I had a look at the Zend ACL last night but the documentation isn’t the best in the world.
Yep, they miss some important pieces. IMO they document the ACL well, but they don’t show complete examples using the session and database user/roles. However, for simple sites all you’d need is the username of the authenticated user from the session. See this line from the previous example:
$acl->addRole(new Zend_Acl_Role('someUser'), $parents);
‘someUser’ is assigned an array of roles in $parents.
How would you store the roles? You couldn’t have them being added every time a user visits a page.
Well, using the simplest setup, you’d have the roles/resources defined in one script (probably within a library) and added whenever a user visits a page that requires authorization. So you could add your custom ACL wrapper library to the constructor of every controller that requires authorization. Then in each controller, you’d only have to do your tests like:
if ($this->acl->isAllowed($_SESSION['username'], 'someResource')) {
    // do something
}
There’s no mention of how you’d store them in the database and then pull them. No mention of linking them to a user.
This is where the documentation doesn’t go far enough. If you have roles stored in the database you’d want something more than the example above provides.
In my database I’d have a user table and a user_role table. Of course the user table has username and password and that is used for authentication. Once the user is authenticated, I’d load that user’s role(s) from the user_role table into the session. Then you’d check the ACL using the user’s role from the session. Now, if a user has an array of roles in the session, of course you’d have to iterate over them. This could be automated in a method of your custom ACL library.
If you want to take it a step further and totally build your ACL from the database, there are some examples out there.
In the documentation they query the roles, but use the role names. Why would you want to do this? I’d want to query with the username to see if they have access. Why did I have to choose such a complicated application :(
See the example above where a username is treated like a role and it is assigned roles.
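The setup sketched across these replies (roles/resources defined once in a wrapper library, the user’s roles loaded from a user_role table into the session after authentication, and the username registered as a role whose parents are those roles) as one added Zend Framework 1 example. This is not code from the thread or from Zend; the class name My_Acl, the table and column names user_role.username / user_role.role, the session keys, and the role and resource names are all assumptions.

```php
<?php
// Added example (not from the thread): a small ACL wrapper for Zend Framework 1.
// Assumed: a user_role table with columns username and role, PHP sessions already
// started, and a Zend_Db adapter available after the password check succeeds.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

class My_Acl
{
    /** @var Zend_Acl */
    private $acl;

    public function __construct()
    {
        $this->acl = new Zend_Acl();

        // Roles and resources are defined here, in the library, not in the database.
        $this->acl->addRole(new Zend_Acl_Role('guest'));
        $this->acl->addRole(new Zend_Acl_Role('member'), 'guest');
        $this->acl->addRole(new Zend_Acl_Role('admin'), 'member');

        $this->acl->addResource(new Zend_Acl_Resource('article'));
        $this->acl->addResource(new Zend_Acl_Resource('admin_panel'));

        // Zend_Acl denies by default; grant each role only what it needs.
        $this->acl->allow('guest', 'article', 'view');
        $this->acl->allow('member', 'article', 'comment');
        $this->acl->allow('admin', 'article');      // all privileges on article
        $this->acl->allow('admin', 'admin_panel');
    }

    /**
     * Call once, right after authentication succeeds: fetch the user's roles
     * from user_role and keep them in the session so later requests do not
     * query the database again.
     */
    public function loadRolesIntoSession(Zend_Db_Adapter_Abstract $db, $username)
    {
        $rows = $db->fetchCol(
            'SELECT role FROM user_role WHERE username = ?',
            array($username)
        );
        // Keep only role names the ACL actually defines, so a stray or
        // mistyped database row cannot reference an unknown role.
        $roles = array();
        foreach ($rows as $role) {
            if ($this->acl->hasRole($role)) {
                $roles[] = $role;
            }
        }
        $_SESSION['username'] = $username;
        $_SESSION['roles']    = $roles;   // may be empty: such a user gets nothing
    }

    /**
     * On each request, register the session user as a role that inherits from
     * the roles stored in the session (the "username as role" pattern from the
     * thread) and return the role id to test with.
     */
    public function registerSessionUser()
    {
        if (empty($_SESSION['username'])) {
            return 'guest';
        }
        // Prefix the id so a username such as "admin" can never collide with,
        // and silently inherit, a built-in role of the same name.
        $roleId  = 'user:' . $_SESSION['username'];
        $parents = empty($_SESSION['roles']) ? null : $_SESSION['roles'];
        if (!$this->acl->hasRole($roleId)) {
            $this->acl->addRole(new Zend_Acl_Role($roleId), $parents);
        }
        return $roleId;
    }

    public function isAllowed($role, $resource, $privilege = null)
    {
        return $this->acl->isAllowed($role, $resource, $privilege);
    }

    /** Alternative without registering the user: iterate the session roles. */
    public function anyRoleAllowed(array $roles, $resource, $privilege = null)
    {
        foreach ($roles as $role) {
            if ($this->acl->hasRole($role)
                && $this->acl->isAllowed($role, $resource, $privilege)) {
                return true;
            }
        }
        return false;
    }
}

// In a controller constructor:
//   $this->acl = new My_Acl();
//   $who = $this->acl->registerSessionUser();
//   if ($this->acl->isAllowed($who, 'admin_panel')) { /* ... */ }
```

Because the roles are copied into the session at login, a role removed from user_role only takes effect the next time that user authenticates; if roles can be revoked while a session is live, either reload them from the database on each request or invalidate the affected sessions when the table changes.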