Creating fast, dynamic ACLs in Zend Framework (Zend Webinar)


DESCRIPTION

Slides from the Zend Webinar on 'Creating fast and dynamic ACLs in Zend Framework' (15 June 2011). Zend Framework's access control list component, Zend_Acl, is simple and straightforward; however, as the rules grow in number and complexity, maintenance and performance suffer. The solution: a dynamic, reflection-based ACL system with built-in caching. Sound complicated? Don't worry, it's easy to set up and a lot easier to manage! Join this webinar to learn how! Presenter: Wim Godden


Creating fast, dynamic ACLs in Zend Framework
Wim Godden, Cu.be Solutions

Who am I?

  • Wim Godden (@wimgtr)
  • Owner of Cu.be Solutions (http://cu.be)
  • PHP developer since 1997
  • Developer of OpenX
  • Zend Certified Engineer
  • Zend Framework Certified Engineer
  • MySQL Certified Developer

Talking about...

  • Authentication -> Zend_Auth
  • Auditing -> Zend_Log
  • Authorization -> Zend_Acl

Authorization

  • Wikipedia: "the function of specifying access rights to resources"

What's a resource?

  • Object (Article, Invoice, Document, ...)
  • Webpage
  • Database / table / row
  • ...

Standard ACL

  • Access to resources is defined in privileges
  • Privileges are grouped together in roles
  • 2 types of roles: Anonymous / Unknown and Registered / Known

Within Zend Framework: Zend_Acl

  • Flexible
  • Uses the standard role and resource principles

Zend_Acl: the good

  • Recognizable -> easy to get started
  • No link to a specific backend
  • Allow + deny
  • Proven, tested

Zend_Acl: the bad & ugly

  • Complexity of rules rises quickly
  • Performance issues
  • All rules are in-code -> maintainability becomes an issue

Evolution of a portal

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('member'), 'guest');   // member inherits guest's rules
$acl->addRole(new Zend_Acl_Role('admin'), 'member');   // admin inherits member's rules
$acl->addResource(new Zend_Acl_Resource('cms'));
$acl->addResource(new Zend_Acl_Resource('report'));
$acl->allow('guest', 'cms', 'view');
$acl->allow('admin', 'cms', 'edit');
$acl->deny('guest', 'report');      // no privilege given: all privileges on 'report'
$acl->allow('member', 'report');    // the child role's own rule overrides the inherited deny

Evolution of a portal

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('member'), 'guest');   // still required: admin is registered as a child of member
$acl->addRole(new Zend_Acl_Role('departmentA'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentB'), 'guest');
$acl->addRole(new Zend_Acl_Role('admin'), 'member');
$acl->addResource(new Zend_Acl_Resource('cms'));
$acl->addResource(new Zend_Acl_Resource('report'));
$acl->allow('guest', 'cms', 'view');
$acl->allow('admin', 'cms', 'edit');
$acl->deny('guest', 'report');
$acl->allow('departmentA', 'report');

Evolution of a portal

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('member'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentA'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentB'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentC_senior_staff'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentC_marketing'), 'guest');
$acl->addRole(new Zend_Acl_Role('admin'), 'member');
$acl->addResource(new Zend_Acl_Resource('cms'));
$acl->addResource(new Zend_Acl_Resource('report'));
$acl->addResource(new Zend_Acl_Resource('newsletter'));
$acl->addResource(new Zend_Acl_Resource('photo'));
$acl->addResource(new Zend_Acl_Resource('faq'));
$acl->allow('guest', 'cms', 'view');
$acl->allow('admin', 'cms', 'edit');
$acl->deny('guest', 'report');
$acl->allow('departmentA', 'report');
$acl->deny('departmentC_senior_staff', 'newsletter');
$acl->allow('departmentC_marketing', 'newsletter');
$acl->allow('member', 'photo', 'view');
$acl->allow('departmentC_marketing', 'photo', 'upload');
$acl->allow('admin', 'photo', 'delete');
$acl->allow('guest', 'faq', 'view');
$acl->allow('member', 'faq', 'comment');
$acl->allow('departmentA', 'faq', 'edit');
$acl->allow('departmentC_senior_staff', 'faq', 'edit');
$acl->allow('admin', 'faq', 'edit');

Evolution of a portal

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('member'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentA'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentB'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentC_senior_staff'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentC_marketing'), 'guest');
$acl->addRole(new Zend_Acl_Role('cook'), 'guest');
$acl->addRole(new Zend_Acl_Role('accounting'), 'guest');   // a role must be registered before a rule refers to it
$acl->addRole(new Zend_Acl_Role('admin'), 'member');
$acl->addResource(new Zend_Acl_Resource('cms'));
$acl->addResource(new Zend_Acl_Resource('report'));
$acl->addResource(new Zend_Acl_Resource('newsletter'));
$acl->addResource(new Zend_Acl_Resource('photo'));
$acl->addResource(new Zend_Acl_Resource('faq'));
$acl->addResource(new Zend_Acl_Resource('invoicing'));
$acl->addResource(new Zend_Acl_Resource('stats'));
$acl->addResource(new Zend_Acl_Resource('lunchmenu'));
$acl->allow('guest', 'cms', 'view');
$acl->allow('admin', 'cms', 'edit');
$acl->deny('guest', 'report');
$acl->allow('departmentA', 'report');
$acl->deny('departmentC_senior_staff', 'newsletter');
$acl->allow('departmentC_marketing', 'newsletter');
$acl->allow('member', 'photo', 'view');
$acl->allow('departmentC_marketing', 'photo', 'upload');
$acl->allow('admin', 'photo', 'delete');
$acl->allow('guest', 'faq', 'view');
$acl->allow('member', 'faq', 'comment');
$acl->allow('departmentA', 'faq', 'edit');
$acl->allow('departmentC_senior_staff', 'faq', 'edit');
$acl->allow('admin', 'faq', 'edit');
$acl->allow('cook', 'lunchmenu', 'edit');
$acl->allow('member', 'lunchmenu', 'view');
$acl->allow('accounting', 'invoicing', 'edit');
$acl->allow('admin', 'invoicing', 'edit');
$acl->allow('departmentC_senior_staff', 'invoicing', 'report');

Hard to ...

  • maintain all rules
  • keep track of the rules
  • debug the rules

Possible solution: database

  • Extend Zend_Acl to a database-driven design
  • Good: no code changes required when rules change
  • Bad: more load on the DB

A different approach

  • Not THE solution, merely A solution
  • Uses a database, but...
  • with an additional caching layer
  • ZF Conventional Modular Directory Structure
  • Backend interface for easy management

Different resources

  • Zend_Acl:

$acl->addResource(new Zend_Acl_Resource('cms'));
$acl->allow('guest', 'cms', 'view');
$acl->allow('admin', 'cms', 'edit');

  • Access to:
    • Controller: cms
    • Action: view / edit
  • Why not integrate with the request itself?

Controller plugins

Zend_Acl as a controller plugin
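The following puts the two ideas of the preceding slides together: an ACL loaded from database tables and kept in a cache ("A different approach"), and a front-controller plugin that maps the request's controller to a resource and its action to a privilege ("Zend_Acl as a controller plugin"). It is an added example written for this page, not the webinar's own code and not part of Zend Framework. The table and column names, the cache id, the `role` property on the Zend_Auth identity, the `Cube_Controller_Plugin_Acl` class name and the `error`/`forbidden` target are assumptions; it expects Zend Framework 1.x on the include path and pdo_sqlite for the constructed demo tables.

```php
<?php
// Added example, not code from the webinar or from Zend Framework itself.
// Assumptions: Zend Framework 1.x on the include path, pdo_sqlite for the
// constructed demo tables, the table/column names, the cache id, a 'role'
// property on the Zend_Auth identity, and an error/forbidden action that
// renders the 403 page.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

define('ACL_CACHE_ID', 'portal_acl');

/** Build a Zend_Acl from the (assumed) acl_role / acl_resource / acl_rule tables. */
function buildAclFromDb(Zend_Db_Adapter_Abstract $db)
{
    $acl = new Zend_Acl();
    // Read in insertion order so a parent is registered before roles inheriting from it.
    foreach ($db->fetchAll('SELECT name, parent FROM acl_role ORDER BY id') as $r) {
        $acl->addRole(new Zend_Acl_Role($r['name']), $r['parent']);
    }
    foreach ($db->fetchAll('SELECT name FROM acl_resource ORDER BY id') as $r) {
        $acl->addResource(new Zend_Acl_Resource($r['name']));
    }
    // NULL privilege = all privileges on the resource (as in Zend_Acl);
    // anything that is not explicitly 'allow' becomes a deny, so bad rows fail closed.
    foreach ($db->fetchAll('SELECT role, resource, privilege, type FROM acl_rule ORDER BY id') as $r) {
        if ($r['type'] === 'allow') {
            $acl->allow($r['role'], $r['resource'], $r['privilege']);
        } else {
            $acl->deny($r['role'], $r['resource'], $r['privilege']);
        }
    }
    return $acl;
}

/** Cached ACL: only a cache miss, or invalidateAcl() after an edit, touches the DB. */
function loadAcl(Zend_Db_Adapter_Abstract $db, Zend_Cache_Core $cache)
{
    $acl = $cache->load(ACL_CACHE_ID);
    if (!($acl instanceof Zend_Acl)) {
        $acl = buildAclFromDb($db);
        $cache->save($acl, ACL_CACHE_ID);   // stored serialized (automatic_serialization)
    }
    return $acl;
}

/** Call from the management backend after every role, resource or rule change. */
function invalidateAcl(Zend_Cache_Core $cache)
{
    $cache->remove(ACL_CACHE_ID);
}

class Cube_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
{
    private $_acl;

    public function __construct(Zend_Acl $acl)
    {
        $this->_acl = $acl;
    }

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $role     = 'guest';                         // nobody logged in
        $identity = Zend_Auth::getInstance()->getIdentity();
        if (is_object($identity) && isset($identity->role)) {
            $role = $identity->role;                 // assumed identity shape
        }
        $resource  = $request->getControllerName();  // e.g. 'cms'
        $privilege = $request->getActionName();      // e.g. 'view', 'edit'

        // Default deny. isAllowed() throws Zend_Acl_Exception for an unknown
        // resource, so an unregistered controller is refused via has() first.
        $allowed = $this->_acl->hasRole($role)
                && $this->_acl->has($resource)
                && $this->_acl->isAllowed($role, $resource, $privilege);
        if (!$allowed) {
            $this->getResponse()->setHttpResponseCode(403);
            $request->setControllerName('error')
                    ->setActionName('forbidden')
                    ->setDispatched(false);          // dispatch loop re-runs for the new target
        }
    }
}

// Constructed demo data (in-memory SQLite) standing in for the portal's real tables.
$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE acl_role (id INTEGER PRIMARY KEY, name TEXT, parent TEXT)');
$db->query('CREATE TABLE acl_resource (id INTEGER PRIMARY KEY, name TEXT)');
$db->query('CREATE TABLE acl_rule (id INTEGER PRIMARY KEY, role TEXT, resource TEXT, privilege TEXT, type TEXT)');
$db->insert('acl_role', array('name' => 'guest', 'parent' => null));
$db->insert('acl_role', array('name' => 'admin', 'parent' => 'guest'));
foreach (array('cms', 'report', 'error') as $name) {
    $db->insert('acl_resource', array('name' => $name));
}
$db->insert('acl_rule', array('role' => 'guest', 'resource' => 'cms',    'privilege' => 'view', 'type' => 'allow'));
$db->insert('acl_rule', array('role' => 'admin', 'resource' => 'cms',    'privilege' => 'edit', 'type' => 'allow'));
$db->insert('acl_rule', array('role' => 'guest', 'resource' => 'report', 'privilege' => null,   'type' => 'deny'));
$db->insert('acl_rule', array('role' => 'guest', 'resource' => 'error',  'privilege' => null,   'type' => 'allow'));

$cache = Zend_Cache::factory('Core', 'File',
    array('lifetime' => 3600, 'automatic_serialization' => true),
    array('cache_dir' => sys_get_temp_dir()));

Zend_Controller_Front::getInstance()
    ->registerPlugin(new Cube_Controller_Plugin_Acl(loadAcl($db, $cache)));
```

Three points matter in practice. The `error` resource is allowed for every role (guest, and so everything inheriting from it): after `setDispatched(false)` the front controller runs its dispatch loop again and calls `preDispatch()` for the rerouted request, so if the error controller were not allowed the request would be refused again and the loop would never terminate. The cache holds a serialized object that `load()` unserializes, so the cache directory must be writable only by the application user; a writable cache is an object-injection point. Finally, the mapping above ignores the module name; with the ZF conventional modular directory structure the slides mention, two modules can each have a `cms` controller, so in that layout the resource should be derived from the module and controller together (for instance `getModuleName() . '/' . getControllerName()`) rather than from the controller alone.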