Dynamic roles and permissions

This morning I had to write a dynamic system of roles and permissions for an online store.
Since I could not find a series of articles on the Internet covering exactly this, I decided to write it myself.

So, let's start.

Database


Information about roles, resources and access rights is stored in the database. The database has the following structure:
acl_resources — the resources (module/controller pairs)
acl_roles — groups of users, i.e. the roles
acl_cross — the cross table matching roles to resources (the rows returned for a role also have to carry the permitted action, since the ACL code below reads $perm['action']):

id  role_id  res_id
1   1        1
2   1        2
3   1        3

* The role with id=1 has access to resources 1, 2 and 3.
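The article relies on a User model with getResources(), getRoles(), getRole() and getRoleResources() but never shows it. The following is an added example of such a model written with PDO; it is not the original article's code. It assumes the column names module and controller in acl_resources, name in acl_roles, and an extra action column in acl_cross (the table above lists only role_id and res_id, but the ACL class reads $perm['action'], so each granted row has to carry the action as well). The article calls new User() with no argument, so this version falls back to a connection stored in Zend_Registry under the assumed key 'db'.

```php
<?php
// Added example (not from the original article): a minimal User model that
// reads the three ACL tables with PDO. Column names beyond id/role_id/res_id
// are assumptions: acl_resources(module, controller), acl_roles(name),
// acl_cross(action). Every query with user-supplied input is a prepared
// statement, so a role id coming from the session never reaches the SQL text.
class User
{
    /** @var PDO */
    private $_db;

    public function __construct(PDO $db = null)
    {
        // assumption: the application stores its PDO connection in the registry as 'db'
        $this->_db = $db !== null ? $db : Zend_Registry::get('db');
        // make PDO throw on SQL errors rather than fail silently
        $this->_db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    /** All resources: one row per module/controller pair. */
    public function getResources()
    {
        $stmt = $this->_db->query('SELECT id, module, controller FROM acl_resources');
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    /** All roles. */
    public function getRoles()
    {
        $stmt = $this->_db->query('SELECT id, name FROM acl_roles');
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    /** One role by id, as an object with ->name (the plugin reads $role->name). */
    public function getRole($roleId)
    {
        $stmt = $this->_db->prepare('SELECT id, name FROM acl_roles WHERE id = :id');
        $stmt->execute(array(':id' => (int) $roleId));
        return $stmt->fetch(PDO::FETCH_OBJ);
    }

    /**
     * Resources granted to one role, joined with the module/controller names
     * and the action from acl_cross, so each row can be passed straight to
     * Zend_Acl::allow() as (role, module_controller, action).
     */
    public function getRoleResources($roleId)
    {
        $sql = 'SELECT r.module, r.controller, c.action
                  FROM acl_cross c
                  JOIN acl_resources r ON r.id = c.res_id
                 WHERE c.role_id = :role_id';
        $stmt = $this->_db->prepare($sql);
        $stmt->execute(array(':role_id' => (int) $roleId));
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}
```

The join in getRoleResources() is the part that matters: the ACL is only as good as the rows it is built from, so a row in acl_cross that points at a missing resource is simply dropped by the inner join rather than granting anything.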

ACL


In the ACL file we write code like this:
class Acl extends Zend_Acl
{
    public function __construct()
    {
        $model = new User();

        /**
         * Add the resources
         */
        // get the resources from the database
        $resources = $model->getResources();

        foreach ($resources as $mod) {
            $resourceId = $mod['module'] . '_' . $mod['controller'];
            // add the resource if it has not been added yet
            if (false == $this->has($resourceId)) {
                $this->add(new Zend_Acl_Resource($resourceId));
            }
        }

        /**
         * Add the user roles
         * and immediately grant them their permissions
         */
        // get the roles
        $roles = $model->getRoles();
        // for each role
        foreach ($roles as $role) {
            // register the role
            $this->addRole(new Zend_Acl_Role($role['name']));
            // get the resources available to this role
            $permissions = $model->getRoleResources($role['id']);
            // grant permissions on these resources
            foreach ($permissions as $perm) {
                $this->allow($role['name'],
                             $perm['module'] . '_' . $perm['controller'],
                             $perm['action']);
            }
        }
    }
}
Thus we walk the records from the database and, in effect, build the ACL. Zend_Acl denies everything by default, so only the rows in acl_cross grant access; anything not listed there is refused.

Plugin


Then we pass control to the plugin. The plugin checks access rights at the controller level, so that if, for example, an ordinary user has copied a moderator's link to the product delete action, the request is not let through. Note that the 'anon' role assigned below to visitors who are not logged in must itself exist in acl_roles, because the Acl class only registers the roles it reads from the database. Here is the sample code:

class Lord_Plugin_Acl extends Zend_Controller_Plugin_Abstract
{
    private $_acl = null;

    public function __construct(Zend_Acl $acl)
    {
        $this->_acl = $acl;
    }

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        // get the Zend_Layout object
        $layout = Zend_Layout::getMvcInstance();

        // get the view object
        $view = $layout->getView();

        $auth = Zend_Auth::getInstance();
        // if a user identity is stored in the session
        if ($auth->hasIdentity() == true) {
            // get the data for this user
            $user = $auth->getIdentity();
            $userModel = new User();
            $role = $userModel->getRole($user->role);
            $user->roleName = $role->name;
        } else {
            // anonymous visitor: an empty identity with the 'anon' role
            $user = new stdClass();
            $user->roleName = 'anon';
        }
        // put the variable into the view for display
        $view->user = $user;

        /*--------------------------------------------------------------*/

        $controller = $request->getControllerName();
        $module = $request->getModuleName();
        $action = $request->getActionName();

        // use the ACL that was passed to the constructor
        $acl = $this->_acl;
        $isAllow = $acl->isAllowed($user->roleName, $module . '_' . $controller, $action);

        if ($isAllow == false) {
            // not allowed: dispatch the login page instead of the requested action
            $request->setModuleName('user')
                    ->setControllerName('login')
                    ->setActionName('index');
        }

        $view->acl = $acl;

        /*--------------------------------------------------------------*/
    }
}

ViewHelper



Now we need to hide and show controls at the view level of the application. For this we write a helper that checks the access rights and decides whether a control is displayed:

class Lord_View_Helper_Acl
{
    public function acl($module = 'default',
                        $controller = 'index',
                        $action = 'index')
    {
        // get the Zend_Layout object
        $layout = Zend_Layout::getMvcInstance();

        // get the view object
        $view = $layout->getView();

        // the ACL and the current user were placed in the view by the plugin
        $acl = $view->acl;
        $isAllow = $acl->isAllowed($view->user->roleName, $module . '_' . $controller, $action);

        return $isAllow == true;
    }
}
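Two things the article leaves out are how the plugin gets registered and what happens when a request names a controller that has no row in acl_resources, or a visitor carries a role that is not in acl_roles: Zend_Acl::isAllowed() throws an exception in both cases rather than returning false. The following added example (not the article's code) shows a Zend Framework 1 bootstrap that builds the ACL once and hands the same instance to the plugin, plus a small guard class that turns both failure cases into a plain "no access" answer. The plugin and the view helper above would both call Lord_Acl_Guard::allowed() instead of isAllowed() directly. The class name Lord_Acl_Guard and the bootstrap method are assumptions; Acl and Lord_Plugin_Acl are the article's own classes.

```php
<?php
// Added example (not part of the original article). Requires Zend Framework 1
// on the include path and the Acl / Lord_Plugin_Acl classes from the article.

/**
 * Deny-by-default wrapper around Zend_Acl::isAllowed().
 *
 * isAllowed() throws Zend_Acl_Exception for an unregistered resource and
 * Zend_Acl_Role_Registry_Exception for an unregistered role. Treating both as
 * "not allowed" keeps an unexpected URL or a stale session from turning into an
 * error page, and keeps the decision the same as for any other unlisted access.
 */
class Lord_Acl_Guard
{
    public static function allowed(Zend_Acl $acl, $role, $resource, $action)
    {
        if (!$acl->hasRole($role) || !$acl->has($resource)) {
            return false;
        }
        return (bool) $acl->isAllowed($role, $resource, $action);
    }
}

/**
 * Application bootstrap: build the ACL from the database once per request and
 * register the plugin with the front controller. The return value is stored by
 * Zend_Application as the 'acl' bootstrap resource.
 */
class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    protected function _initAcl()
    {
        $this->bootstrap('frontController');
        $front = $this->getResource('frontController');

        $acl = new Acl();
        // the plugin's constructor takes the ACL, so it is never rebuilt per check
        $front->registerPlugin(new Lord_Plugin_Acl($acl));

        return $acl;
    }
}

// Example of the guard in use from the plugin or the helper (constructed call):
//   $ok = Lord_Acl_Guard::allowed($acl, $user->roleName, 'store_categories', 'add');
// A role or resource that was never registered yields false, not an exception.
```

Building the ACL in the bootstrap rather than inside the plugin also means the database is queried once per request instead of once in preDispatch and again in every view helper call.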

Once the helper is written, in the view script we use code like this to hide or show a control:

<?php if ($this->acl('store', 'categories', 'add') == true): ?>
<img src="<?= $this->imagesUrl ?>icons/icon_add.png"
     title="<?= $this->translate('store_category_primary_add'); ?>">
<?php endif; ?>

The result is a system in which rights can be assigned through a web interface to any group for any module/controller/action. Keep in mind that hiding a control in the view is only a convenience for the user; the real protection is the check in the plugin's preDispatch(), which runs for every request regardless of what the page shows.

Some code to download:
Database
ViewHelper
ACL
Article based on information from habrahabr.ru
