Public Member Functions | Data Fields | Protected Member Functions | Protected Attributes

Zend_Acl Class Reference

Public Member Functions

 addRole ($role, $parents=null)
 getRole ($role)
 hasRole ($role)
 inheritsRole ($role, $inherit, $onlyParents=false)
 removeRole ($role)
 removeRoleAll ()
 addResource ($resource, $parent=null)
 add (Zend_Acl_Resource_Interface $resource, $parent=null)
 get ($resource)
 has ($resource)
 inherits ($resource, $inherit, $onlyParent=false)
 remove ($resource)
 removeAll ()
 allow ($roles=null, $resources=null, $privileges=null, Zend_Acl_Assert_Interface $assert=null)
 deny ($roles=null, $resources=null, $privileges=null, Zend_Acl_Assert_Interface $assert=null)
 removeAllow ($roles=null, $resources=null, $privileges=null)
 removeDeny ($roles=null, $resources=null, $privileges=null)
 setRule ($operation, $type, $roles=null, $resources=null, $privileges=null, Zend_Acl_Assert_Interface $assert=null)
 isAllowed ($role=null, $resource=null, $privilege=null)
 getRegisteredRoles ()

Data Fields

const TYPE_ALLOW = 'TYPE_ALLOW'
const TYPE_DENY = 'TYPE_DENY'
const OP_ADD = 'OP_ADD'
const OP_REMOVE = 'OP_REMOVE'

Protected Member Functions

 _getRoleRegistry ()
 _roleDFSAllPrivileges (Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource=null)
 _roleDFSVisitAllPrivileges (Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource=null, &$dfs=null)
 _roleDFSOnePrivilege (Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource=null, $privilege=null)
 _roleDFSVisitOnePrivilege (Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource=null, $privilege=null, &$dfs=null)
 _getRuleType (Zend_Acl_Resource_Interface $resource=null, Zend_Acl_Role_Interface $role=null, $privilege=null)
_getRules (Zend_Acl_Resource_Interface $resource=null, Zend_Acl_Role_Interface $role=null, $create=false)

Protected Attributes

 $_roleRegistry = null
 $_resources = array()
 $_isAllowedRole = null
 $_isAllowedResource = null
 $_rules

Detailed Description

Definition at line 47 of file Acl.php.


Member Function Documentation

_getRoleRegistry (  ) [protected]

Returns the Role registry for this ACL

If no Role registry has been created yet, a new default Role registry is created and returned.

Returns:
Zend_Acl_Role_Registry

Definition at line 811 of file Acl.php.

& _getRules ( Zend_Acl_Resource_Interface $  resource = null,
Zend_Acl_Role_Interface $  role = null,
create = false 
) [protected]

Returns the rules associated with a Resource and a Role, or null if no such rules exist

If either $resource or $role is null, this means that the rules returned are for all Resources or all Roles, respectively. Both can be null to return the default rule set for all Resources and all Roles.

If the $create parameter is true, then a rule set is first created and then returned to the caller.

Parameters:
Zend_Acl_Resource_Interface$resource
Zend_Acl_Role_Interface$role
boolean$create
Returns:
array|null

Definition at line 1065 of file Acl.php.

_getRuleType ( Zend_Acl_Resource_Interface $  resource = null,
Zend_Acl_Role_Interface $  role = null,
privilege = null 
) [protected]

Returns the rule type associated with the specified Resource, Role, and privilege combination.

If a rule does not exist or its attached assertion fails, which means that the rule is not applicable, then this method returns null. Otherwise, the rule type applies and is returned as either TYPE_ALLOW or TYPE_DENY.

If $resource or $role is null, then this means that the rule must apply to all Resources or Roles, respectively.

If $privilege is null, then the rule must apply to all privileges.

If all three parameters are null, then the default ACL rule type is returned, based on whether its assertion method passes.

Parameters:
Zend_Acl_Resource_Interface$resource
Zend_Acl_Role_Interface$role
string$privilege
Returns:
string|null

Definition at line 1009 of file Acl.php.

_roleDFSAllPrivileges ( Zend_Acl_Role_Interface $  role,
Zend_Acl_Resource_Interface $  resource = null 
) [protected]

Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule allowing/denying $role access to all privileges upon $resource

This method returns true if a rule is found and allows access. If a rule exists and denies access, then this method returns false. If no applicable rule is found, then this method returns null.

Parameters:
Zend_Acl_Role_Interface$role
Zend_Acl_Resource_Interface$resource
Returns:
boolean|null

Definition at line 830 of file Acl.php.

