Structuring Zend_Acl and CRUD with Parent/Child Relationships

Question

I am wondering how should I structure my ACL for CRUD with Parent/Child Relations.

Eg. Projects have TodoLists. TodoLists have Todos

There are various controller actions for project

• /projects/add
• /projects/edit/{projId}
• /projects/delete/{projId}
• /todo-lists/add/{projId}
• /todo-lists/edit/{todoListId}
• ...

As you can see going down the hierarchy, some actions have ids that refer not to themselves (eg. todo-lists controller -> todo-list resource) but to their parent

So with with I have setup (generally), it looks like this

• ACL Controller Plugin (preDispatch)
  • Set role to loggedin user or 'unauthenticated'
  • Set resource to controller name
  • Set privilege to action name
  • if request param 'id' is set, get the actual entity (I am using Doctrine ORM) that implements Zend_Acl_Resource_Interface. Here is where the complication arises. I will usually get the resource from the controller name, but for eg. with /todo-lists/add I must know to get the parent entity instead (Project). With this setup, I will have to chage the privilege to to something like 'addTodoList'. This way, the project acl assertion class will have to TodoLists stuff. There will also be a disconnect between Controller Actions & ACL Logic. Is that ok?

Maybe I should have addTodoListAction in ProjectsController instead of TodoListsController? This will simplify my ACL code, I won't need to check and modify resource/privileges? I can just take these directly from the request params (Controller & Action names).

How do you setup ACL's like this?

Answer 1

use Zend_Acl_Assertion , create your assertion for projectid and todoId. At the time of giving permission do

$myAcl->allow($role,'projects','edits',new My_Project_Assertion());

and you cannot use action "addTodoListAction" because of captial letters (or define your own dispatcher) addtodolistAction wd work;