zend-framework - Zend_ACL 来宾角色覆盖管理员角色？

Question

我用三个角色创建了 Zend_ACL：' administrator，guest，* edito *r'。我希望访客在登录后无法访问 /album/index。管理员、编辑可以访问/album/index。所有人都可以访问所有其他页面。

我在帮助程序中使用 Acl.php 创建了下面的访问列表。

/library/My/Helper/Acl.php：

public function __construct() {

    $this->acl = new Zend_Acl();
}

public function setRoles() {

    $this->acl->addRole(new Zend_Acl_Role('guest'));
    $this->acl->addRole(new Zend_Acl_Role('editor'));
    $this->acl->addRole(new Zend_Acl_Role('administrator'));

}

public function setResource () {



    $this->acl->add(new Zend_Acl_Resource('album::index'));
    $this->acl->add(new Zend_Acl_Resource('album::add'));
    $this->acl->add(new Zend_Acl_Resource('album::edit'));
    $this->acl->add(new Zend_Acl_Resource('album::delete'));
    $this->acl->add(new Zend_Acl_Resource('auth::index'));
    $this->acl->add(new Zend_Acl_Resource('auth::logout'));
    $this->acl->add(new Zend_Acl_Resource('error::error'));

}

public function setPrivilages() {

    $allowEditorAdmin=array('administrator','editor');
    $allowAll=array('administrator','guest','editor');
    $this->acl->allow($allowEditorAdmin,'album::index');
    $this->acl->allow($allowAll,'album::add');
    $this->acl->allow($allowAll,'album::edit');
    $this->acl->allow($allowAll,'album::delete');
    $this->acl->allow($allowAll,'auth::index');
    $this->acl->allow($allowAll,'auth::logout');
    $this->acl->allow($allowAll,'error::error');

然后，我创建了一个插件Acl.php

public function preDispatch(Zend_Controller_Request_Abstract $request) {

    $acl1 = new My_Controller_Helper_Acl();

    $acl = Zend_Registry::get('acl');
    $userNs = new Zend_Session_Namespace('members');
    if($userNs->userType=='')
    {

        $roleName='guest';
    }
    else
        $roleName=$userNs->userType;


if(!$acl->isAllowed($roleName,$request->getControllerName()."::".$request->getActionname()))
            {

        echo $request->getControllerName()."::".$request->getActionName();
        $request->setControllerName('auth');
        $request->setActionName('index');
    }

    else
        echo "got authenticated";

}

• 问题是我的代码“允许”无法正常工作。'guest,editor,administrator' 认证成功后无法访问/album/index。他们重定向到 /auth/index

   if(!$acl->isAllowed($roleName,$request->getControllerName()."::".$request->getActionname()))
          {
  
      echo $request->getControllerName()."::".$request->getActionName();
      $request->setControllerName('auth');
      $request->setActionName('index');
  }
  
  else
      echo "got authenticated";       
  }
  

Answer 1

据我所知，您正在使用 2 个不同的 ACL 实例，并且从一开始就没有设置适当的 ACL。我可以分享一些我自己的代码，它几乎做同样的事情：

在 Bootstrap.php 中

    $this->_acl = new Model_AuthAcl();

    //Check for access rights
    $fc = Zend_Controller_Front::getInstance();
    $fc->registerPlugin(new App_Plugin_AccessCheck($this->_acl));

在App_Plugin_AccessCheck

class App_Plugin_AccessCheck extends Zend_Controller_Plugin_Abstract
{

    private $_acl = null;

    public function __construct(Zend_Acl $acl)
    {
        $this->_acl = $acl;
    }

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $module = $request->getModuleName();
        $resource = $request->getControllerName();
        $action = $request->getActionName();



        try {
            if (!$this->_acl->isAllowed(Zend_Registry::get('role'), $module . ':' . $resource, $action)) {

                $request->setControllerName('authentication')->setModuleName('default')
                    ->setActionName('login');
            }
        }
        catch (Exception $ex) {
            if (APPLICATION_ENV == "development") {
                var_dump($ex->getMessage());
            }
        }

    }

}

在Model_AuthAcl

class Model_AuthAcl extends Zend_Acl
{

    /**
     * Creates the resource, role trees
     */
    public function __construct ()
    {
        //Create roles
        $this->addRole(new Zend_Acl_Role('guest')); 
        $this->addRole(new Zend_Acl_Role('user'), 'guest'); 
        $this->addRole(new Zend_Acl_Role('admin'), 'user'); 


        //Create resources
        //Default module
        $this->addResource(new Zend_Acl_Resource('default'))
             ->addResource(new Zend_Acl_Resource('default:authentication'), 'default')
             ->addResource(new Zend_Acl_Resource('default:error'), 'default')

        //Admin module
             ->addResource(new Zend_Acl_Resource('admin'))
             ->addResource(new Zend_Acl_Resource('admin:index'), 'admin')





        //Guest permissions
        $this->deny('guest')
             ->allow('guest', 'default:authentication', array('index', 'login', 'logout', 'email', 'forgot'))
             ->allow('guest', 'default:error', array('error'))
             ->allow('guest', 'api:authentication', array('index', 'get', 'head', 'post', 'put', 'delete'))

            //Admin permissions
             ->deny('admin', 'admin:admins')

        ;
    }
}

可能不是最 OOP 的解决方案，打赌它肯定会奏效。

希望这可以帮助您设置梦想的 ACL :)