phpaclzend-acl

How to pass custom data to a Zend Acl custom Assertion


The Zend Acl docs show an example on using a custom assertion:

$acl->allow(null, null, null, new MyCustomAssertion());

The problem is that the above code is executed while creating the rules not while checking them. In my controller I can only do something like:

 $acl->isAllowed('someUser', 'someResource') 

Unlike Zend Rbac the assertion class is already instantiated and I cannot pass it a user ID and post ID to check if the user has access to that post in particular.

Is checking if a user has access to a post from a controller achievable (in a maintainable way) with Zend Acl?

Note 1: I'm not using the Zend framework for this, just the Zend Acl component. Note 2: The reason I'm not using Rbac is because I need the "deny" feature that Acl has and Rbac doesn't.


Solution

  • One way is to create your own implementation of a role and a resource:

    class MyCustomAssertion implements Zend\Permissions\Acl\Assertion\AssertionInterface
    {
        public function assert(Zend\Permissions\Acl\Acl $acl,
            Zend\Permissions\Acl\Role\RoleInterface $role = null,
            Zend\Permissions\Acl\Resource\ResourceInterface $resource = null,
            $privilege = null)
        {
            if(is_a($role, UserRole::class) && is_a($resource, PostResource::class)) {
                $post_id = $resource->getResourceId();
                $user_id = $role->getId();
                // find out if the user has access to this post id(eg with a database query)
                // return true or false.
                return true;
            }
    
            return true;
        }
    
    }
    
    class PostResource implements Zend\Permissions\Acl\Resource\ResourceInterface
    {
        private $post_id;
    
        public function __construct($post_id)
        {
            $this->post_id = $post_id;
        }
    
        public function getId()
        {
            return$this->post_id;
        }
        public function getResourceId()
        {
            return 'post';
        }
    }
    
    class UserRole implements Zend\Permissions\Acl\Role\RoleInterface
    {
    
        private $id;
    
        public function __construct($id)
        {
            $this->id = $id;
        }
    
        public function getId()
        {
            return $this->id;
        }
        public function getRoleId()
        {
            return 'user';
        }
    }
    
    
    use Zend\Permissions\Acl\Acl;
    use Zend\Permissions\Acl\Role\GenericRole as Role;
    use Zend\Permissions\Acl\Resource\GenericResource as Resource;
    
    $acl = new Acl();
    
    $acl->addRole(new Role('user'));
    
    $acl->addResource(new Resource('post'));
    
    $acl->allow(null, null, null, new MyCustomAssertion());
    
    // lets check if user with id 11 has access to post with id 5.
    $acl->isAllowed(new UserRole(11), new PostResource(5));
    

    Yes, this way you can add this check in a controller using the last line above.