有人可以指导我典型的ACL实现示例。就像'admin'可以访问'admin'模块一样,'user'可以访问'user module',而guest可以访问'open'页面。
答案 0 :(得分:27)
我可以粘贴你的ACL。它由三个元素组成:acl.ini,ACL控制器插件(My_Controller_Plugin_Acl)和My_Acl类,以及USER表。但它不涉及模块,而是处理控制器和操作。不过它可能会给你一些关于ACL的一般概念。我对ACL的使用基于一本名为“Zend Framework in Action”的书。
USER表(特权字段用于ACL):
CREATE TABLE IF NOT EXISTS `USER` (
`user_id` INT UNSIGNED NOT NULL AUTO_INCREMENT ,
`email` VARCHAR(85) NOT NULL ,
`password` CHAR(32) NOT NULL,
`phone` VARCHAR(45) NULL ,
`phone_public` TINYINT(1) NULL DEFAULT 0 ,
`first_name` VARCHAR(45) NULL ,
`last_name` VARCHAR(45) NULL ,
`last_name_public` TINYINT(1) NULL DEFAULT 1 ,
`is_enabled` TINYINT(1) NOT NULL DEFAULT 1 ,
`created` TIMESTAMP NOT NULL,
`privilage` ENUM('BASIC','PREMIUM','ADMIN') NOT NULL DEFAULT 'BASIC' ,
PRIMARY KEY (`user_id`) ,
UNIQUE INDEX `email_UNIQUE` (`email` ASC) )
ENGINE = InnoDB;
acl.ini (我有四个权限,基本继承自来宾,高级继承表格基本和管理员保费):
; roles
acl.roles.guest = null
acl.roles.basic = guest
acl.roles.premium = basic
acl.roles.administrator = premium
; resources
acl.resources.deny.all.all = guest
acl.resources.allow.index.all = guest
acl.resources.allow.error.all = guest
acl.resources.allow.user.login = guest
acl.resources.allow.user.logout = guest
acl.resources.allow.user.create = guest
acl.resources.allow.user.index = basic
acl.resources.allow.user.success = basic
My_Acl类(根据ini文件创建ACL角色和资源):
class My_Acl extends Zend_Acl {
public function __construct() {
$aclConfig = Zend_Registry::get('acl');
$roles = $aclConfig->acl->roles;
$resources = $aclConfig->acl->resources;
$this->_addRoles($roles);
$this->_addResources($resources);
}
protected function _addRoles($roles) {
foreach ($roles as $name => $parents) {
if (!$this->hasRole($name)) {
if (empty($parents)) {
$parents = null;
} else {
$parents = explode(',', $parents);
}
$this->addRole(new Zend_Acl_Role($name), $parents);
}
}
}
protected function _addResources($resources) {
foreach ($resources as $permissions => $controllers) {
foreach ($controllers as $controller => $actions) {
if ($controller == 'all') {
$controller = null;
} else {
if (!$this->has($controller)) {
$this->add(new Zend_Acl_Resource($controller));
}
}
foreach ($actions as $action => $role) {
if ($action == 'all') {
$action = null;
}
if ($permissions == 'allow') {
$this->allow($role, $controller, $action);
}
if ($permissions == 'deny') {
$this->deny($role, $controller, $action);
}
}
}
}
}
}
<强> My_Controller_Plugin_Acl :
class My_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract {
/**
*
* @var Zend_Auth
*/
protected $_auth;
protected $_acl;
protected $_action;
protected $_controller;
protected $_currentRole;
public function __construct(Zend_Acl $acl, array $options = array()) {
$this->_auth = Zend_Auth::getInstance();
$this->_acl = $acl;
}
public function preDispatch(Zend_Controller_Request_Abstract $request) {
$this->_init($request);
// if the current user role is not allowed to do something
if (!$this->_acl->isAllowed($this->_currentRole, $this->_controller, $this->_action)) {
if ('guest' == $this->_currentRole) {
$request->setControllerName('user');
$request->setActionName('login');
} else {
$request->setControllerName('error');
$request->setActionName('noauth');
}
}
}
protected function _init($request) {
$this->_action = $request->getActionName();
$this->_controller = $request->getControllerName();
