new Zend_Acl

classic Classic list List threaded Threaded
20 messages Options
Reply | Threaded
Open this post in threaded view
|

new Zend_Acl

Darby Felton
Hi all,

As you may have seen from framework SVN history, the development branch
of Zend_Acl on which I had been working is now merged to the previous
version contained in the incubator.

There is certainly room for improvement in this latest version, and I
would encourage review and welcome feedback to help us focus on the
areas most in need of attention.

I would like to extend a very special thanks to Simon Mundy for his
excellent work on the first version of Zend_Acl, on which this new
design is based. Also, thanks to everyone who has had a hand in the
design discussions, implementation, testing, and feedback along the way!

Best regards,
Darby
Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Matthew Ratzloff
Good work, Darby!

Although I know that ACO, ARO, etc. are somewhat standard names, I can't
help but think that there may be more natural, descriptive names for these
concepts.

Zend_Acl_Aco: Zend_Acl_Operation, Zend_Acl_Action, Zend_Acl_Ability
Zend_Acl_Aro: Zend_Acl_User, Zend_Acl_Entity

Are these set in stone?

-Matt

----- Original Message -----
From: "Darby Felton" <[hidden email]>
To: "Zend Auth List" <[hidden email]>
Cc: "Simon Mundy" <[hidden email]>
Sent: Thursday, December 14, 2006 6:30 PM
Subject: [fw-auth] new Zend_Acl


> Hi all,
>
> As you may have seen from framework SVN history, the development branch
> of Zend_Acl on which I had been working is now merged to the previous
> version contained in the incubator.
>
> There is certainly room for improvement in this latest version, and I
> would encourage review and welcome feedback to help us focus on the
> areas most in need of attention.
>
> I would like to extend a very special thanks to Simon Mundy for his
> excellent work on the first version of Zend_Acl, on which this new
> design is based. Also, thanks to everyone who has had a hand in the
> design discussions, implementation, testing, and feedback along the way!
>
> Best regards,
> Darby

Reply | Threaded
Open this post in threaded view
|

RE: new Zend_Acl

Andi Gutmans
I personally also got confused by Aro and Aco and voiced my opinion about
that a few times :)
If I'm not the only one then it really might make sense to rename. Your
names sound like a good starting point. I know that I'll never get used to
Aco and Aro no matter how many times I remind myself what they mean.
If we can agree on final names then make that change should be very simple
but preferably before 0.6 (which is frozen end of day tomorrow :'(

Andi

> -----Original Message-----
> From: Matthew Ratzloff [mailto:[hidden email]]
> Sent: Thursday, December 14, 2006 10:22 PM
> To: Zend Auth List
> Subject: Re: [fw-auth] new Zend_Acl
>
> Good work, Darby!
>
> Although I know that ACO, ARO, etc. are somewhat standard
> names, I can't help but think that there may be more natural,
> descriptive names for these concepts.
>
> Zend_Acl_Aco: Zend_Acl_Operation, Zend_Acl_Action, Zend_Acl_Ability
> Zend_Acl_Aro: Zend_Acl_User, Zend_Acl_Entity
>
> Are these set in stone?
>
> -Matt
>
> ----- Original Message -----
> From: "Darby Felton" <[hidden email]>
> To: "Zend Auth List" <[hidden email]>
> Cc: "Simon Mundy" <[hidden email]>
> Sent: Thursday, December 14, 2006 6:30 PM
> Subject: [fw-auth] new Zend_Acl
>
>
> > Hi all,
> >
> > As you may have seen from framework SVN history, the
> development branch
> > of Zend_Acl on which I had been working is now merged to
> the previous
> > version contained in the incubator.
> >
> > There is certainly room for improvement in this latest
> version, and I
> > would encourage review and welcome feedback to help us focus on the
> > areas most in need of attention.
> >
> > I would like to extend a very special thanks to Simon Mundy for his
> > excellent work on the first version of Zend_Acl, on which this new
> > design is based. Also, thanks to everyone who has had a hand in the
> > design discussions, implementation, testing, and feedback
> along the way!
> >
> > Best regards,
> > Darby
>

Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Bill Karwin from Zend
I admit every time I see the term Aro I think of the Harry Nilsson song
from the 1970's, "Me and My Arrow".

My apologies if I have caused that song to get stuck in anyone's head!

Bill

Andi Gutmans wrote:

> I personally also got confused by Aro and Aco and voiced my opinion about
> that a few times :)
> If I'm not the only one then it really might make sense to rename. Your
> names sound like a good starting point. I know that I'll never get used to
> Aco and Aro no matter how many times I remind myself what they mean.
> If we can agree on final names then make that change should be very simple
> but preferably before 0.6 (which is frozen end of day tomorrow :'(
>
> Andi
>
>  
>> -----Original Message-----
>> From: Matthew Ratzloff [mailto:[hidden email]]
>> Sent: Thursday, December 14, 2006 10:22 PM
>> To: Zend Auth List
>> Subject: Re: [fw-auth] new Zend_Acl
>>
>> Good work, Darby!
>>
>> Although I know that ACO, ARO, etc. are somewhat standard
>> names, I can't help but think that there may be more natural,
>> descriptive names for these concepts.
>>
>> Zend_Acl_Aco: Zend_Acl_Operation, Zend_Acl_Action, Zend_Acl_Ability
>> Zend_Acl_Aro: Zend_Acl_User, Zend_Acl_Entity
>>
>> Are these set in stone?
>>
>> -Matt
>>
>> ----- Original Message -----
>> From: "Darby Felton" <[hidden email]>
>> To: "Zend Auth List" <[hidden email]>
>> Cc: "Simon Mundy" <[hidden email]>
>> Sent: Thursday, December 14, 2006 6:30 PM
>> Subject: [fw-auth] new Zend_Acl
>>
>>
>>    
>>> Hi all,
>>>
>>> As you may have seen from framework SVN history, the
>>>      
>> development branch
>>    
>>> of Zend_Acl on which I had been working is now merged to
>>>      
>> the previous
>>    
>>> version contained in the incubator.
>>>
>>> There is certainly room for improvement in this latest
>>>      
>> version, and I
>>    
>>> would encourage review and welcome feedback to help us focus on the
>>> areas most in need of attention.
>>>
>>> I would like to extend a very special thanks to Simon Mundy for his
>>> excellent work on the first version of Zend_Acl, on which this new
>>> design is based. Also, thanks to everyone who has had a hand in the
>>> design discussions, implementation, testing, and feedback
>>>      
>> along the way!
>>    
>>> Best regards,
>>> Darby
>>>      
>
>
>  

Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

akrabat
In reply to this post by Matthew Ratzloff
Matthew Ratzloff wrote:
> Good work, Darby!

Yeah, it's looking good!

> Although I know that ACO, ARO, etc. are somewhat standard names, I can't
> help but think that there may be more natural, descriptive names for
> these concepts.
>
> Zend_Acl_Aco: Zend_Acl_Operation, Zend_Acl_Action, Zend_Acl_Ability
> Zend_Acl_Aro: Zend_Acl_User, Zend_Acl_Entity
>
> Are these set in stone?
>

I too would prefer more descriptive terms as I keep confusing the two! I
know the "longer" terms don't necessarily capture the full capabilities
of the technical terms, but I don't care!

i.e. I can cope if I need to mentally translate that "this http
connection from that server" is a Zend_Acl_User object when I worry
about if I let it see some data. For me, it's much easier to think like
that than to think about  "that http connection" as an ARO, as I then
need to think about what an ARO is...


Regards,

Rob...
Reply | Threaded
Open this post in threaded view
|

RE: new Zend_Acl

Andi Gutmans
Do you like the proposed names? Any other suggestions?

> -----Original Message-----
> From: Rob Allen [mailto:[hidden email]]
> Sent: Thursday, December 14, 2006 10:59 PM
> To: Zend Auth List
> Subject: Re: [fw-auth] new Zend_Acl
>
> Matthew Ratzloff wrote:
> > Good work, Darby!
>
> Yeah, it's looking good!
>
> > Although I know that ACO, ARO, etc. are somewhat standard names, I
> > can't help but think that there may be more natural,
> descriptive names
> > for these concepts.
> >
> > Zend_Acl_Aco: Zend_Acl_Operation, Zend_Acl_Action, Zend_Acl_Ability
> > Zend_Acl_Aro: Zend_Acl_User, Zend_Acl_Entity
> >
> > Are these set in stone?
> >
>
> I too would prefer more descriptive terms as I keep confusing
> the two! I know the "longer" terms don't necessarily capture
> the full capabilities of the technical terms, but I don't care!
>
> i.e. I can cope if I need to mentally translate that "this
> http connection from that server" is a Zend_Acl_User object
> when I worry about if I let it see some data. For me, it's
> much easier to think like that than to think about  "that
> http connection" as an ARO, as I then need to think about
> what an ARO is...
>
>
> Regards,
>
> Rob...
>

Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

aheimlich
In reply to this post by Matthew Ratzloff
I like Zend_Acl_User (and could see it forming the base of a more advanced "user" class which could also tell whether or not the user is properly authenticated and possibly other things), but I don't think that any of the suggestions for replacing Zend_Acl_Aco quite fit. They seem to be describing the actions one would take on a access-restricted object rather than the object itself (unless I'm misinterperating what an ACO is). I honestly can't think of a better name to describe an object to which access is being restricted than what we already have.

Matthew Ratzloff wrote
Good work, Darby!

Although I know that ACO, ARO, etc. are somewhat standard names, I can't
help but think that there may be more natural, descriptive names for these
concepts.

Zend_Acl_Aco: Zend_Acl_Operation, Zend_Acl_Action, Zend_Acl_Ability
Zend_Acl_Aro: Zend_Acl_User, Zend_Acl_Entity

Are these set in stone?

-Matt
Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Markus Wolff-4
In reply to this post by Andi Gutmans
Andi Gutmans schrieb:
> I personally also got confused by Aro and Aco and voiced my opinion about
> that a few times :)
> If I'm not the only one then it really might make sense to rename.

You certainly aren't :-)

CU
  Markus

Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Tony Brady
In reply to this post by aheimlich
How about Zend_Acl_Target for the ACO since it is the object being  
targeted by the request for access?

Tony

On 15 Dec 2006, at 09:47, AHeimlich wrote:

>
> I like Zend_Acl_User (and could see it forming the base of a more  
> advanced
> "user" class which could also tell whether or not the user is properly
> authenticated and possibly other things), but I don't think that  
> any of the
> suggestions for replacing Zend_Acl_Aco quite fit. They seem to be  
> describing
> the actions one would take on a access-restricted object rather  
> than the
> object itself (unless I'm misinterperating what an ACO is). I  
> honestly can't
> think of a better name to describe an object to which access is being
> restricted than what we already have.
>
>
> Matthew Ratzloff wrote:
>>
>> Good work, Darby!
>>
>> Although I know that ACO, ARO, etc. are somewhat standard names, I  
>> can't
>> help but think that there may be more natural, descriptive names  
>> for these
>> concepts.
>>
>> Zend_Acl_Aco: Zend_Acl_Operation, Zend_Acl_Action, Zend_Acl_Ability
>> Zend_Acl_Aro: Zend_Acl_User, Zend_Acl_Entity
>>
>> Are these set in stone?
>>
>> -Matt
>>
>
> --
> View this message in context: http://www.nabble.com/new-Zend_Acl- 
> tf2824824s16154.html#a7888667
> Sent from the Zend Auth mailing list archive at Nabble.com.

Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Darby Felton
In reply to this post by Matthew Ratzloff
Hi Matt,

Yes, I also agree that these names, though somewhat descriptive, are
likely confusing. The problem with renaming is that it is hard to do for
these classes, but I think we have a solution now. Read on. :)

For example, an ACO need not be an operation, action, or ability. In
fact the "privileges" support upon ACOs is likely more strongly
correlated to such terms. We need something more generic.

Tony Brady's suggestion of ACO --> Zend_Acl_Target is the best
suggestion I've heard so far, and I'm tempted to go with this in the
absence of other suggestions. Thanks, Tony!

For ARO, again, we need a more generic name. Not all AROs represent
users (e.g., roles, groups), but "entity" is too generic.

What about *Zend_Acl_Requester*?

I intend to rename these ARO and ACO entities for clarity, and it is a
trivial matter for users to do this, too. Just write class names that
makes sense to you:

class AccessRequester extends Zend_Acl_Aro
class User implements Zend_Acl_Aro_Interface

class AccessTarget extends Zend_Acl_Aco
class Building implements Zend_Acl_Aco_Interface

Others' thoughts?

Best regards,
Darby

Matthew Ratzloff wrote:

> Good work, Darby!
>
> Although I know that ACO, ARO, etc. are somewhat standard names, I can't
> help but think that there may be more natural, descriptive names for
> these concepts.
>
> Zend_Acl_Aco: Zend_Acl_Operation, Zend_Acl_Action, Zend_Acl_Ability
> Zend_Acl_Aro: Zend_Acl_User, Zend_Acl_Entity
>
> Are these set in stone?
>
> -Matt
>
> ----- Original Message ----- From: "Darby Felton" <[hidden email]>
> To: "Zend Auth List" <[hidden email]>
> Cc: "Simon Mundy" <[hidden email]>
> Sent: Thursday, December 14, 2006 6:30 PM
> Subject: [fw-auth] new Zend_Acl
>
>
>> Hi all,
>>
>> As you may have seen from framework SVN history, the development branch
>> of Zend_Acl on which I had been working is now merged to the previous
>> version contained in the incubator.
>>
>> There is certainly room for improvement in this latest version, and I
>> would encourage review and welcome feedback to help us focus on the
>> areas most in need of attention.
>>
>> I would like to extend a very special thanks to Simon Mundy for his
>> excellent work on the first version of Zend_Acl, on which this new
>> design is based. Also, thanks to everyone who has had a hand in the
>> design discussions, implementation, testing, and feedback along the way!
>>
>> Best regards,
>> Darby
>
>
Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Darby Felton
What about "Resource" as a substitute for "ACO"?

What about "Role" as a substitute for "ARO"?

I'm a bit unsure of "Role," since an ARO would very often represent a
user, and it might be confusing to equate a user with a role, since,
depending on your situation, you might consider a user to be able to
assume various roles and/or to be a member of various groups. But maybe
that's not confusing in terms of using Zend_Acl, I'm not sure.

(Thanks to Andi for the suggestions!)

What does everyone think?

Best regards,
Darby

Darby Felton wrote:

> Hi Matt,
>
> Yes, I also agree that these names, though somewhat descriptive, are
> likely confusing. The problem with renaming is that it is hard to do for
> these classes, but I think we have a solution now. Read on. :)
>
> For example, an ACO need not be an operation, action, or ability. In
> fact the "privileges" support upon ACOs is likely more strongly
> correlated to such terms. We need something more generic.
>
> Tony Brady's suggestion of ACO --> Zend_Acl_Target is the best
> suggestion I've heard so far, and I'm tempted to go with this in the
> absence of other suggestions. Thanks, Tony!
>
> For ARO, again, we need a more generic name. Not all AROs represent
> users (e.g., roles, groups), but "entity" is too generic.
>
> What about *Zend_Acl_Requester*?
>
> I intend to rename these ARO and ACO entities for clarity, and it is a
> trivial matter for users to do this, too. Just write class names that
> makes sense to you:
>
> class AccessRequester extends Zend_Acl_Aro
> class User implements Zend_Acl_Aro_Interface
>
> class AccessTarget extends Zend_Acl_Aco
> class Building implements Zend_Acl_Aco_Interface
>
> Others' thoughts?
>
> Best regards,
> Darby
>
> Matthew Ratzloff wrote:
>> Good work, Darby!
>>
>> Although I know that ACO, ARO, etc. are somewhat standard names, I can't
>> help but think that there may be more natural, descriptive names for
>> these concepts.
>>
>> Zend_Acl_Aco: Zend_Acl_Operation, Zend_Acl_Action, Zend_Acl_Ability
>> Zend_Acl_Aro: Zend_Acl_User, Zend_Acl_Entity
>>
>> Are these set in stone?
>>
>> -Matt
>>
>> ----- Original Message ----- From: "Darby Felton" <[hidden email]>
>> To: "Zend Auth List" <[hidden email]>
>> Cc: "Simon Mundy" <[hidden email]>
>> Sent: Thursday, December 14, 2006 6:30 PM
>> Subject: [fw-auth] new Zend_Acl
>>
>>
>>> Hi all,
>>>
>>> As you may have seen from framework SVN history, the development branch
>>> of Zend_Acl on which I had been working is now merged to the previous
>>> version contained in the incubator.
>>>
>>> There is certainly room for improvement in this latest version, and I
>>> would encourage review and welcome feedback to help us focus on the
>>> areas most in need of attention.
>>>
>>> I would like to extend a very special thanks to Simon Mundy for his
>>> excellent work on the first version of Zend_Acl, on which this new
>>> design is based. Also, thanks to everyone who has had a hand in the
>>> design discussions, implementation, testing, and feedback along the way!
>>>
>>> Best regards,
>>> Darby
>>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Lars Strojny-2
Hi,

