  #1 (permalink)  
Old 08-29-2008, 09:02 PM
Junior Member
 
Join Date: Aug 2008
Posts: 7
Restricting display of links to non-authorized pages in view scripts?

I managed to set up authentication through Zend_Auth and access control through Zend_Acl. This works without any problem. However, I'd like to take things one step further.

My view scripts sometimes display links to pages that are not accessible by the logged in user, because that user does not have the proper rights to view that page. Think of an "edit" link next to a blog article. If only the author of the article is allowed (via Zend_Acl) to edit the article, then it makes no sense to display the "edit" link to other users as well, as clicking on the link will only send them to a "not authorised" page.

Is there a convenient way of dealing with this problem? I'm sure it's a common request so I was hoping someone could help me with it.

Thanks in advance.
  #2 (permalink)  
Old 09-02-2008, 04:08 AM
Senior Member
 
Join Date: Jun 2008
Location: Florida
Posts: 108

Create a custom plugin class that creates these links, injecting your Zend_Acl object into that class so it can decide which functionality to provide to any given request.

Personally I like to keep as much access control outside the action controllers themselves. Such a plugin would allow you to do so.
  #3 (permalink)  
Old 09-02-2008, 10:26 AM
Junior Member
 
Join Date: Aug 2008
Posts: 7

That's interesting. Could you, in plain words, describe what the logic for that plugin would look like in your eyes? I think I don't fully get what you mean.

Here was my temporary and not-so-good solution: I thought of creating a view helper that checks whether a url is permitted to the user. If it is, then I can display whatever information in an IF clause in my view script.

It works but is kinda clumsy in my view script because of all the IF/ELSE clauses. Here's the code of my view helper:

PHP Code:
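<?php
class Zend_View_Helper_IsAllowedUrl extends Zend_View_Helper_Abstract
{
    // Returns true only if the logged-in user's role may access the given controller/action.
    public function isAllowedUrl(array $url)
    {
        if (Zend_Auth::getInstance()->hasIdentity()) {
            $role = Zend_Auth::getInstance()->getStorage()->read()->role;

            $acl = new Acl();

            if (!$acl->isAllowed($role, $url['controller'], $url['action'])) {
                return false;
            } else {
                return true;
            }
        }

        // No identity: deny explicitly instead of falling through and returning null.
        return false;
    }
}
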
Then in the view:

PHP Code:
(...)
<?php if ($this->isAllowedUrl(array('controller'=>'firmas','action'=>'add'))) { ?>
        <a href="<?php echo $this->url(array('controller'=>'firmas','action'=>'add')); ?>"><img class="additem" src="<?php echo $this->baseUrl(); ?>/img/add-item.png" alt="Add a new item" width="229" height="35" /></a>
<?php } ?>
(...)
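The suggestion in post #2 combined with the helper in post #3, as an added example that is not code from any poster in this thread: a link renderer that receives the ACL object and the role, and returns an empty string when access is denied, so the view script needs no IF/ELSE. `AclLink` and `ArrayAcl` are hypothetical names; `ArrayAcl` is a constructed stand-in exposing the same `isAllowed($role, $resource, $privilege)` call as Zend_Acl, and the `/controller/action` URL assumes the default route.

```php
<?php
// Added example. AclLink accepts any object with isAllowed($role, $resource,
// $privilege), the signature of Zend_Acl::isAllowed(), so a real Zend_Acl fits.
class AclLink
{
    private $acl;
    private $role;

    public function __construct($acl, $role)
    {
        $this->acl = $acl;
        // No identity maps to the least-privileged role, never to "allowed".
        $this->role = ($role === null || $role === '') ? 'guest' : $role;
    }

    // Returns the <a> element, or '' when the role may not reach the target.
    public function render($controller, $action, $label)
    {
        try {
            $ok = $this->acl->isAllowed($this->role, $controller, $action);
        } catch (Exception $e) {
            $ok = false; // unknown role or resource: fail closed
        }
        if ($ok !== true) {
            return '';
        }
        // Assumption: default /controller/action route.
        $href = '/' . rawurlencode($controller) . '/' . rawurlencode($action);
        return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
             . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
    }
}

// Constructed stand-in for Zend_Acl so the file runs without the framework.
class ArrayAcl
{
    private $rules;
    public function __construct(array $rules) { $this->rules = $rules; }
    public function isAllowed($role, $resource, $privilege)
    {
        if (!isset($this->rules[$role])) {
            throw new Exception("Role '$role' not found");
        }
        return in_array("$resource:$privilege", $this->rules[$role], true);
    }
}

$acl = new ArrayAcl(array('guest' => array(), 'editor' => array('firmas:add')));
foreach (array('editor', null, 'unknown') as $role) { // constructed sample roles
    $link = new AclLink($acl, $role);
    var_dump($link->render('firmas', 'add', 'Add a new item'));
}
```

Hiding the link only tidies the page; the Zend_Acl check on the request itself has to stay in place, because the URL is still reachable by typing it.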
  #4 (permalink)  
Old 10-15-2008, 01:04 AM
Junior Member
 
Join Date: Oct 2008
Posts: 1

**bump**

I'd like to know the right way to do this.
  #5 (permalink)  
Old 11-14-2008, 11:24 PM
Junior Member
 
Join Date: Jul 2008
Posts: 11

I'm looking for the same thing. Can you tell us how to do it?
  #6 (permalink)  
Old 11-15-2008, 02:01 PM
Junior Member
 
Join Date: Aug 2008
Posts: 7

I have posted the same question on the official Zend Framework mailing list and so far this came up: Nabble - Zend Framework - Restricting display of links to non-authorized pages in view scripts- how to?
It's basically the same kind of hack as the one provided in my message above.