Почетна Преглед Помоћ
Пријавите се
boarspring
/
repo_zf1
огледало од https://github.com/bluescreen/zf1-php7.2.git
2
0
Креирај огранак 1
Датотеке Дискусије 0 Вики
Дрво: d7261155b6
Гране Ознаке
repo_zf1
/
documentation
/
manual
/
en
/
module_specs
/
Zend_Acl-Refining.xml

Zend_Acl-Refining.xml 6.2 KB
Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185 
  1. <?xml version="1.0" encoding="UTF-8"?>
    2. 

  2. <!-- Reviewed: no -->
    3. 

  3. <sect1 id="zend.acl.refining">
    4. 

  4.     <title>Refining Access Controls</title>
    5. 

  5. 

  6.     <sect2 id="zend.acl.refining.precise">
    7. 

  7.         <title>Precise Access Controls</title>
    8. 

  8. 

  9.         <para>
    10. 

  10.             The basic <acronym>ACL</acronym> as defined in the
    11. 

  11.             <link linkend="zend.acl.introduction">previous section</link> shows how various
    12. 

  12.             privileges may be allowed upon the entire <acronym>ACL</acronym> (all resources). In
    13. 

  13.             practice, however, access controls tend to have exceptions and varying degrees of
    14. 

  14.             complexity. <classname>Zend_Acl</classname> allows to you accomplish these refinements
    15. 

  15.             in a straightforward and flexible manner.
    16. 

  16.         </para>
    17. 

  17. 

  18.         <para>
    19. 

  19.             For the example <acronym>CMS</acronym>, it has been determined that whilst the 'staff'
    20. 

  20.             group covers the needs of the vast majority of users, there is a need for a new
    21. 

  21.             'marketing' group that requires access to the newsletter and latest news in the
    22. 

  22.             <acronym>CMS</acronym>. The group is fairly self-sufficient and will have the ability
    23. 

  23.             to publish and archive both newsletters and the latest news.
    24. 

  24.         </para>
    25. 

  25. 

  26.         <para>
    27. 

  27.             In addition, it has also been requested that the 'staff' group be allowed to view news
    28. 

  28.             stories but not to revise the latest news. Finally, it should be impossible for anyone
    29. 

  29.             (administrators included) to archive any 'announcement' news stories since they only
    30. 

  30.             have a lifespan of 1-2 days.
    31. 

  31.         </para>
    32. 

  32. 

  33.         <para>
    34. 

  34.             First we revise the role registry to reflect these changes. We have determined that the
    35. 

  35.             'marketing' group has the same basic permissions as 'staff', so we define 'marketing'
    36. 

  36.             in such a way that it inherits permissions from 'staff':
    37. 

  37.         </para>
    38. 

  38. 

  39.         <programlisting language="php"><![CDATA[
    40. 

  40. // The new marketing group inherits permissions from staff
    41. 

  41. $acl->addRole(new Zend_Acl_Role('marketing'), 'staff');
    42. 

  42. ]]></programlisting>
    43. 

  43. 

  44.         <para>
    45. 

  45.             Next, note that the above access controls refer to specific resources (e.g.,
    46. 

  46.             "newsletter", "latest news", "announcement news"). Now we add these resources:
    47. 

  47.         </para>
    48. 

  48. 

  49.         <programlisting language="php"><![CDATA[
    50. 

  50. // Create Resources for the rules
    51. 

  51. 

  52. // newsletter
    53. 

  53. $acl->addResource(new Zend_Acl_Resource('newsletter'));
    54. 

  54. 

  55. // news
    56. 

  56. $acl->addResource(new Zend_Acl_Resource('news'));
    57. 

  57. 

  58. // latest news
    59. 

  59. $acl->addResource(new Zend_Acl_Resource('latest'), 'news');
    60. 

  60. 

  61. // announcement news
    62. 

  62. $acl->addResource(new Zend_Acl_Resource('announcement'), 'news');
    63. 

  63. ]]></programlisting>
    64. 

  64. 

  65.         <para>
    66. 

  66.             Then it is simply a matter of defining these more specific rules on the target areas of
    67. 

  67.             the <acronym>ACL</acronym>:
    68. 

  68.         </para>
    69. 

  69. 

  70.         <programlisting language="php"><![CDATA[
    71. 

  71. // Marketing must be able to publish and archive newsletters and the
    72. 

  72. // latest news
    73. 

  73. $acl->allow('marketing',
    74. 

  74.             array('newsletter', 'latest'),
    75. 

  75.             array('publish', 'archive'));
    76. 

  76. 

  77. // Staff (and marketing, by inheritance), are denied permission to
    78. 

  78. // revise the latest news
    79. 

  79. $acl->deny('staff', 'latest', 'revise');
    80. 

  80. 

  81. // Everyone (including administrators) are denied permission to
    82. 

  82. // archive news announcements
    83. 

  83. $acl->deny(null, 'announcement', 'archive');
    84. 

  84. ]]></programlisting>
    85. 

