Hello World

Practical programming... and stuff...

Zend_Acl and storing roles and resources in a DB

Tuesday, May 8, 2007 12:44:56 PM

,

Yet more Zend Framework -related material.

I've talked with a few people about using Zend_Acl and how to best approach the issue of resources, roles and users.

It isn't immediately obvious how one should do this:
- Create roles and resources in code?
- Load them from a database?


Creating roles/resources in code

The first of the above two, creating roles and resources in code is probably the best approach when the site in question is small and there aren't many roles or they don't change often. It's few SQL queries less and the database relations are simpler.


We simply define the resources and roles in code. Then, to see if an user has access to a resource we just check his role. This can be done by simply saving the user's role in the user database table as text so it will be loaded with the users other info.


Loading roles/resources from a DB

This approach is slightly more complicated.

For this you should create a custom Acl class inheriting from Zend_Acl. Have its constructor load the details from the DB.

For the database structure, you need three tables
Users
id
login
password
role_id
Resources
id
name
role_id
Roles
id
name
inherit_id


In the users table you need to store the ID of the user's role and in resources table the ID of the role required to access it. The inherit_id column in roles table should store the ID of the role that role inherits from, if any.

Example code

Here's an example Acl class for using with a database.

class ResAcl extends Zend_Acl
{
        public function __construct($db)
        {
                $sql = 'SELECT id,
                               name,
                               role_id
                        FROM resources';

                $resources = $db->GetAll($sql);


                $sql = 'SELECT roles.id,
                               roles.name,
                               inherits.name AS inherit_name
                        FROM roles
                        LEFT JOIN roles AS inherits ON inherits.id = roles.inherit_id
                        ORDER BY roles.inherit_id ASC';

                $roles = $db->GetAll($sql);


                //Loop roles and put them in an assoc array by ID
                $roleArray = array();
                foreach($roles as $r)
                {
                        $role = new Zend_Acl_Role($r['name']);

                        //If inherit_name isn't null, have the role
                        //inherit from that, otherwise no inheriting
                        if($r['inherit_name'] !== null)
                                $this->addRole($role,$r['inherit_name']);
                        else
                                $this->addRole($role);

                        $roleArray[$r['id']] = $role;
                }

                foreach($resources as $r)
                {
                        $resource = new Zend_Acl_Resource($r['name']);

                        $role = $roleArray[$r['role_id']];

                        $this->add($resource);
                        $this->allow($role,$resource);
                }
        }
}

This class uses ADODB. I also wrote an example ADODB class for using with Zend_Auth which can be used to load users to use with this code with some minor modifications.

The name column in the roles table isn't absolutely necessary: You could refer to the roles in Acl by just their ID column too, but if you're writing an admin panel it's probably much nicer to present users with a clear text name for the role instead of some weird ID number thingy.

For loading the users' roles, you will have to JOIN the roles.name column by the role_id in the users table.

MVC pattern pros and consTwo soundcards = Excess?

Comments

Anonymous Wednesday, May 9, 2007 1:36:59 PM

Anonymous writes: Hi. Nice tut. my problem is that I have to set the security on data level. for example: Only admin can change the user data, but every one should bee able to change he´s own data. Or you can only delete your own article.. what is you suggestion? regards //Arro

Janizomg Wednesday, May 9, 2007 9:10:38 PM

You need a slightly expanded database for storing specific deny rights.

You could for example have an additional table with columns id, resource_id, role_id, mode. The mode field would store either "allow" or "deny". If you need more specific action based roles, you could add similar tables for actions as we had for resources in the article.


For more specialized access checks with assertions you'll probably have to add them in your Acl class yourself. For your issue this is probably the case.

Have a look at ZF Manual's ACL assertions page. It should be a good place to start. I might write about this later, too.

Anonymous Tuesday, June 19, 2007 10:24:11 AM

Nicu writes: With this DB structure you have a major problem. You can not use the roles with multiple inheritance. This might be a 'quick and dirty' implementation but not for real serious applications.

Anonymous Saturday, July 14, 2007 5:38:25 PM

Anonymous writes: Nicu,.. Do you have any suggestion for the DB structure?

Anonymous Wednesday, September 5, 2007 12:39:41 PM

Michael Ziegler writes: Hi, grabbing your idea I've coded a full-featured class from scratch that creates the ACL from any database for which a Zend_Db_Adapter exists :) My class supports multiple inheritance between roles, inheritance between resources, and storing deny rules in the dbase. It is freely available at: http://www.phpclasses.org/browse/package/4100.html Kind regards, Michael

Janizomg Wednesday, September 5, 2007 10:52:45 PM

Sounds great. I need to try it sometime. But ugh, why do I need to subscribe to download it?

Anonymous Wednesday, September 19, 2007 3:02:22 PM

Anonymous writes: although you've gotta register for phpclasses, it's actually a pretty damn good resource for PHP and classes related stuff...Quite lucky considering their URL.

