Complex ACL [cross post]


Complex ACL [cross post]

ajmurray
Hello everyone, (Please forgive my cross post here, I am not getting any response in the Zend Framework group, thought I might have better luck here, even though it is more an ACL thread rather than an Auth thread)

It has been a while since my last post, (I think that was around 1.5.0ish).  Anyhow, I had stepped away from web projects for a while, and now I am back to the great new 1.9.x, and am a little lost with the whole Zend_Application, but I am working hard to catch up.  Anyhow Zend_Auth and Zend_Acl have always been my nemesis, but I think I have them figured out now to a degree.  I am starting a new personal project that will be pretty similar to a CMS with blogging, forums, and several other features to begin with.  So what got me thinking, (and while reading up on CMS frameworks that exist, that I could be using but I would rather write my own, it is more fun that way), is to build the base application without defining any content types at all, then create the content-types on the fly with the base framework in place.  I probably lost everyone with that pathetic description, but I have a visual concept in my own mind of what I mean.  Anyhow, getting down to the whole Acl thing what I want to accomplish is something like this:

- Start with a base user object.

- Each base user has a profile (which *actually* I think the required fields should be part of the user record, and the profile should be somewhat generic to be extensible to a UserProfile, WebsiteProfile, AuthorProfile, etc, not necessarily related to a site user, but more general), for now this will be a one to one relationship.

- Each user will belong to one or more groups, and each group will contain one or more users, this will be a many to many relationship.

- Next we have a base resource, be it a module, controller, action, model, or individual record (article, profile, etc)

- A user can have a role for one or more resources.

- A group can have a role for one or more resources.

- Roles could be either most restrictive (group_roles *OR* user_roles) or least restrictive (group_roles *AND* user_roles)

Queries would look like (forgive the syntax, it's just conceptual right now):

$uid = 11;
$gid = 12;
$rid = 14; // resource: article
// Roles may include Author, Editor, Publisher, etc.
// A user/group may include one or more roles (i.e. Author and Editor, but not Publisher)
// $db is assumed to be a PDO connection; values are bound, not interpolated into the SQL
$stmt = $db->prepare('SELECT role FROM UserRoles WHERE uid = ? AND rid = ?');
$stmt->execute(array($uid, $rid));
$rolesByUser = $stmt->fetchAll(PDO::FETCH_COLUMN);
$stmt = $db->prepare('SELECT role FROM GroupRoles WHERE gid = ? AND rid = ?');
$stmt->execute(array($gid, $rid));
$rolesByGroup = $stmt->fetchAll(PDO::FETCH_COLUMN);
// Union of both lists (array_combine would pair them as key => value, which is not the intent)
$roles = array();
foreach (array_unique(array_merge($rolesByUser, $rolesByGroup)) as $roleId) {
    $roles[] = new Zend_Acl_Role($roleId);
}
Where $roles would be an array of Zend_Acl_Role objects.

I have attached a `sample` drawing of the database layout, however maybe think of this layout as more of a model layout, where the `tables` could actually be xml files / config files, or some other method of storage, the data does not necessarily have to come from a database, again, this is just my vision of the whole thing (and likely it will be primarily relational database tables nonetheless).

Anyhow, what I am trying to do is come up with a fairly generic, extensible, flexible, robust, (insert other great buzzwords here), Acl structure.  Any feedback, suggestions on the best way to code this, modifications, or general criticisms about my logic (including your logic and why it's better than mine) would be most appreciated.

Thanks
Aaron
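The following is an added example, not code from Aaron's post or from Zend Framework: it takes the user-role and group-role tables described above as in-memory arrays (constructed sample data), combines them under the two policies the post names (taken here as intersection for "most restrictive" and union for "least restrictive"), and then checks the resulting role set against a Zend_Acl. It assumes Zend Framework 1.9 is on the include_path; the function names `effectiveRoles` and `anyRoleAllowed` are my own.

```php
<?php
// Added example: effective roles from user + group assignments, checked
// against a Zend_Acl. Assumes ZF 1.9 on the include_path (assumption).
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

// Constructed stand-ins for the UserRoles / GroupRoles tables:
// uid-or-gid => (rid => list of role ids)
$userRoles  = array(11 => array(14 => array('author', 'editor')));
$groupRoles = array(12 => array(14 => array('editor', 'publisher')));

// 'restrictive' keeps a role only if the user AND every group grant it
// (intersection); 'permissive' keeps any role granted by either (union).
function effectiveRoles($uid, array $gids, $rid, array $userRoles, array $groupRoles, $policy)
{
    $roles = isset($userRoles[$uid][$rid]) ? $userRoles[$uid][$rid] : array();
    foreach ($gids as $gid) {
        $fromGroup = isset($groupRoles[$gid][$rid]) ? $groupRoles[$gid][$rid] : array();
        $roles = ($policy === 'restrictive')
            ? array_intersect($roles, $fromGroup)
            : array_merge($roles, $fromGroup);
    }
    return array_values(array_unique($roles));
}

// Zend_Acl::isAllowed() takes a single role, so a subject holding several
// roles needs a loop. The check passes if any effective role is allowed and
// fails closed when none is (or when the role set is empty). hasRole() guards
// against the registry exception an unknown role id would raise.
function anyRoleAllowed(Zend_Acl $acl, array $roles, $resource, $privilege)
{
    foreach ($roles as $role) {
        if ($acl->hasRole($role) && $acl->isAllowed($role, $resource, $privilege)) {
            return true;
        }
    }
    return false;
}

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('author'))
    ->addRole(new Zend_Acl_Role('editor'))
    ->addRole(new Zend_Acl_Role('publisher'));
$acl->add(new Zend_Acl_Resource('article'));
$acl->allow('author', 'article', array('create', 'edit'));
$acl->allow('editor', 'article', array('edit', 'review'));
$acl->allow('publisher', 'article', 'publish');

// User 11 in group 12, resource 14 (article): the two policies give different
// role sets, and only the permissive one carries the 'publish' privilege.
foreach (array('restrictive', 'permissive') as $policy) {
    $roles = effectiveRoles(11, array(12), 14, $userRoles, $groupRoles, $policy);
    printf("%-11s roles=%-25s publish=%s\n", $policy, implode(',', $roles),
        anyRoleAllowed($acl, $roles, 'article', 'publish') ? 'yes' : 'no');
}
```

With the sample tables, the restrictive policy leaves only `editor` (the one role both the user and the group grant), so `publish` is denied; the permissive policy yields `author,editor,publisher` and `publish` is granted. The point worth keeping in mind is that every extra role in the union widens what the subject can do, which is the direction Jamie's reply below argues against.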


Re: Complex ACL [cross post]

Jamie Krasnoo
Your implementation of the Acl looks really complicated when it
doesn't need to be. If you find yourself assigning multiple roles to a
user, you should step back and take a look at what you're doing. A lot
of the rules you described should be dynamic assertions. Using
multiple Acl objects for permissions is a pain, and Zend_Acl really
isn't designed to do that.

You should read the blog post that Ralph Schindler made on dynamic
assertions. You'll want to rethink everything after you've read it.
You'll find it here:
http://ralphschindler.com/2009/08/13/dynamic-assertions-for-zend_acl-in-zf

Keep it simple.

Jamie

On Fri, Aug 28, 2009 at 3:09 PM, netlynx <[hidden email]> wrote:

> [...]
>
> http://www.nabble.com/file/p25197810/acl_layout.png
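As an added illustration of the dynamic-assertion approach Jamie recommends (my own code, not Jamie's, Ralph Schindler's, or Zend Framework's): a single `author` role, an `edit` privilege on `article`, and a `Zend_Acl_Assert_Interface` implementation that allows the edit only when the article's owner is the user asking. It assumes Zend Framework 1.9 on the include_path and a `Zend_Acl` that hands the original role and resource objects through to the assertion (the behaviour the linked post relies on); `User`, `Article` and `OwnerAssertion` are hypothetical stand-ins for application models.

```php
<?php
// Added example: "an author may edit only their own article" expressed as a
// dynamic assertion instead of per-record roles. Assumes ZF 1.9 on the
// include_path; User/Article/OwnerAssertion are hypothetical (assumption).
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Role/Interface.php';
require_once 'Zend/Acl/Resource/Interface.php';
require_once 'Zend/Acl/Assert/Interface.php';

// A user object acts as the role: the ACL sees only getRoleId() ('author'),
// while the assertion receives the whole object and can read its id.
class User implements Zend_Acl_Role_Interface
{
    public $id;
    public $roleId;
    public function __construct($id, $roleId) { $this->id = $id; $this->roleId = $roleId; }
    public function getRoleId() { return $this->roleId; }
}

// An article record acts as the resource: the ACL sees 'article', the
// assertion sees the record and its owner.
class Article implements Zend_Acl_Resource_Interface
{
    public $id;
    public $ownerId;
    public function __construct($id, $ownerId) { $this->id = $id; $this->ownerId = $ownerId; }
    public function getResourceId() { return 'article'; }
}

class OwnerAssertion implements Zend_Acl_Assert_Interface
{
    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        // Fail closed: if isAllowed() was called with bare ids rather than the
        // model objects, there is no owner to compare, so deny instead of guessing.
        if (!$role instanceof User || !$resource instanceof Article) {
            return false;
        }
        return $role->id === $resource->ownerId;
    }
}

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('author'));
$acl->add(new Zend_Acl_Resource('article'));
// One rule, one role; the per-record decision lives in the assertion.
$acl->allow('author', 'article', 'edit', new OwnerAssertion());

$alice = new User(11, 'author');   // constructed sample data
$bob   = new User(12, 'author');
$post  = new Article(7, 11);       // owned by Alice

var_dump($acl->isAllowed($alice, $post, 'edit'));
var_dump($acl->isAllowed($bob, $post, 'edit'));
var_dump($acl->isAllowed('author', 'article', 'edit'));
```

Run as written, Alice's check is allowed, Bob's is denied, and the third call (string ids only) is denied by the fail-closed branch. Compared with the user-role and group-role tables in the original post, there is one role and one rule to audit, and the ownership check cannot drift out of sync with a role assignment table because it reads the record itself at decision time.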