Am Freitag, den 15.12.2006, 12:36 -0500 schrieb Darby Felton:
> What about "Resource" as a substitute for "ACO"?

Maybe Zend_Acl_Rule or Zend_Acl_Paradigm or Zend_Acl_Meme?

> What about "Role" as a substitute for "ARO"?

I would prefer this, yes.

Greets, Lars
--
      "Kriterium des Wahren ist nicht seine unmittelbare
          Kommunizierbarkeit an jedermann"
         -- Theodor Wiesengrund Adorno, aus: »Negative Dialektik«

name: Lars H. Strojny      web: http://strojny.net 
street: Engelsstraße 23    blog: http://usrportage.de
city: D-51103 Köln         mail/jabber: [hidden email]
f-print: 1FD5 D8EE D996 8E3E 1417  328A 240F 17EB 0263 AC07

signature.asc (844 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Rob Marscher
In reply to this post by Darby Felton
I've also used "Resource" for "ACO" in another application.  The name we
used for an "ARO" was "Caller."
-Rob

[first post here... but I've been reading for a while]

Darby Felton wrote:

> What about "Resource" as a substitute for "ACO"?
>
> What about "Role" as a substitute for "ARO"?
>
> I'm a bit unsure of "Role," since an ARO would very often represent a
> user, and it might be confusing to equate a user with a role, since,
> depending on your situation, you might consider a user to be able to
> assume various roles and/or to be a member of various groups. But maybe
> that's not confusing in terms of using Zend_Acl, I'm not sure.
>
> (Thanks to Andi for the suggestions!)
>
> What does everyone think?
>
> Best regards,
> Darby
>
> Darby Felton wrote:
>  
>> Hi Matt,
>>
>> Yes, I also agree that these names, though somewhat descriptive, are
>> likely confusing. The problem with renaming is that it is hard to do for
>> these classes, but I think we have a solution now. Read on. :)
>>
>> For example, an ACO need not be an operation, action, or ability. In
>> fact the "privileges" support upon ACOs is likely more strongly
>> correlated to such terms. We need something more generic.
>>
>> Tony Brady's suggestion of ACO --> Zend_Acl_Target is the best
>> suggestion I've heard so far, and I'm tempted to go with this in the
>> absence of other suggestions. Thanks, Tony!
>>
>> For ARO, again, we need a more generic name. Not all AROs represent
>> users (e.g., roles, groups), but "entity" is too generic.
>>
>> What about *Zend_Acl_Requester*?
>>
>> I intend to rename these ARO and ACO entities for clarity, and it is a
>> trivial matter for users to do this, too. Just write class names that
>> makes sense to you:
>>
>> class AccessRequester extends Zend_Acl_Aro
>> class User implements Zend_Acl_Aro_Interface
>>
>> class AccessTarget extends Zend_Acl_Aco
>> class Building implements Zend_Acl_Aco_Interface
>>
>> Others' thoughts?
>>
>> Best regards,
>> Darby
>>
>> Matthew Ratzloff wrote:
>>    
>>> Good work, Darby!
>>>
>>> Although I know that ACO, ARO, etc. are somewhat standard names, I can't
>>> help but think that there may be more natural, descriptive names for
>>> these concepts.
>>>
>>> Zend_Acl_Aco: Zend_Acl_Operation, Zend_Acl_Action, Zend_Acl_Ability
>>> Zend_Acl_Aro: Zend_Acl_User, Zend_Acl_Entity
>>>
>>> Are these set in stone?
>>>
>>> -Matt
>>>
>>> ----- Original Message ----- From: "Darby Felton" <[hidden email]>
>>> To: "Zend Auth List" <[hidden email]>
>>> Cc: "Simon Mundy" <[hidden email]>
>>> Sent: Thursday, December 14, 2006 6:30 PM
>>> Subject: [fw-auth] new Zend_Acl
>>>
>>>
>>>      
>>>> Hi all,
>>>>
>>>> As you may have seen from framework SVN history, the development branch
>>>> of Zend_Acl on which I had been working is now merged to the previous
>>>> version contained in the incubator.
>>>>
>>>> There is certainly room for improvement in this latest version, and I
>>>> would encourage review and welcome feedback to help us focus on the
>>>> areas most in need of attention.
>>>>
>>>> I would like to extend a very special thanks to Simon Mundy for his
>>>> excellent work on the first version of Zend_Acl, on which this new
>>>> design is based. Also, thanks to everyone who has had a hand in the
>>>> design discussions, implementation, testing, and feedback along the way!
>>>>
>>>> Best regards,
>>>> Darby
>>>>        
>>    
>
>  
Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Ralph Schindler
In reply to this post by Darby Felton
-1 on Target.  To me the api should read as close to english as
possible.  For example, if you use words like requester and target, you
then have to explain what relationship requesters have to targets.