Anonymous Sunday, April 20, 2008 4:44:58 PM

Troy writes: Great class from Michael Ziegler it only need one more thing. It needs to separate the group roles as in "Admin, User, Editor' and the user roles instate of adding each user to the acl_roles table. Then in the class he should only pull the acl_inheritance from the db that applies to the authenticated user at hand not all users.

Anonymous Monday, May 5, 2008 8:30:15 PM

madxray writes: @Troy Generalized groups make sense as most access is granted on group membership. But how would you manage user specific rights. For instance: *groups: guests, users, managers, admin *manager Adam is new, so he should not access the sensitive data (other managers are allowed) other example: users are not allowed to delete or modify entries, beside they are the owner/creator Ok, last example you could solve by checking if creator == editor but I think you understand the need of some finer granularity. My idea is to keep all roles in one table and make use of inheritance. Actually I'm thinking on some tree structure to make the inheritance search faster. "Trees in SQL" by Joe Celko is a candidate but in my opinion inserts and updates are hard to handle. Ideas welcome

Anonymous Wednesday, May 14, 2008 8:27:54 AM

Mike van Riel writes: Parent roles must be inserted before their clients are, this is defined by the Role Registry of Zend Acl. If this rule is not met, an exception is thrown and the role is not inserted into the Registry. If I look at your code you do no checking whether a parent already exists. That would mean that once you inherit a role from another which was added later, the application would end in an exception. I am still working out a way to solve this issue thus I cannot contribute the solution to this at current. (inserting a placeholder and later removing it and adding the real deal is not possible, it will decouple all inheritances which were related) Have fun!

Janizomg Wednesday, May 14, 2008 12:23:42 PM

The roles would need to be sorted before adding them to the zend_acl instance.

Anonymous Monday, September 8, 2008 2:06:58 PM

valugi writes: From what I see you are combining resources with a default permission which I think limits the effectiveness of the ACL system, for example when you are trying to deny some access somewhere.

Anonymous Wednesday, February 17, 2010 11:49:15 AM

saurabh writes: Great article. Implemented it, works perfectly fine. Previously I used to hard code the resources and access in ACl, but this makes the whole process lot cleaner, easier to understand and manage.

Anonymous Wednesday, February 24, 2010 4:50:09 AM

ÐнонÑмний writes: I would like to to say that an experienced essay writing service supposes to be a light on the path of persuasive term paper creating. Thence, students should use it anytime they need buy essay writing.

Anonymous Thursday, December 2, 2010 5:07:00 PM

Anonymous writes: What if one user has multiple roles? First member and admin Second admin Third Member Fourth Member and admin .....

Anonymous Friday, May 6, 2011 4:52:18 AM

Anonymous writes: When I originally commented I clicked the -Notify me when new comments are added- checkbox and now every time a remark is added I get 4 emails with the same comment. Is there any manner you can take away me from that service? Thanks! Sony Ericsson HBH-PV712 Bluetooth Headset

Anonymous Monday, May 9, 2011 11:20:57 PM

Anonymous writes: you might have a great blog right here! would you like to make some invite posts on my blog? Samsung WEP750 Bluetooth Headset

Anonymous Thursday, July 7, 2011 12:36:15 PM

Анонімний writes: I think that to get the credit loans from creditors you ought to present a great motivation. However, once I have got a bank loan, because I was willing to buy a house.

How to use Quote function:

  1. Select some text
  2. Click on the Quote link

Write a comment

Comment
(BBcode and HTML is turned off for anonymous user comments.)

If you can't read the words, press the small reload icon.


Smilies

Me

CodeUtopia blog

  • Zend Framework components as separate zips fro ...

    Did you ever want to use just a single component from Zend Framework, but couldn’t figure out which files you needed? Well, here’s a solution: Zend Framework packageizer script! Just pick the class you want, and you’ll get it and all its dependencies in a nice zip file for you ...

  • Making a PDF generator class using Zend_Pdf

    There are some expensive libraries that you can use to generate PDF files… but why bother with them, when there are good free alternatives like Zend_Pdf? In three steps, you can generate a fancy report: Create a PDF template Insert data to template with Zend_Pdf Profit $$$ Since this is ...

  • Let’s Rickroll MTV Europe Music Awards 2008!

    Okay so this is totally off the usual topics I guess, but this is too awesome to let it fail! Rick Astley has somehow managed to get into MTV Europe’s Music Awards 2008 gala in the category Best Act Ever. I suspect /b/ had something to do with this, but… I urge everyone to vote for R ...

  • Windows Remote Desktop + Live FolderShare = Ul ...

    I’m a frequent user of Windows’ remote desktop feature. It’s a stellar remote control solution: It’s incredibly fast, almost like sitting on the remote PC, and has features like bringing over the clipboard and even sounds from the controlled computer. Much better than VNC ...

  • Sharing authentication over multiple sites / S ...

    At The Group, we’re developing some web applications that needed to use the same user database. The applications were originally being developed with separate login for each, but I decided it would be better to share the login code across them. I investigated some ways to achieve sharing a ...