Structuring Zend_Acl and CRUD with Parent/Child Relationships
24-10-2019
Question
I am wondering how I should structure my ACL for CRUD with parent/child relations.
E.g. Projects have TodoLists. TodoLists have Todos.
There are various controller actions for projects:
- /projects/add
- /projects/edit/{projId}
- /projects/delete/{projId}
- /todo-lists/add/{projId}
- /todo-lists/edit/{todoListId}
- ...
As you can see, going down the hierarchy, some actions have ids that refer not to themselves (e.g. todo-lists controller -> todo-list resource) but to their parent.
So with what I have set up (generally), it looks like this:
- ACL Controller Plugin (preDispatch)
- Set role to loggedin user or 'unauthenticated'
- Set resource to controller name
- Set privilege to action name
- if the request param 'id' is set, get the actual entity (I am using Doctrine ORM) that implements Zend_Acl_Resource_Interface
Here is where the complication arises. I will usually get the resource from the controller name, but for e.g. /todo-lists/add I must know to get the parent entity instead (Project). With this setup, I will have to change the privilege to something like 'addTodoList'. This way, the Project ACL assertion class will have to handle TodoLists stuff. There will also be a disconnect between controller actions and ACL logic. Is that ok?
Maybe I should have addTodoListAction in ProjectsController instead of TodoListsController? This would simplify my ACL code, since I wouldn't need to check and modify resources/privileges; I could just take these directly from the request params (controller and action names).
How do you setup ACL's like this?
Solution
Use Zend_Acl_Assertion: create your assertion for projectId and todoId. When granting the permission, do

```php
// Grant 'edit' on the 'projects' resource, but only when the assertion passes
// (e.g. the current role owns the Project object handed to isAllowed()).
$myAcl->allow($role, 'projects', 'edit', new My_Project_Assertion());
```

And you cannot use the action "addTodoListAction" because of the capital letters (or define your own dispatcher); addtodolistAction would work.
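Putting the answer and the question's preDispatch design together, here is an added, self-contained example (not code from the original question or answer). It assumes Zend Framework 1 is on the include_path; the User, Project and TodoList classes, the owner-based assertions and the resolveResourceAndPrivilege() mapping are hypothetical illustrations of the pattern. The key point it shows is that Zend_Acl hands the actual objects passed to isAllowed() through to the assertion, so a TodoList assertion can walk to its parent Project and reuse the project's ownership rule, and the ACL plugin can swap in the parent entity plus a distinct privilege for /todo-lists/add/{projId} without moving the action into ProjectsController.

```php
<?php
// Added example, not part of the original page. Assumes ZF1 on the include_path;
// entity classes, ownership logic and the request-to-resource mapping are hypothetical.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// A role object carrying the logged-in user's id, so assertions can compare owners.
class User implements Zend_Acl_Role_Interface
{
    public $id;
    public $roleId;
    public function __construct($id, $roleId) { $this->id = $id; $this->roleId = $roleId; }
    public function getRoleId() { return $this->roleId; }
}

// Entities double as ACL resources; the resource id is the type, not the row id.
class Project implements Zend_Acl_Resource_Interface
{
    public $id;
    public $ownerId;
    public function __construct($id, $ownerId) { $this->id = $id; $this->ownerId = $ownerId; }
    public function getResourceId() { return 'projects'; }
}

class TodoList implements Zend_Acl_Resource_Interface
{
    public $id;
    public $project;   // parent entity; ownership is inherited from it
    public function __construct($id, Project $project) { $this->id = $id; $this->project = $project; }
    public function getResourceId() { return 'todo-lists'; }
}

// One assertion per resource type. Zend_Acl passes the objects given to isAllowed(),
// so the assertion sees the concrete entity, not just the string resource id.
class My_Project_Assertion implements Zend_Acl_Assert_Interface
{
    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        return $role instanceof User && $resource instanceof Project
            && $resource->ownerId === $role->id;
    }
}

class My_TodoList_Assertion implements Zend_Acl_Assert_Interface
{
    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        // Delegate to the parent: a list is editable by whoever owns its project.
        return $role instanceof User && $resource instanceof TodoList
            && $resource->project->ownerId === $role->id;
    }
}

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('unauthenticated'));
$acl->addRole(new Zend_Acl_Role('member'), 'unauthenticated');
$acl->addResource(new Zend_Acl_Resource('projects'));
$acl->addResource(new Zend_Acl_Resource('todo-lists'));

// Creating a project needs no existing entity; everything else is owner-gated.
// 'addTodoList' lives on the Project resource because the id in the URL is the project's.
$acl->allow('member', 'projects', 'add');
$acl->allow('member', 'projects', array('edit', 'delete', 'addTodoList'), new My_Project_Assertion());
$acl->allow('member', 'todo-lists', array('edit', 'delete'), new My_TodoList_Assertion());

// What the preDispatch plugin would do: map (controller, action, loaded entity) to the
// resource that actually carries the permission. For /todo-lists/add/{projId} the
// loaded entity is the parent Project, and the privilege is renamed accordingly.
// Unknown entities fall back to the bare controller name as the resource.
function resolveResourceAndPrivilege($controller, $action, $entity)
{
    if ($controller === 'todo-lists' && $action === 'add') {
        return array($entity, 'addTodoList');
    }
    return array($entity === null ? $controller : $entity, $action);
}

// Constructed sample data standing in for what Doctrine would load by id.
$alice = new User(1, 'member');
$bob   = new User(2, 'member');
$proj  = new Project(10, $alice->id);
$list  = new TodoList(20, $proj);

list($res, $priv) = resolveResourceAndPrivilege('todo-lists', 'add', $proj);
var_dump($acl->isAllowed($alice, $res, $priv));   // Alice owns the project
var_dump($acl->isAllowed($bob, $res, $priv));     // Bob does not

list($res, $priv) = resolveResourceAndPrivilege('todo-lists', 'edit', $list);
var_dump($acl->isAllowed($bob, $res, $priv));     // ownership checked via parent project

var_dump($acl->isAllowed('unauthenticated', 'projects', 'add'));   // no rule granted
```

Two practical notes. First, Zend_Acl defaults to deny, so a failing assertion on a specific (role, resource, privilege) simply yields no matching allow rule; you do not need explicit deny() calls for non-owners. Second, the decision to load the parent entity for the add case must happen in the plugin before dispatch, using the id from the route, not inside the controller action; otherwise the action runs before the check and the ACL is only decorative.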