I prefer more natural words, even though its not a list in the technical
sense, whats wrong with Zend_Acl_List?  To me, in the ACL world, without
knowing much about ACL, I inherently understand how the List and the
Requester might interact with one another.

Another option simply could be stick closer to the words that make up
the ACL (pattern):
Zend_Acl_ControlList
Zend_Acl_Accessor

Together, you can jump to the conclusion, without knowing much about
ACL, how they interrelate.

Darby Felton wrote:

> Hi Matt,
>
> Yes, I also agree that these names, though somewhat descriptive, are
> likely confusing. The problem with renaming is that it is hard to do for
> these classes, but I think we have a solution now. Read on. :)
>
> For example, an ACO need not be an operation, action, or ability. In
> fact the "privileges" support upon ACOs is likely more strongly
> correlated to such terms. We need something more generic.
>
> Tony Brady's suggestion of ACO --> Zend_Acl_Target is the best
> suggestion I've heard so far, and I'm tempted to go with this in the
> absence of other suggestions. Thanks, Tony!
>
> For ARO, again, we need a more generic name. Not all AROs represent
> users (e.g., roles, groups), but "entity" is too generic.
>
> What about *Zend_Acl_Requester*?
>
> I intend to rename these ARO and ACO entities for clarity, and it is a
> trivial matter for users to do this, too. Just write class names that
> makes sense to you:
>
> class AccessRequester extends Zend_Acl_Aro
> class User implements Zend_Acl_Aro_Interface
>
> class AccessTarget extends Zend_Acl_Aco
> class Building implements Zend_Acl_Aco_Interface
>
> Others' thoughts?
>
> Best regards,
> Darby
>
> Matthew Ratzloff wrote:
>> Good work, Darby!
>>
>> Although I know that ACO, ARO, etc. are somewhat standard names, I can't
>> help but think that there may be more natural, descriptive names for
>> these concepts.
>>
>> Zend_Acl_Aco: Zend_Acl_Operation, Zend_Acl_Action, Zend_Acl_Ability
>> Zend_Acl_Aro: Zend_Acl_User, Zend_Acl_Entity
>>
>> Are these set in stone?
>>
>> -Matt
>>
>> ----- Original Message ----- From: "Darby Felton" <[hidden email]>
>> To: "Zend Auth List" <[hidden email]>
>> Cc: "Simon Mundy" <[hidden email]>
>> Sent: Thursday, December 14, 2006 6:30 PM
>> Subject: [fw-auth] new Zend_Acl
>>
>>
>>> Hi all,
>>>
>>> As you may have seen from framework SVN history, the development branch
>>> of Zend_Acl on which I had been working is now merged to the previous
>>> version contained in the incubator.
>>>
>>> There is certainly room for improvement in this latest version, and I
>>> would encourage review and welcome feedback to help us focus on the
>>> areas most in need of attention.
>>>
>>> I would like to extend a very special thanks to Simon Mundy for his
>>> excellent work on the first version of Zend_Acl, on which this new
>>> design is based. Also, thanks to everyone who has had a hand in the
>>> design discussions, implementation, testing, and feedback along the way!
>>>
>>> Best regards,
>>> Darby
>>
>
>

Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Darby Felton
Ralph Schindler wrote:
> -1 on Target.  To me the api should read as close to english as
> possible.  For example, if you use words like requester and target, you
> then have to explain what relationship requesters have to targets.

Yes, I would prefer to think of it as a "Requester" requests access to a
"Resource." The Requester is the ARO, and the Resource is the ACO.

> I prefer more natural words, even though its not a list in the technical
> sense, whats wrong with Zend_Acl_List?  To me, in the ACL world, without
> knowing much about ACL, I inherently understand how the List and the
> Requester might interact with one another.
>
> Another option simply could be stick closer to the words that make up
> the ACL (pattern):
> Zend_Acl_ControlList
> Zend_Acl_Accessor
>
> Together, you can jump to the conclusion, without knowing much about
> ACL, how they interrelate.

Hmm. I think that Zend_Acl is the access control list class, and naming
the ACO ControlList does little to say what it is - a component to which
access is managed by the ACL. An ACO represents the "Resource" (or
"access target") of the Requester.

