
Ok, so I have my ZF application with a user login system that directs the person to a restricted area if the credentials are in the database. However, I want the same login form to check if the user's role is admin (in the DB) and, if it is, direct them to the admin section... I am struggling to get my head round how to do this using Zend_Acl. Also, the only use for ACL is to allow users with the role admin into the admin section. I am fairly new to ZF so I am not sure what the best approach is. Here is my current code for the AuthController:

http://codepaste.net/6hzydv

Thanks

Rik89

2 Answers


You can create a controller plugin which will decide if a user has privileges to access controller/view based on his role. Something like:

class My_Controller_Plugin_Auth extends Zend_Controller_Plugin_Abstract
{
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $auth = Zend_Registry::getInstance()->get('auth');
        $acl = new Zend_Acl();

        // access resources (controllers)
        // usually there will be more access resources
        $acl->add(new Zend_Acl_Resource('index'));
        $acl->add(new Zend_Acl_Resource('error'));

        // access roles
        $acl->addRole(new Zend_Acl_Role('guest'));
        $acl->addRole(new Zend_Acl_Role('user'));
        $acl->addRole(new Zend_Acl_Role('administrator'));

        // access rules: which roles may enter which module
        switch ($request->getModuleName()) {
            case 'default': // for default module
                $acl->allow('guest');         // allow guests everywhere
                $acl->allow('user');          // allow users everywhere
                $acl->allow('administrator'); // allow administrators everywhere
                break;
            case 'member': // for member module
                $acl->allow('user');          // allow users everywhere
                $acl->allow('administrator'); // allow administrators everywhere
                break;
            case 'admin': // for admin module
                $acl->allow('administrator'); // allow administrators everywhere
                break;
            default: // any other module is not checked by this plugin
                return;
        }

        // only an approved identity gets its stored role; everyone else is a guest
        // (note the ==; a single = would assign 'approved' and always be true)
        $role = ($auth->getIdentity() && $auth->getIdentity()->status == 'approved')
            ? $auth->getIdentity()->role : 'guest';
        $controller = $request->getControllerName();
        $action = $request->getActionName();

        if (!$acl->isAllowed($role, $controller, $action)) {
            $redirector = Zend_Controller_Action_HelperBroker::getStaticHelper('Redirector');
            $redirector->gotoUrlAndExit('error/denied');
        }
    }
}

You can see a step-by-step tutorial here: http://blog.richardknop.com/2009/06/user-login-and-authentication-with-zend_auth-and-zend_acl/

Richard Knop
  • I have seen this blog post, but my knowledge of the framework is too little to understand where each file is going. I would need something with the view controllers as well and more in-depth explanations. – Rik89 Apr 10 '12 at 20:05
  • check out `Zend_Controller_Plugin_Acl` – Alex Apr 11 '12 at 04:12

Read docs on Zend Acl and understand how to give permissions and inherit them by user type. Then check out this fairly simple Zend tutorial on Zend Acl & MVC.

Basically you just have to do the following:

  1. set up ACL rules somewhere in your bootstrap
  2. create error/denied.phtml (or whatever ext you are using)
  3. let Zend_Controller_Plugin_Acl do the dirty work for you
Alex
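Both answers describe the same shape: an ACL built once in the bootstrap, a front-controller plugin that consults it before every action, and a denied page to land on. The script below is an added example written for this page; it is not code from the question, from either answer, or from the linked tutorial. It assumes Zend Framework 1 is on the include_path, and every name in it (My_Acl, My_Plugin_Acl, roleFromIdentity, landingUrlFor, the guest/user/admin roles, the default/member/admin modules and their controllers) is constructed. It goes a little beyond the answers in three places: roles inherit from each other so each grant is written once, an unregistered controller or an unknown role stored in the DB is treated as denied instead of letting Zend_Acl throw, and the post-login redirect by role that the question asks for is derived from the same ACL rather than from a second if/else.

```php
<?php
// Added example, not the question's or the answers' code. Assumes ZF1 on the
// include_path; module, controller and role names are constructed for illustration.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

class My_Acl extends Zend_Acl
{
    public function __construct()
    {
        // Roles: each inherits everything granted to its parent, so a rule is
        // written once at the lowest role that needs it.
        $this->addRole(new Zend_Acl_Role('guest'));
        $this->addRole(new Zend_Acl_Role('user'), 'guest');
        $this->addRole(new Zend_Acl_Role('admin'), 'user');

        // Resources: "module" as parent, "module:controller" as child, so one
        // rule on the module covers every controller registered under it.
        $layout = array('default' => array('index', 'auth', 'error'),
                        'member'  => array('index'),
                        'admin'   => array('index', 'users'));
        foreach ($layout as $module => $controllers) {
            $this->addResource(new Zend_Acl_Resource($module));
            foreach ($controllers as $controller) {
                $this->addResource(new Zend_Acl_Resource("$module:$controller"), $module);
            }
        }

        // Zend_Acl denies by default, so only the grants need listing. The
        // denied page (default:error) must stay reachable by guests or the
        // plugin below would bounce between denials.
        $this->allow('guest', 'default'); // public pages, including the login form
        $this->allow('user',  'member');  // restricted area (admin inherits this)
        $this->allow('admin', 'admin');   // admin section: admin role only
    }

    // Map whatever the DB stored on the identity to a role the ACL knows.
    // A missing or unknown role falls back to guest instead of throwing.
    public function roleFromIdentity($identity)
    {
        if (is_object($identity) && isset($identity->role) && $this->hasRole($identity->role)) {
            return $identity->role;
        }
        return 'guest';
    }

    // Destination right after a successful login: the question's "same form,
    // different section by role", decided by the ACL rules themselves.
    public function landingUrlFor($role)
    {
        if ($this->isAllowed($role, 'admin'))  { return '/admin'; }
        if ($this->isAllowed($role, 'member')) { return '/member'; }
        return '/';
    }
}

class My_Plugin_Acl extends Zend_Controller_Plugin_Abstract
{
    private $_acl;

    public function __construct(My_Acl $acl)
    {
        $this->_acl = $acl;
    }

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $role     = $this->_acl->roleFromIdentity(Zend_Auth::getInstance()->getIdentity());
        $resource = $request->getModuleName() . ':' . $request->getControllerName();

        // A controller nobody registered is an unknown resource: deny it rather
        // than let Zend_Acl throw. Rewriting the request (instead of redirecting)
        // keeps the original URL available to the error controller for logging.
        if (!$this->_acl->has($resource)
            || !$this->_acl->isAllowed($role, $resource, $request->getActionName())) {
            $request->setModuleName('default')
                    ->setControllerName('error')
                    ->setActionName('denied');
        }
    }
}

// Wiring in application/Bootstrap.php (shown as a comment so this file runs alone):
//     protected function _initAcl()
//     {
//         $acl = new My_Acl();
//         Zend_Registry::set('acl', $acl);
//         Zend_Controller_Front::getInstance()->registerPlugin(new My_Plugin_Acl($acl));
//     }

// Stand-alone check of the rules with constructed identities (php this_file.php).
$acl = new My_Acl();
$identities = array(
    'nobody'   => null,
    'member'   => (object) array('username' => 'alice',   'role' => 'user'),
    'admin'    => (object) array('username' => 'root',    'role' => 'admin'),
    'bad role' => (object) array('username' => 'mallory', 'role' => 'superuser'),
);
foreach ($identities as $label => $identity) {
    $role = $acl->roleFromIdentity($identity);
    printf("%-8s -> role %-5s member:index=%-5s admin:users=%-5s lands at %s\n",
        $label, $role,
        $acl->isAllowed($role, 'member:index') ? 'allow' : 'deny',
        $acl->isAllowed($role, 'admin:users')  ? 'allow' : 'deny',
        $acl->landingUrlFor($role));
}
```

Two design points worth keeping whichever tutorial you follow. First, build the ACL once (bootstrap) and pass it to the plugin, rather than rebuilding it in preDispatch on every request, so the rules live in one place and can be unit-tested without a dispatch. Second, validate the role that comes out of the database before handing it to isAllowed: Zend_Acl raises an exception for a role or resource it has never seen, and an exception on the deny path is a worse failure mode than a quiet fallback to guest.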