
I use a simple ACL inspired by this video tutorial. The acl.global.php has a structure like

return [
    'acl' => [
        'roles' => [
            'guest' => null,
            'member' => 'guest',
            'admin' => 'member'
        ],
        'resources' => [
            'allow' => [
                'Application\Controller\Index' => ['all' => 'member'],
                'Application\Controller\Error' => ['all' => 'member'],
                'Item\Controller\Process' => [
                    'index' => 'member',
                    'create' => 'member',
                    'showItem' => 'member', // website.tld/item/:id
                    'showList' => 'member' // website.tld/list-items
                ]
            ]
        ],
        'redirect_route' => [
            'params' => [],
            'options' => ['name' => 'error403']
        ]
    ]
];

There is an Authorization\Acl\Acl class that extends Zend\Permissions\Acl\Acl and adds to it the functionality for setting up the object using the data from the config file above.

The third and last actor is the Authorization\Module class. There the ACL processing is added as a route event listener, and in this listener method, if (! $acl->isAllowed($role, $controller, $action)), the user gets a 403 HTTP status code and the corresponding view.

Now I additionally want to restrict the users' access to items (articles, orders, comments etc.). The user should only be able to see the detailed view of an item (showItemAction) if he is its owner/author. How can such logic be integrated into the ACL?

Wilt
automatix
  • You should read the documentation regarding ACL ['Assertions'](http://framework.zend.com/manual/current/en/modules/zend.permissions.acl.advanced.html#writing-conditional-acl-rules-with-assertions) as these offer you the ability to test if the role has access based on runtime criteria. – AlexP May 18 '16 at 09:40
  • I've read it, but I don't understand how to couple assertions with this "endpoint-driven" ACL logic. – automatix May 18 '16 at 09:41
  • @AlexP [This solution](http://stackoverflow.com/questions/37298894/how-to-build-an-acl-assertion-for-a-variable-value-in-zend-framework-2/37301924#37301924) works. But it's verbose and I'm not really happy with it. – automatix May 18 '16 at 14:05
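
The following is an added example of the assertion approach suggested in the comments; it is not code from the question, from the linked answer, or from Zend Framework itself. It assumes zendframework/zend-permissions-acl is installed via Composer, and the UserRole, ItemResource and OwnerAssertion classes, the 'item' resource id and the 'view' privilege are names chosen here for illustration. The point it demonstrates: the static config above cannot express an ownership rule, and the route listener cannot evaluate one either, because at route time no item has been loaded yet. So the controller-level rules stay as they are for the coarse route-time check, and a second, entity-level resource gets an assertion-guarded rule that showItemAction checks after loading the item, passing the logged-in user and the item as objects so the assertion sees their ids. The assertion fails closed whenever it is handed plain string role/resource without that context.

```php
<?php
// Added example (not from the question or from Zend Framework itself).
// Assumes zendframework/zend-permissions-acl is installed via Composer.
require 'vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Assertion\AssertionInterface;
use Zend\Permissions\Acl\Resource\ResourceInterface;
use Zend\Permissions\Acl\Role\RoleInterface;

// Hypothetical role object: the logged-in user, carrying its ACL role name and its user id.
// The role id must be one registered in the Acl ('guest', 'member', 'admin').
class UserRole implements RoleInterface
{
    private $roleId;
    private $userId;

    public function __construct($roleId, $userId)
    {
        $this->roleId = $roleId;
        $this->userId = $userId;
    }

    public function getRoleId()
    {
        return $this->roleId;
    }

    public function getUserId()
    {
        return $this->userId;
    }
}

// Hypothetical resource object: a loaded item (article, order, comment, ...) carrying its
// owner's id. All items share the ACL resource id 'item', so the rule is written once.
class ItemResource implements ResourceInterface
{
    private $ownerId;

    public function __construct($ownerId)
    {
        $this->ownerId = $ownerId;
    }

    public function getResourceId()
    {
        return 'item';
    }

    public function getOwnerId()
    {
        return $this->ownerId;
    }
}

// The assertion: allow only when the caller owns the item. Zend\Permissions\Acl passes the
// originally supplied role/resource objects here, so the ids are available. Fail closed when
// either side lacks ownership context (e.g. string role/resource from the route listener).
class OwnerAssertion implements AssertionInterface
{
    public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
    {
        if (!$role instanceof UserRole || !$resource instanceof ItemResource) {
            return false;
        }
        return $role->getUserId() === $resource->getOwnerId();
    }
}

function buildAcl()
{
    $acl = new Acl();
    // Same role hierarchy as acl.global.php.
    $acl->addRole('guest');
    $acl->addRole('member', 'guest');
    $acl->addRole('admin', 'member');

    // Controller-level resource: the coarse check the route listener already performs.
    $acl->addResource('Item\Controller\Process');
    $acl->allow('member', 'Item\Controller\Process', ['index', 'create', 'showItem', 'showList']);

    // Entity-level resource: the fine-grained check done inside showItemAction.
    $acl->addResource('item');
    $acl->allow('member', 'item', 'view', new OwnerAssertion());
    // A role's own rule is consulted before inherited ones, so this unconditional admin rule
    // wins over the assertion-guarded member rule: admins may view every item.
    $acl->allow('admin', 'item', 'view');
    return $acl;
}

$acl   = buildAcl();
$alice = new UserRole('member', 42);
$bob   = new UserRole('member', 7);
$root  = new UserRole('admin', 1);
$item  = new ItemResource(42); // constructed sample item, owned by Alice

// Route-time coarse check, unchanged from the question's listener.
var_dump($acl->isAllowed('member', 'Item\Controller\Process', 'showItem')); // bool(true)

// Controller-time fine-grained check, after the item has been loaded.
var_dump($acl->isAllowed($alice, $item, 'view'));    // bool(true): owner
var_dump($acl->isAllowed($bob, $item, 'view'));      // bool(false): not the owner
var_dump($acl->isAllowed($root, $item, 'view'));     // bool(true): admin rule has no assertion
var_dump($acl->isAllowed('member', 'item', 'view')); // bool(false): no ownership context
```

In showItemAction, the check would be `if (! $acl->isAllowed($currentUser, $item, 'view'))`, followed by the same 403 handling the route listener uses; a failed check must not reveal whether the item exists. Note that the default-deny of the assertion matters: if it returned true on missing context, any code path that forgot to pass the objects would silently grant access.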
