By default, returning false in an assertion denies access even when the acl rules allow it. What I want to do is the other way round - i.e. return true in an assertion to allow access when the acl rules deny it.
For example:
class TestAssert implements Zend_Acl_Assert_Interface
{
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null,
$privilege = null)
{
return true;
}
}
$acl = new Zend_Acl;
$acl->addResource('page');
$acl->addRole('user');
$acl->allow('user', 'page', 'read', new TestAssert);
$acl->isAllowed('user', 'page', 'write');
The above isAllowed() will return false because the privilege I am asking about is not allowed in the acl rules, therefore it isn't getting as far as the assertion.
Is what I want possible?
The reason I want to do this is that a user may have certain privileges for all pages and then a different set of privileges for pages they have created - when querying for a privilege I want to be able to tell if the page is theirs and if it is, apply the rules for "own-page" rather than "page". Obviously in the real app, user and page objects are passed instead of strings.
UPDATE: I have managed to do what I want by subclassing Zend_Acl.
This class allows callbacks to be added for specific role and resource combinations. When isAllowed() is invoked, the callback, if it exists, is run. It is passed in the same parameters as an assertion (as well as the result of parent::isAllowed()). The return value of this callback is return from isAllowed(), unless it is null, in which case the normal return value is used.
class Acl extends Zend_Acl
{
protected $_callbacks = array();
/**
* Takes into account the callback to determine whether the role is allowed access
*
* @param Zend_Acl_Role_Interface $role
* @param Zend_Acl_Resource_Interface $resourc开发者_运维技巧e
* @param string $privilege
* @return bool
*/
public function isAllowed($role = null, $resource = null, $privilege = null)
{
$result = parent::isAllowed($role, $resource, $privilege);
$role = $this->getRole($role)->getRoleId();
$resource = $this->get($resource)->getResourceId();
if(isset($this->_callbacks[$role][$resource]))
{
$callbackResult = call_user_func($this->_callbacks[$role][$resource], $this, $role, $resource, $privilege, $result);
}
return isset($callbackResult) ? $callbackResult : $result;
}
/**
* Add a callback for a specific role and resource combination.
* If the callback returns a value, this is used as the return value for isAllowed().
* Otherwise, if the callback returns null, the normal result of isAllowed() will be used.
*
* @param Zend_Acl_Role_Interface $role
* @param Zend_Acl_Resource_Interface $resource
* @param callback $callback
*/
public function addCallback($role, $resource, $callback)
{
$role = $this->getRole($role)->getRoleId();
$resource = $this->get($resource)->getResourceId();
$this->_callbacks[$role][$resource] = $callback;
}
}
Usage:
$acl = new Acl;
$acl->addResource('page');
$acl->addRole('user');
$acl->addCallback('user', 'page', function($acl, $role, $resource, $privilege, $result)
{
return true;
});
$acl->allow('user', 'page', array('read'));
$acl->isAllowed('user', 'page', 'edit'); //returns true even though 'edit' is not allowed.
Sounds like you want something along the lines of:
class WriteAssert implements Zend_Acl_Assert_Interface
{
public function assert(Zend_Acl $acl,
Zend_Acl_Role_Interface $role = null,
Zend_Acl_Resource_Interface $resource = null,
$privilege = null)
{
// return whether the user owns the page
}
}
$acl = new Zend_Acl;
$acl->addResource('page');
$acl->addRole('user');
$acl->allow('user', 'page', 'read');
$acl->allow('user', 'page', 'write', new WriteAssert);
$acl->isAllowed('user', 'page', 'write');
Here you would expect the user to be able to read any page but only write to their own pages.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论