Best regards,
Darby


>
> Darby Felton wrote:
>> Hi Matt,
>>
>> Yes, I also agree that these names, though somewhat descriptive, are
>> likely confusing. The problem with renaming is that it is hard to do for
>> these classes, but I think we have a solution now. Read on. :)
>>
>> For example, an ACO need not be an operation, action, or ability. In
>> fact the "privileges" support upon ACOs is likely more strongly
>> correlated to such terms. We need something more generic.
>>
>> Tony Brady's suggestion of ACO --> Zend_Acl_Target is the best
>> suggestion I've heard so far, and I'm tempted to go with this in the
>> absence of other suggestions. Thanks, Tony!
>>
>> For ARO, again, we need a more generic name. Not all AROs represent
>> users (e.g., roles, groups), but "entity" is too generic.
>>
>> What about *Zend_Acl_Requester*?
>>
>> I intend to rename these ARO and ACO entities for clarity, and it is a
>> trivial matter for users to do this, too. Just write class names that
>> makes sense to you:
>>
>> class AccessRequester extends Zend_Acl_Aro
>> class User implements Zend_Acl_Aro_Interface
>>
>> class AccessTarget extends Zend_Acl_Aco
>> class Building implements Zend_Acl_Aco_Interface
>>
>> Others' thoughts?
>>
>> Best regards,
>> Darby
>>
>> Matthew Ratzloff wrote:
>>> Good work, Darby!
>>>
>>> Although I know that ACO, ARO, etc. are somewhat standard names, I can't
>>> help but think that there may be more natural, descriptive names for
>>> these concepts.
>>>
>>> Zend_Acl_Aco: Zend_Acl_Operation, Zend_Acl_Action, Zend_Acl_Ability
>>> Zend_Acl_Aro: Zend_Acl_User, Zend_Acl_Entity
>>>
>>> Are these set in stone?
>>>
>>> -Matt
>>>
>>> ----- Original Message ----- From: "Darby Felton" <[hidden email]>
>>> To: "Zend Auth List" <[hidden email]>
>>> Cc: "Simon Mundy" <[hidden email]>
>>> Sent: Thursday, December 14, 2006 6:30 PM
>>> Subject: [fw-auth] new Zend_Acl
>>>
>>>
>>>> Hi all,
>>>>
>>>> As you may have seen from framework SVN history, the development branch
>>>> of Zend_Acl on which I had been working is now merged to the previous
>>>> version contained in the incubator.
>>>>
>>>> There is certainly room for improvement in this latest version, and I
>>>> would encourage review and welcome feedback to help us focus on the
>>>> areas most in need of attention.
>>>>
>>>> I would like to extend a very special thanks to Simon Mundy for his
>>>> excellent work on the first version of Zend_Acl, on which this new
>>>> design is based. Also, thanks to everyone who has had a hand in the
>>>> design discussions, implementation, testing, and feedback along the
>>>> way!
>>>>
>>>> Best regards,
>>>> Darby
>>>
>>
>>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Shekar C Reddy
In reply to this post by Darby Felton
I second:
 
User, Role (or Group)
 


 
On 12/15/06, Darby Felton <[hidden email]> wrote:
What about "Resource" as a substitute for "ACO"?

What about "Role" as a substitute for "ARO"?

I'm a bit unsure of "Role," since an ARO would very often represent a
user, and it might be confusing to equate a user with a role, since,
depending on your situation, you might consider a user to be able to
assume various roles and/or to be a member of various groups. But maybe
that's not confusing in terms of using Zend_Acl, I'm not sure.

(Thanks to Andi for the suggestions!)

What does everyone think?

Best regards,
Darby

Darby Felton wrote:

> Hi Matt,
>
> Yes, I also agree that these names, though somewhat descriptive, are
> likely confusing. The problem with renaming is that it is hard to do for
> these classes, but I think we have a solution now. Read on. :)
>
> For example, an ACO need not be an operation, action, or ability. In
> fact the "privileges" support upon ACOs is likely more strongly
> correlated to such terms. We need something more generic.
>
> Tony Brady's suggestion of ACO --> Zend_Acl_Target is the best
> suggestion I've heard so far, and I'm tempted to go with this in the
> absence of other suggestions. Thanks, Tony!
>
> For ARO, again, we need a more generic name. Not all AROs represent
> users (e.g., roles, groups), but "entity" is too generic.
>
> What about *Zend_Acl_Requester*?

>
> I intend to rename these ARO and ACO entities for clarity, and it is a
> trivial matter for users to do this, too. Just write class names that
> makes sense to you:
>
> class AccessRequester extends Zend_Acl_Aro
> class User implements Zend_Acl_Aro_Interface
>
> class AccessTarget extends Zend_Acl_Aco
> class Building implements Zend_Acl_Aco_Interface
>
> Others' thoughts?
>
> Best regards,
> Darby
>
> Matthew Ratzloff wrote:
>> Good work, Darby!
>>
>> Although I know that ACO, ARO, etc. are somewhat standard names, I can't
>> help but think that there may be more natural, descriptive names for
>> these concepts.
>>
>> Zend_Acl_Aco: Zend_Acl_Operation, Zend_Acl_Action, Zend_Acl_Ability
>> Zend_Acl_Aro: Zend_Acl_User, Zend_Acl_Entity
>>
>> Are these set in stone?
>>
>> -Matt
>>
>> ----- Original Message ----- From: "Darby Felton" <[hidden email]>
>> To: "Zend Auth List" <[hidden email]>
>> Cc: "Simon Mundy" <[hidden email]>
>> Sent: Thursday, December 14, 2006 6:30 PM
>> Subject: [fw-auth] new Zend_Acl
>>
>>
>>> Hi all,
>>>
>>> As you may have seen from framework SVN history, the development branch
>>> of Zend_Acl on which I had been working is now merged to the previous
>>> version contained in the incubator.
>>>
>>> There is certainly room for improvement in this latest version, and I
>>> would encourage review and welcome feedback to help us focus on the
>>> areas most in need of attention.
>>>
>>> I would like to extend a very special thanks to Simon Mundy for his
>>> excellent work on the first version of Zend_Acl, on which this new
>>> design is based. Also, thanks to everyone who has had a hand in the
>>> design discussions, implementation, testing, and feedback along the way!
>>>
>>> Best regards,
>>> Darby
>>
>
>

Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Ralph Schindler
In reply to this post by Darby Felton
After scanning the code, I understand what you are saying.  I am +1 on
"Resource" and "Requester".

