Zend_Acl was designed in such a way that it does not require any particular backend technology such as a database or cache server for storage of the ACL data. Its complete PHP implementation enables customized administration tools to be built upon Zend_Acl with relative ease and flexibility. Many situations require some form of interactive maintenance of the ACL, and Zend_Acl provides methods for traversing the structure and for determining the access controls with respect to AROs or ACOs.
Storage of ACL data is therefore left as a task for the developer, since use cases are expected to vary widely for various situations. Because Zend_Acl is serializable, ACL objects may be serialized with PHP's serialize() function, and the results may be stored anywhere the developer should desire, such as a file, database, or caching mechanism.
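Because unserialize() rebuilds whatever the stored bytes describe, a serialized ACL kept in a file, database or cache should be verified before it is loaded. The following is an added example, not part of Zend_Acl or of the original documentation: the hypothetical helpers saveAcl() and loadAcl() store an HMAC-SHA256 tag with the serialized data and check it before unserializing. A plain array stands in for the ACL object, and the key handling shown is an assumption.

```php
<?php
// Added example: saveAcl() and loadAcl() are hypothetical helpers, not Zend_Acl API.

/** Serialize $acl and write it to $path, prefixed with an HMAC-SHA256 tag. */
function saveAcl($acl, string $path, string $key): void
{
    $payload = serialize($acl);
    $tag = hash_hmac('sha256', $payload, $key);   // 64 hex characters
    if (file_put_contents($path, $tag . $payload, LOCK_EX) === false) {
        throw new RuntimeException("Cannot write ACL to $path");
    }
}

/**
 * Read an ACL written by saveAcl(). The tag is verified before unserialize()
 * is called, so modified data is never unserialized.
 * $allowedClasses: array of class names the ACL object graph may contain,
 * or false to allow none (the allowed_classes option needs PHP 7+).
 */
function loadAcl(string $path, string $key, $allowedClasses)
{
    $blob = file_get_contents($path);
    if ($blob === false || strlen($blob) <= 64) {
        throw new RuntimeException("ACL file $path is missing or truncated");
    }
    $tag = substr($blob, 0, 64);
    $payload = substr($blob, 64);
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        throw new RuntimeException("ACL file $path failed its integrity check");
    }
    return unserialize($payload, ['allowed_classes' => $allowedClasses]);
}

// Constructed demo data: a plain array stands in for the Zend_Acl object.
$key  = random_bytes(32);   // assumption: in practice, loaded from protected configuration
$path = tempnam(sys_get_temp_dir(), 'acl');
$acl  = ['news' => ['allow' => ['staff', 'editor'], 'deny' => ['guest']]];

saveAcl($acl, $path, $key);
var_dump(loadAcl($path, $key, false) === $acl);

// Simulate modification of the stored file: loading must now be refused.
file_put_contents($path, str_replace('guest', 'staff', file_get_contents($path)));
try {
    loadAcl($path, $key, false);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
unlink($path);
```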
To retrieve an array of all child nodes of an ACO, you may simply iterate through the results of the getChildren() method. For each child object returned, you may also retrieve the 'allow' and 'deny' permissions as separate objects for inspection. These are returned as associative arrays, with the keys representing the defined AROs and the values containing an array of defined contexts:
    // Retrieve default ACL permissions from the root ACO
    foreach ($acl->getAllow() as $aro => $permissions) {
        echo "Allow: $aro = " . join(', ', $permissions) . "\n";
    }
    foreach ($acl->getDeny() as $aro => $permissions) {
        echo "Deny: $aro = " . join(', ', $permissions) . "\n";
    }

    // Retrieve all 1st-level children ACOs and list permissions specific to each child ACO
    echo "\n";
    foreach ($acl->getChildren() as $aco) {
        echo "Path: " . $aco->getPath() . "\n";
        foreach ($aco->getAllow() as $aro => $permissions) {
            echo "Allow: $aro = " . join(', ', $permissions) . "\n";
        }
        foreach ($aco->getDeny() as $aro => $permissions) {
            echo "Deny: $aro = " . join(', ', $permissions) . "\n";
        }
        echo "\n";
    }
You can also call getParent() to access each ACO's parent for traversing up to the root of the ACL.
You may also retrieve an inclusive subset of an ACL by calling the getValidAco() method upon an ARO. This method traverses the ACL starting from the provided ACO and returns a new Zend_Acl object. This feature limits the amount of data in the returned ACL to that which pertains to the ARO in question.
    // Fetch the ACL as it pertains to the marketing ARO from the root
    $aclMarketing = $aro->marketing->getValidAco($acl);

    // Same as above, but limiting the view to the newsletter and its descendants
    $aclMarketingNewsletter = $aro->marketing->getValidAco($acl->newsletter);
An array of ARO instances can also be returned for each ACO node in the ACL. The getValidAro() method available for ACOs returns a list of all AROs that have access to the ACO, whether through specific or inherited permissions. To limit the search to particular AROs, simply supply either a single ARO identifier or an array of ARO identifiers.
    // Returns array of 'staff', 'editor', 'marketing', and 'administrator'
    $aroList = $acl->news->getValidAro();

    // Returns array containing only 'staff'
    $aroList = $acl->news->getValidAro(array($aro->guest, $aro->staff));