$this->_currentRole = $this->_getCurrentUserRole();
}
protected function _getCurrentUserRole() {
if ($this->_auth->hasIdentity()) {
$authData = $this->_auth->getIdentity();
$role = isset($authData->property->privilage)?strtolower($authData->property->privilage): 'guest';
} else {
$role = 'guest';
}
return $role;
}
}
最后是Bootstrap.php的一部分,其中所有内容都已初始化:
protected function _initLoadAclIni() {
$config = new Zend_Config_Ini(APPLICATION_PATH . '/configs/acl.ini');
Zend_Registry::set('acl', $config);
}
protected function _initAclControllerPlugin() {
$this->bootstrap('frontcontroller');
$this->bootstrap('loadAclIni');
$front = Zend_Controller_Front::getInstance();
$aclPlugin = new My_Controller_Plugin_Acl(new My_Acl());
$front->registerPlugin($aclPlugin);
}
答案 1 :(得分:4)
我有一个可能符合您需求的简单示例
class Dagho_Acl_Main extends Zend_Acl {
public function __construct() {
$anonymous = new Zend_Acl_Role("anonymous");
$customer = new Zend_Acl_Role("customer");
$admin = new Zend_Acl_Role("admin");
$anonymousResource = new Zend_Acl_Resource("acl");
$defaultResource = new Zend_Acl_Resource("default");
$customerResource = new Zend_Acl_Resource("user");
$adminResource = new Zend_Acl_Resource("manage");
$this->addRole($anonymous)
->addRole($customer)
->addRole($admin);
$this->addResource($anonymousResource)
->addResource($defaultResource)
->addResource($customerResource)
->addResource($adminResource);
$this->allow($anonymous, $anonymousResource);
$this->allow($anonymous, $defaultResource);
$this->deny($anonymous, $customerResource);
$this->deny($anonymous, $adminResource);
$this->allow($customer, $anonymousResource);
$this->allow($customer, $defaultResource);
$this->allow($customer, $customerResource);
$this->deny($customer, $adminResource);
$this->allow($admin, $defaultResource);
$this->allow($admin, $anonymousResource);
$this->allow($admin, $adminResource);
$this->deny($admin, $customerResource);
return $this ;
}
}
这是我的插件:
<?php
class Dagho_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract {
public function preDispatch(Zend_Controller_Request_Abstract $request) {
$module = $request->getModuleName();
$controller = $request->getControllerName();
$action = $request->getActionName();
$doctrineAuth = new Dagho_Auth_Doctrine();
$logged = $doctrineAuth->checklogin();
$identity = $doctrineAuth->getIdentity();
Zend_Registry::set("identity", $identity);
if ($logged && $identity["role"] !== "anonymous") {
/// user had an identity let's check the ACL
$acl = new Dagho_Acl_Main();
$isAllowed = $acl->isAllowed($identity["role"], $module);
if (!$isAllowed) {
return $request->setModuleName("acl")->setControllerName("index")
->setActionName("denied")->setDispatched(true);
} else {
/// user has identity and he is allowed to access it
return;
}
} elseif ($logged === false || ($logged && $identity["role"] === "anonymous" )) {
//// user not logged on > login.php or its his first visit
$identity = $doctrineAuth->getStorage()->write(array('name' => 'anonymous', 'role' => "anonymous",));
Zend_Registry::set("identity", $identity);
return $request->setModuleName("acl")->setControllerName("index")
->setActionName("login")->setDispatched(true);
} else {
return $request->setModuleName("acl")->setControllerName("index")
->setActionName("denied")->setDispatched(true);
}
parent::preDispatch($request);
}
}