Other notes: are the fluent interfaces gone now?  I do not see magic
methods to be able to do like the docs suggest:

echo $acl->newsletter->pending->valid($aro->guest, 'view') ?
      "allowed" : "denied"; // allowed

as an example?

-ralph


Darby Felton wrote:

> Ralph Schindler wrote:
>> -1 on Target.  To me the api should read as close to english as
>> possible.  For example, if you use words like requester and target, you
>> then have to explain what relationship requesters have to targets.
>
> Yes, I would prefer to think of it as a "Requester" requests access to a
> "Resource." The Requester is the ARO, and the Resource is the ACO.
>
>> I prefer more natural words, even though its not a list in the technical
>> sense, whats wrong with Zend_Acl_List?  To me, in the ACL world, without
>> knowing much about ACL, I inherently understand how the List and the
>> Requester might interact with one another.
>>
>> Another option simply could be stick closer to the words that make up
>> the ACL (pattern):
>> Zend_Acl_ControlList
>> Zend_Acl_Accessor
>>
>> Together, you can jump to the conclusion, without knowing much about
>> ACL, how they interrelate.
>
> Hmm. I think that Zend_Acl is the access control list class, and naming
> the ACO ControlList does little to say what it is - a component to which
> access is managed by the ACL. An ACO represents the "Resource" (or
> "access target") of the Requester.
>
> Best regards,
> Darby
Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Darby Felton
Hi Ralph,

I think I'll go with "Resource" and "Role," since "Role" is shorter and
probably is not too confusing... though little is set in stone at this
point, I suspect.

Indeed, the fluent interfaces as you show below are gone in this new
version. Though it looks nice to write:

$acl->newsletter->pending->valid($aro->guest, 'view')

I think it might not be best practice to dynamically code such queries.

The above may now be written:

$acl->isAllowed('guest', 'pending', 'view');
$acl->isAllowed('guest', 'newsletter/pending', 'view');

Depending on how you want to identify your Resources (e.g., pending
newsletters).

By the way, there is new documentation for Zend_Acl in the incubator for
this new version; please update your working copy or just visit:

http://framework.zend.com/wiki/display/ZFDOC/Zend_Acl

The sections are out of order here (i.e., Advanced Use is supposed to be
last), but this is a known issue for the wikification of the docbook
sources.

Otherwise, it appears that the wiki version has been fixed since I
announced its previous outdated state. :)

Best regards,
Darby

Ralph Schindler wrote:

> After scanning the code, I understand what you are saying.  I am +1 on
> "Resource" and "Requester".
>
> Other notes: are the fluent interfaces gone now?  I do not see magic
> methods to be able to do like the docs suggest:
>
> echo $acl->newsletter->pending->valid($aro->guest, 'view') ?
>      "allowed" : "denied"; // allowed
>
> as an example?
>
> -ralph
>
>
> Darby Felton wrote:
>> Ralph Schindler wrote:
>>> -1 on Target.  To me the api should read as close to english as
>>> possible.  For example, if you use words like requester and target, you
>>> then have to explain what relationship requesters have to targets.
>>
>> Yes, I would prefer to think of it as a "Requester" requests access to a
>> "Resource." The Requester is the ARO, and the Resource is the ACO.
>>
>>> I prefer more natural words, even though its not a list in the technical
>>> sense, whats wrong with Zend_Acl_List?  To me, in the ACL world, without
>>> knowing much about ACL, I inherently understand how the List and the
>>> Requester might interact with one another.
>>>
>>> Another option simply could be stick closer to the words that make up
>>> the ACL (pattern):
>>> Zend_Acl_ControlList
>>> Zend_Acl_Accessor
>>>
>>> Together, you can jump to the conclusion, without knowing much about
>>> ACL, how they interrelate.
>>
>> Hmm. I think that Zend_Acl is the access control list class, and naming
>> the ACO ControlList does little to say what it is - a component to which
>> access is managed by the ACL. An ACO represents the "Resource" (or
>> "access target") of the Requester.
>>
>> Best regards,
>> Darby
>
>
Reply | Threaded
Open this post in threaded view
|

Re: new Zend_Acl

Darby Felton
Oh I forgot to mention that if we should get overwhelming desire from
the user community to support such fluent interfaces, it should not be
difficult to provide it.

Thanks again for your support!

Best regards,
Darby

Darby Felton wrote:

