I am currently working on an application suite based on ZF. The plan is to have core set of functions to provide ACL, Auth, Installation, and Template functions.

I am new to ACL, and have been trying to find the best way the handle creating a easy system to manage it. My idea is this. I will use a database to store roles, resources, permissions, and access rules. Once all the information is in the database, I will have a function to built and access list. This access list will then be cached. I hope the cache will make it so that I will not have to recreate the access list on every call to the suite. As far as updateing the cache, that will only need to be done when new information is added.

I am not sure if the is a viable concept. I was hoping to get some ideas on this concept. Be gentle, as I program as a hobby and sometimes I find the worst way to get something to work.

Regards,
Troy

That sounds like a good approach to me. Exactly the approach I am taking (probably why it sounds good). From reading the ZF Docs, that seems the logical way to go about it.

I can provide the code I am using to build the ACL from the database if you would like. It's not exactly refined as yet, but I think it works.

Though, it is the first time I've used the Zend ACL, so if anyone with any actual working experience has any input, I would also be interested to hear it.

[php]
class App_Acl extends Zend_Acl{

/**
* Construct
*
*/
public function __construct() {
$roles = new Roles();
$resources = new Resources();
$permissions = new Permissions();

// Handle roles
foreach ($roles->fetchAll() as $role) {
// Handle inherited roles
if ($role->parent_id) {
$this->addRole(new Zend_Acl_Role($role->name), new Zend_Acl_Role($role->findParentRow('Roles')->name));
} else {
$this->addRole(new Zend_Acl_Role($role->name));
}
}

// Handle resources
foreach ($resources->fetchAll() as $resource) {
// Handle inherited resources
if ($resource->parent_id) {
$this->add(new Zend_Acl_Resource($resource->name), new Zend_Acl_Resource($resource->findParentRow('Resources')->name));
} else {
$this->add(new Zend_Acl_Resource($resource->name));
}
}

// Handle permissions
foreach ($permissions->fetchAll() as $permission) {
if (strcasecmp($permission->access, 'allow') == 0) {
$this->allow($permission->findParentRow('Roles')->name, $permission->findParentRow('Resources')->name);
} else { // Deny by default
$this->deny($permission->findParentRow('Roles')->name, $permission->findParentRow('Resources')->name);
}
}

// Hard-coded acls
// Layout Controller
$this->add(new Zend_Acl_Resource('Default_Layout'));
$this->allow(null, 'Default_Layout');
$this->add(new Zend_Acl_Resource('Auth_Index'));
$this->allow(null, 'Auth_Index');
}
}
[/php]

__________________
Zym Framework - A Zend Framework extension library w/ demo app

SpotSec Blog:
http://spotsec.com/blog

Your code doesn't handle multiple parents and will throw an exception if a child row is processed before a parent row because the parent doesn't exist (haven't tested this but seems logical for me after taking a look at Zend_Acl_Role_Registry::add/get).

Here's an example setting up roles:

[PHP] class Roles extends Zend_Db_Table_Abstract
{
protected $_name = 'roles';
protected $_dependentTables = array('RolesParents');
}

class RolesParents extends Zend_Db_Table_Abstract
{
protected $_name = 'roles_parents';
protected $_referenceMap = array('Child' => array('columns' => 'name',
'refTableClass' => 'Roles',
'refColumns' => 'name'),
'Parent' => array('columns' => 'parent_name',
'refTableClass' => 'Roles',
'refColumns' => 'name'));
}

function addRole(&$acl, $role)
{
if (!$acl->hasRole($_role = new Zend_Acl_Role($role->name))) {
$parents = array();

foreach($role->findManyToManyRowset('Roles', 'RolesParents', 'Child', 'Parent') as $parent) {
$parents[] = addRole($acl, $parent);
}

$acl->addRole($_role, $parents);
}

return $_role;
}

$acl = new Zend_Acl();
$roles = new Roles();

foreach ($roles->fetchAll() as $role) {
addRole($acl, $role);
}[/PHP]

Should work. Tested it a bit.