users',
                                               'controller' => 'auth',
                                               'action' => 'login');
                  
                  
                      /**
                       * validate the current user's request
                       *
                       * @param zend_controller_request $request
                       */
                      public function preDispatch(Zend_Controller_Request_Abstract $request)
                      {
                          $this->_identity = Smapp::getCurrentUser();
                          $this->_acl = App_Model_Acl::getInstance();
                  
                          if (!empty($this->_identity)) {
                              $role = $this->_identity->role;
                          } else {
                              $role = null;
                          }
                  
                          $controller = $request->controller;
                          $module = $request->module;
                          $controller = $controller;
                          $action = $request->action;
                  
                          //go from more specific to less specific
                          $moduleLevel = 'mvc:'.$module;
                          $controllerLevel = $moduleLevel . '.' . $controller;
                          $privelege = $action;
                  
                  
                          if ($this->_acl->has($controllerLevel)) {
                              $resource = $controllerLevel;
                          } else {
                              $resource = $moduleLevel;
                          }
                  
                          if ($module != 'default' && $controller != 'index') {
                              if ($this->_acl->has($resource) && !$this->_acl->isAllowed($role, $resource, $privelege)) {
                                  if (!$this->_identity) {
                                      $request->setModuleName($this->_noauth['module']);
                                      $request->setControllerName($this->_noauth['controller']);
                                      $request->setActionName($this->_noauth['action']);
                                      //$request->setParam('authPage', 'login');
                                  } else {
                                     $request->setModuleName($this->_noacl['module']);
                                     $request->setControllerName($this->_noacl['controller']);
                                     $request->setActionName($this->_noacl['action']);
                                     //$request->setParam('authPage', 'noauth');
                                 }
                                 throw new Exception('Access denied. ' . $resource . '::' . $role);
                              }
                          }
                      }
                  }
                  

                  and finally - Auth_Controller :)

                  class Users_AuthController extends Smapp_Controller_Action 
                  {   
                      //session
                      protected $_storage;
                  
                      public function getStorage()
                      {
                          if (null === $this->_storage) {
                              $this->_storage = new Zend_Session_Namespace(__CLASS__);
                          }
                          return $this->_storage;
                      }
                  
                      public function indexAction()
                      {
                          return $this->_forward('login');
                      }
                  
                      public function loginAction()
                      {   
                          $openId = null;
                          if ($this->getRequest()->isPost() and $openId = ($this->_getParam('openid_identifier', false))) {
                              //do nothing
                          } elseif (!isset($_GET['openid_mode'])) {
                              return; 
                          }
                  
                          //$userService = $this->loadService('User');
                  
                          $userService = new Users_Service_User();
                  
                          $result = $userService->authenticate($openId, $this->getResponse());
                  
                          if ($result->isValid()) {
                              $identity = $result->getIdentity();
                              if (!$identity['Profile']['display_name']) {
                                  return $this->_helper->redirector->gotoSimpleAndExit('update', 'profile');
                              }
                              $this->_redirect('/');
                          } else {
                              $this->view->errorMessages = $result->getMessages();
                          }
                      }
                  
                      public function logoutAction()
                      {
                          $auth = Zend_Auth::getInstance();
                          $auth->clearIdentity();
                          //Zend_Session::destroy();
                          $this->_redirect('/');
                      }
                  }
                  

                  Question #2

                  keep it inside Zend_Auth.

                  after successful auth - write identity in storage. $auth->getStorage()->write($result->getIdentity());

                  the identity - is simply user_id

                  DB design

                  CREATE TABLE `user` (
                    `id` bigint(20) NOT NULL AUTO_INCREMENT,
                    `open_id` varchar(255) NOT NULL,
                    `role` varchar(20) NOT NULL,
                    `last_access` datetime NOT NULL,
                    `created_at` datetime NOT NULL,
                    PRIMARY KEY (`id`),
                    UNIQUE KEY `open_id` (`open_id`)
                  ) ENGINE=InnoDB  DEFAULT CHARSET=utf8;
                  
                  CREATE TABLE `user_profile` (
                    `user_id` bigint(20) NOT NULL,
                    `display_name` varchar(100) DEFAULT NULL,
                    `email` varchar(100) DEFAULT NULL,
                    `real_name` varchar(100) DEFAULT NULL,
                    `website_url` varchar(255) DEFAULT NULL,
                    `location` varchar(100) DEFAULT NULL,
                    `birthday` date DEFAULT NULL,
                    `about_me` text,
                    `view_count` int(11) NOT NULL DEFAULT '0',
                    `updated_at` datetime NOT NULL,
                    PRIMARY KEY (`user_id`)
                  ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
                  

                  some sugar

                  /**
                   * SM's code library
                   * 
                   * @category    
                   * @package     
                   * @subpackage  
                   * @copyright   Copyright (c) 2009 Pavel V Egorov
                   * @author      Pavel V Egorov
                   * @link        http://epavel.ru/
                   * @since       08.09.2009
                   */
                  
                  
                  class Smapp_View_Helper_IsAllowed extends Zend_View_Helper_Abstract
                  {
                      protected $_acl;
                      protected $_user;
                  
                      public function isAllowed($resource = null, $privilege = null)
                      {
                          return (bool) $this->getAcl()->isAllowed($this->getUser(), $resource, $privilege);
                      }
                  
                      /**
                       * @return App_Model_Acl
                       */
                      public function getAcl()
                      {
                          if (null === $this->_acl) {
                              $this->setAcl(App_Model_Acl::getInstance());
                          }
                          return $this->_acl;
                      }
                  
                      /**
                       * @return Smapp_View_Helper_IsAllowed
                       */
                      public function setAcl(Zend_Acl $acl)
                      {
                          $this->_acl = $acl;
                          return $this;
                      }
                  
                      /**
                       * @return Users_Model_User
                       */
                      public function getUser()
                      {
                          if (null === $this->_user) {
                              $this->setUser(Smapp::getCurrentUser());
                          }
                          return $this->_user;
                      }
                  
                      /**
                       * @return Smapp_View_Helper_IsAllowed
                       */
                      public function setUser(Users_Model_User $user)
                      {
                          $this->_user = $user;
                          return $this;
                      }
                  
                  }
                  

                  for things like this in any view script

                   <?php if ($this->isAllowed('mvc:snippets.crud', 'update')) : ?>
                      <a title="Edit &laquo;<?=$this->escape($snippetInfo['title'])?>&raquo; snippet">Edit</a>
                   <?php endif?>
                  

                  Questions? :)
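
The helper in the answer above hands the user object and the resource straight to `Zend_Acl::isAllowed()`, which throws when the role or the resource is not registered in the ACL. The following is an added example, not part of the original answer, of a check that treats that case as a denial; `Example_User`, `buildExampleAcl()`, `isAllowedFailClosed()`, the `read` privilege and the `moderator` role value are assumptions made for illustration.

```php
<?php
// Added example. Assumes Zend Framework 1 is on the include_path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

// Hypothetical stand-in for the user model: the `role` column is the ACL role id.
class Example_User implements Zend_Acl_Role_Interface
{
    protected $_role;

    public function __construct($role)
    {
        $this->_role = (string) $role;
    }

    public function getRoleId()
    {
        return $this->_role;
    }
}

// Constructed rules for the guest/member/admin roles; Zend_Acl denies whatever is not allowed.
function buildExampleAcl()
{
    $acl = new Zend_Acl();
    $acl->addRole(new Zend_Acl_Role('guest'));
    $acl->addRole(new Zend_Acl_Role('member'), 'guest'); // member inherits guest's rules
    $acl->addRole(new Zend_Acl_Role('admin'));
    $acl->addResource(new Zend_Acl_Resource('mvc:snippets.crud'));
    $acl->allow('guest', 'mvc:snippets.crud', 'read');
    $acl->allow('member', 'mvc:snippets.crud', 'update');
    $acl->allow('admin'); // every resource, every privilege
    return $acl;
}

// Fail closed: an unregistered role or resource makes Zend_Acl throw; treat that as "deny".
function isAllowedFailClosed(Zend_Acl $acl, Zend_Acl_Role_Interface $user, $resource, $privilege)
{
    try {
        return (bool) $acl->isAllowed($user, $resource, $privilege);
    } catch (Zend_Acl_Exception $e) {
        return false;
    }
}

$acl = buildExampleAcl();
foreach (array('guest', 'member', 'admin', 'moderator') as $role) { // 'moderator' is not registered
    var_dump($role, isAllowedFailClosed($acl, new Example_User($role), 'mvc:snippets.crud', 'update'));
}
```

A view-level check like this only decides whether the link is rendered; the action behind the link has to run the same ACL check on the server.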
