14.3. Controlling Access with ACLs and Asserts

Access Control Lists (ACLs) define resources, which are objects for which access is controlled, and privileges, which are actions that can be taken on a given resource. Once these are defined, roles are assigned privileges to control access. To determine whether a role has permission to access a resource/privilege, you query the ACL. ACLs are almost always defined by the module.ini configuration file.

14.3.1. Asserts

An assert helps with querying an ACL when the permission required to access a resource depends on additional factors, such as a resource that is only accessible during certain hours of the day. Asserts are rarely required. To define an assert, create a class that is named according to the privilege being checked. For asserts that validate a privilege to perform an action, precede the name with "Can", for example CanEdit or CanDelete. For asserts that test the current state, precede the name with "Is", for example IsOwner or IsThursday.

Assert classes must be located in the module folder, using the following structure:


Here is the skeleton of an assert CanFoo for the Bar module:

 * Assert description
 * @copyright   copyright info.
 * @license     license info.
 * @version     version info.
class Bar_Acl_Assert_CanFoo implements Zend_Acl_Assert_Interface
     * Checks if the active user can 'foo' the given content resource.
     * @param  Zend_Acl                    $acl         the acl instance
     * @param  Zend_Acl_Role_Interface     $role        the role to check access for
     * @param  Zend_Acl_Resource_Interface $resource    the resource
     * @param  string                      $privilege   the privilege
     * @return boolean  true if the given role can 'foo' the given resource,
     *                  false if not allowed
    public function assert(
        Zend_Acl $acl,
        Zend_Acl_Role_Interface $role = null,
        Zend_Acl_Resource_Interface $resource = null,
        $privilege = null)

For details, refer to the Zend Framework documentation.

Perforce Chronicle - Release: 2012.2/486814