> Hi Ralph,
>
> I think I'll go with "Resource" and "Role," since "Role" is shorter and
> probably is not too confusing... though little is set in stone at this
> point, I suspect.
>
> Indeed, the fluent interfaces as you show below are gone in this new
> version. Though it looks nice to write:
>
> $acl->newsletter->pending->valid($aro->guest, 'view')
>
> I think it might not be best practice to dynamically code such queries.
>
> The above may now be written:
>
> $acl->isAllowed('guest', 'pending', 'view');
> $acl->isAllowed('guest', 'newsletter/pending', 'view');
>
> Depending on how you want to identify your Resources (e.g., pending
> newsletters).
>
> By the way, there is new documentation for Zend_Acl in the incubator for
> this new version; please update your working copy or just visit:
>
> http://framework.zend.com/wiki/display/ZFDOC/Zend_Acl
>
> The sections are out of order here (i.e., Advanced Use is supposed to be
> last), but this is a known issue for the wikification of the docbook
> sources.
>
> Otherwise, it appears that the wiki version has been fixed since I
> announced its previous outdated state. :)
>
> Best regards,
> Darby
>
> Ralph Schindler wrote:
>> After scanning the code, I understand what you are saying.  I am +1 on
>> "Resource" and "Requester".
>>
>> Other notes: are the fluent interfaces gone now?  I do not see magic
>> methods to be able to do like the docs suggest:
>>
>> echo $acl->newsletter->pending->valid($aro->guest, 'view') ?
>>      "allowed" : "denied"; // allowed
>>
>> as an example?
>>
>> -ralph
>>
>>
>> Darby Felton wrote:
>>> Ralph Schindler wrote:
>>>> -1 on Target.  To me the api should read as close to english as
>>>> possible.  For example, if you use words like requester and target, you
>>>> then have to explain what relationship requesters have to targets.
>>> Yes, I would prefer to think of it as a "Requester" requests access to a
>>> "Resource." The Requester is the ARO, and the Resource is the ACO.
>>>
>>>> I prefer more natural words, even though its not a list in the technical
>>>> sense, whats wrong with Zend_Acl_List?  To me, in the ACL world, without
>>>> knowing much about ACL, I inherently understand how the List and the
>>>> Requester might interact with one another.
>>>>
>>>> Another option simply could be stick closer to the words that make up
>>>> the ACL (pattern):
>>>> Zend_Acl_ControlList
>>>> Zend_Acl_Accessor
>>>>
>>>> Together, you can jump to the conclusion, without knowing much about
>>>> ACL, how they interrelate.
>>> Hmm. I think that Zend_Acl is the access control list class, and naming
>>> the ACO ControlList does little to say what it is - a component to which
>>> access is managed by the ACL. An ACO represents the "Resource" (or
>>> "access target") of the Requester.
>>>
>>> Best regards,
>>> Darby
>>
>
Reply | Threaded
Open this post in threaded view
|

RE: new Zend_Acl

Andi Gutmans
I think we're probably better off sticking to the API you're currently
using. I'm not convinced that a fluent interface for Acl would be natural.

Andi

> -----Original Message-----
> From: Darby Felton [mailto:[hidden email]]
> Sent: Friday, December 15, 2006 11:55 AM
> To: Ralph Schindler
> Cc: Zend Auth List
> Subject: Re: [fw-auth] new Zend_Acl
>
> Oh I forgot to mention that if we should get overwhelming
> desire from the user community to support such fluent
> interfaces, it should not be difficult to provide it.
>
> Thanks again for your support!
>
> Best regards,
> Darby
>
> Darby Felton wrote:
> > Hi Ralph,
> >
> > I think I'll go with "Resource" and "Role," since "Role" is shorter
> > and probably is not too confusing... though little is set
> in stone at
> > this point, I suspect.
> >
> > Indeed, the fluent interfaces as you show below are gone in
> this new
> > version. Though it looks nice to write:
> >
> > $acl->newsletter->pending->valid($aro->guest, 'view')
> >
> > I think it might not be best practice to dynamically code
> such queries.
> >
> > The above may now be written:
> >
> > $acl->isAllowed('guest', 'pending', 'view');
> $acl->isAllowed('guest',
> > 'newsletter/pending', 'view');
> >
> > Depending on how you want to identify your Resources (e.g., pending
> > newsletters).
> >
> > By the way, there is new documentation for Zend_Acl in the
> incubator
> > for this new version; please update your working copy or just visit:
> >
> > http://framework.zend.com/wiki/display/ZFDOC/Zend_Acl
> >
> > The sections are out of order here (i.e., Advanced Use is
> supposed to
> > be last), but this is a known issue for the wikification of the
> > docbook sources.
> >
> > Otherwise, it appears that the wiki version has been fixed since I
> > announced its previous outdated state. :)
> >
> > Best regards,
> > Darby
> >
> > Ralph Schindler wrote:
> >> After scanning the code, I understand what you are saying.
>  I am +1
> >> on "Resource" and "Requester".
> >>
> >> Other notes: are the fluent interfaces gone now?  I do not
> see magic
> >> methods to be able to do like the docs suggest:
> >>
> >> echo $acl->newsletter->pending->valid($aro->guest, 'view') ?
> >>      "allowed" : "denied"; // allowed
> >>
> >> as an example?
> >>
> >> -ralph
> >>
> >>
> >> Darby Felton wrote:
> >>> Ralph Schindler wrote:
> >>>> -1 on Target.  To me the api should read as close to english as
> >>>> possible.  For example, if you use words like requester
> and target,
> >>>> you then have to explain what relationship requesters
> have to targets.
> >>> Yes, I would prefer to think of it as a "Requester"
> requests access
> >>> to a "Resource." The Requester is the ARO, and the
> Resource is the ACO.
> >>>
> >>>> I prefer more natural words, even though its not a list in the
> >>>> technical sense, whats wrong with Zend_Acl_List?  To me,
> in the ACL
> >>>> world, without knowing much about ACL, I inherently
> understand how
> >>>> the List and the Requester might interact with one another.
> >>>>
> >>>> Another option simply could be stick closer to the words
> that make
> >>>> up the ACL (pattern):
> >>>> Zend_Acl_ControlList
> >>>> Zend_Acl_Accessor
> >>>>
> >>>> Together, you can jump to the conclusion, without knowing much
> >>>> about ACL, how they interrelate.
> >>> Hmm. I think that Zend_Acl is the access control list class, and
> >>> naming the ACO ControlList does little to say what it is - a
> >>> component to which access is managed by the ACL. An ACO
> represents
> >>> the "Resource" (or "access target") of the Requester.
> >>>
> >>> Best regards,
> >>> Darby
> >>
> >
>