  85. 

  86.         <para>
    87. 

  87.             We can now query the <acronym>ACL</acronym> with respect to the latest changes:
    88. 

  88.         </para>
    89. 

  89. 

  90.         <programlisting language="php"><![CDATA[
    91. 

  91. echo $acl->isAllowed('staff', 'newsletter', 'publish') ?
    92. 

  92.      "allowed" : "denied";
    93. 

  93. // denied
    94. 

  94. 

  95. echo $acl->isAllowed('marketing', 'newsletter', 'publish') ?
    96. 

  96.      "allowed" : "denied";
    97. 

  97. // allowed
    98. 

  98. 

  99. echo $acl->isAllowed('staff', 'latest', 'publish') ?
    100. 

  100.      "allowed" : "denied";
    101. 

  101. // denied
    102. 

  102. 

  103. echo $acl->isAllowed('marketing', 'latest', 'publish') ?
    104. 

  104.      "allowed" : "denied";
    105. 

  105. // allowed
    106. 

  106. 

  107. echo $acl->isAllowed('marketing', 'latest', 'archive') ?
    108. 

  108.      "allowed" : "denied";
    109. 

  109. // allowed
    110. 

  110. 

  111. echo $acl->isAllowed('marketing', 'latest', 'revise') ?
    112. 

  112.      "allowed" : "denied";
    113. 

  113. // denied
    114. 

  114. 

  115. echo $acl->isAllowed('editor', 'announcement', 'archive') ?
    116. 

  116.      "allowed" : "denied";
    117. 

  117. // denied
    118. 

  118. 

  119. echo $acl->isAllowed('administrator', 'announcement', 'archive') ?
    120. 

  120.      "allowed" : "denied";
    121. 

  121. // denied
    122. 

  122. ]]></programlisting>
    123. 

  123.     </sect2>
    124. 

  124. 

  125.     <sect2 id="zend.acl.refining.removing">
    126. 

  126.         <title>Removing Access Controls</title>
    127. 

  127. 

  128.         <para>
    129. 

  129.             To remove one or more access rules from the <acronym>ACL</acronym>, simply use the
    130. 

  130.             available <methodname>removeAllow()</methodname> or
    131. 

  131.             <methodname>removeDeny()</methodname> methods. As with <methodname>allow()</methodname>
    132. 

  132.             and <methodname>deny()</methodname>, you may provide a <constant>NULL</constant> value
    133. 

  133.             to indicate application to all roles, resources, and/or privileges:
    134. 

  134.         </para>
    135. 

  135. 

  136.         <programlisting language="php"><![CDATA[
    137. 

  137. // Remove the denial of revising latest news to staff (and marketing,
    138. 

  138. // by inheritance)
    139. 

  139. $acl->removeDeny('staff', 'latest', 'revise');
    140. 

  140. 

  141. echo $acl->isAllowed('marketing', 'latest', 'revise') ?
    142. 

  142.      "allowed" : "denied";
    143. 

  143. // allowed
    144. 

  144. 

  145. // Remove the allowance of publishing and archiving newsletters to
    146. 

  146. // marketing
    147. 

  147. $acl->removeAllow('marketing',
    148. 

  148.                   'newsletter',
    149. 

  149.                   array('publish', 'archive'));
    150. 

  150. 

  151. echo $acl->isAllowed('marketing', 'newsletter', 'publish') ?
    152. 

  152.      "allowed" : "denied";
    153. 

  153. // denied
    154. 

  154. 

  155. echo $acl->isAllowed('marketing', 'newsletter', 'archive') ?
    156. 

  156.      "allowed" : "denied";
    157. 

  157. // denied
    158. 

  158. ]]></programlisting>
    159. 

  159. 

  160.         <para>
    161. 

  161.             Privileges may be modified incrementally as indicated above, but a
    162. 

  162.             <constant>NULL</constant> value for the privileges overrides such incremental changes:
    163. 

  163.         </para>
    164. 

  164. 

  165.         <programlisting language="php"><![CDATA[
    166. 

  166. // Allow marketing all permissions upon the latest news
    167. 

  167. $acl->allow('marketing', 'latest');
    168. 

  168. 

  169. echo $acl->isAllowed('marketing', 'latest', 'publish') ?
    170. 

  170.      "allowed" : "denied";
    171. 

  171. // allowed
    172. 

  172. 

  173. echo $acl->isAllowed('marketing', 'latest', 'archive') ?
    174. 

  174.      "allowed" : "denied";
    175. 

  175. // allowed
    176. 

  176. 

  177. echo $acl->isAllowed('marketing', 'latest', 'anything') ?
    178. 

  178.      "allowed" : "denied";
    179. 

  179. // allowed
    180. 

  180. ]]></programlisting>
    181. 

  181.     </sect2>
    182. 

  182. </sect1>
    183. 

  183. <!--
    184. 

  184. vim:se ts=4 sw=4 et:
    185. 

  185. -->
    186.