Zend_Acl with User Specific Permissions
There are many articles around explaining Zend_Acl and how to use it within a CMS-like system where generic roles apply - i.e. an admin can do anything, a guest can leave a comment and an author can write articles. But I was having a hard time figuring out how to elegantly enforce user-specific permissions in addition to generic permissions. For example, an author can save a new article, but can only update or delete an article that they “own”. I was trying to use assertions, but the role object in the assertion was turned into a generic Zend_Acl_Role object, even though I was using my own role object that implemented Zend_Acl_Role_Interface. Therefore, I couldn’t check the userId of the role in the assertion and was trying to pass responsibility back onto the object that was checking the ACL.
It looks like this has all been fixed in 1.9.1, and Ralph does a good job of explaining the details. I have yet to try the improvements, but I am looking forward to refactoring my code to use the new and improved assertions.
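A sketch of the ownership rule described above, written as an added example rather than code from this post or from the article it mentions. It assumes Zend Framework 1.9.1 or later on the include path; `AppUser`, `Article` and `OwnsArticleAssertion` are hypothetical names, and the user ids are constructed sample values.

```php
<?php
// Assumption: Zend Framework 1.9.1+ is on the include path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Assert/Interface.php';

// Hypothetical application role: carries the user id alongside the generic role id.
class AppUser implements Zend_Acl_Role_Interface
{
    public $userId;
    public $roleId;
    public function __construct($userId, $roleId) { $this->userId = $userId; $this->roleId = $roleId; }
    public function getRoleId() { return $this->roleId; }
}

// Hypothetical resource: every instance maps to the generic 'article' resource id.
class Article implements Zend_Acl_Resource_Interface
{
    public $ownerId;
    public function __construct($ownerId) { $this->ownerId = $ownerId; }
    public function getResourceId() { return 'article'; }
}

class OwnsArticleAssertion implements Zend_Acl_Assert_Interface
{
    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        // Fail closed: a string id or generic role object carries no ownership data.
        if (!$role instanceof AppUser || !$resource instanceof Article) {
            return false;
        }
        return $role->userId === $resource->ownerId;
    }
}

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('author'));
$acl->addRole(new Zend_Acl_Role('admin'));
$acl->addResource(new Zend_Acl_Resource('article'));
$acl->allow('admin');                                  // generic: admin can do anything
$acl->allow('author', 'article', 'save');              // generic: any author may create
$acl->allow('author', 'article', array('update', 'delete'), new OwnsArticleAssertion());

$alice = new AppUser(1, 'author');                     // constructed sample users
$bob   = new AppUser(2, 'author');
$post  = new Article(1);                               // owned by user id 1

var_dump($acl->isAllowed($alice, $post, 'update'));    // owner updating own article
var_dump($acl->isAllowed($bob, $post, 'update'));      // another author, same article
var_dump($acl->isAllowed($bob, $post, 'save'));        // generic rule, no assertion
var_dump($acl->isAllowed('author', 'article', 'delete')); // string ids: assertion fails closed
```

The `instanceof` guard is what keeps the rule safe when a caller passes plain string ids or a generic `Zend_Acl_Role`: with no owner to compare, the assertion denies instead of guessing.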