_roleDFSOnePrivilege ( Zend_Acl_Role_Interface $  role,
Zend_Acl_Resource_Interface $  resource = null,
privilege = null 
) [protected]

Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule allowing/denying $role access to a $privilege upon $resource

This method returns true if a rule is found and allows access. If a rule exists and denies access, then this method returns false. If no applicable rule is found, then this method returns null.

Parameters:
Zend_Acl_Role_Interface$role
Zend_Acl_Resource_Interface$resource
string$privilege
Returns:
boolean|null
Exceptions:
Zend_Acl_Exception

See also:
Zend_Acl_Exception

Definition at line 909 of file Acl.php.

_roleDFSVisitAllPrivileges ( Zend_Acl_Role_Interface $  role,
Zend_Acl_Resource_Interface $  resource = null,
&$  dfs = null 
) [protected]

Visits an $role in order to look for a rule allowing/denying $role access to all privileges upon $resource

This method returns true if a rule is found and allows access. If a rule exists and denies access, then this method returns false. If no applicable rule is found, then this method returns null.

This method is used by the internal depth-first search algorithm and may modify the DFS data structure.

Parameters:
Zend_Acl_Role_Interface$role
Zend_Acl_Resource_Interface$resource
array$dfs
Returns:
boolean|null
Exceptions:
Zend_Acl_Exception

See also:
Zend_Acl_Exception

Definition at line 866 of file Acl.php.

_roleDFSVisitOnePrivilege ( Zend_Acl_Role_Interface $  role,
Zend_Acl_Resource_Interface $  resource = null,
privilege = null,
&$  dfs = null 
) [protected]

Visits an $role in order to look for a rule allowing/denying $role access to a $privilege upon $resource

This method returns true if a rule is found and allows access. If a rule exists and denies access, then this method returns false. If no applicable rule is found, then this method returns null.

This method is used by the internal depth-first search algorithm and may modify the DFS data structure.

Parameters:
Zend_Acl_Role_Interface$role
Zend_Acl_Resource_Interface$resource
string$privilege
array$dfs
Returns:
boolean|null
Exceptions:
Zend_Acl_Exception

See also:
Zend_Acl_Exception
Zend_Acl_Exception

Definition at line 955 of file Acl.php.

add ( Zend_Acl_Resource_Interface $  resource,
parent = null 
)

Adds a Resource having an identifier unique to the ACL

The $parent parameter may be a reference to, or the string identifier for, the existing Resource from which the newly added Resource will inherit.

Deprecated:
in version 1.9.1 and will be available till 2.0. New code should use addResource() instead.
Parameters:
Zend_Acl_Resource_Interface$resource
Zend_Acl_Resource_Interface | string$parent
Exceptions:
Zend_Acl_Exception
Returns:
Zend_Acl Provides a fluent interface

Definition at line 323 of file Acl.php.

addResource ( resource,
parent = null 
)

Adds a Resource having an identifier unique to the ACL

The $parent parameter may be a reference to, or the string identifier for, the existing Resource from which the newly added Resource will inherit.

Parameters:
Zend_Acl_Resource_Interface | string$resource
Zend_Acl_Resource_Interface | string$parent
Exceptions:
Zend_Acl_Exception
Returns:
Zend_Acl Provides a fluent interface

Definition at line 266 of file Acl.php.

addRole ( role,
parents = null 
)

Adds a Role having an identifier unique to the registry

The $parents parameter may be a reference to, or the string identifier for, a Role existing in the registry, or $parents may be passed as an array of these - mixing string identifiers and objects is ok - to indicate the Roles from which the newly added Role will directly inherit.

In order to resolve potential ambiguities with conflicting rules inherited from different parents, the most recently added parent takes precedence over parents that were previously added. In other words, the first parent added will have the least priority, and the last parent added will have the highest priority.

Parameters:
Zend_Acl_Role_Interface$role
Zend_Acl_Role_Interface | string | array$parentsZend_Acl_Role_Registry::add()
Returns:
Zend_Acl Provides a fluent interface

Definition at line 131 of file Acl.php.

allow ( roles = null,
resources = null,
privileges = null,
Zend_Acl_Assert_Interface $  assert = null 
)

Adds an "allow" rule to the ACL

Parameters:
Zend_Acl_Role_Interface | string | array$roles
Zend_Acl_Resource_Interface | string | array$resources
string | array$privileges
Zend_Acl_Assert_Interface$assertZend_Acl::setRule()
Returns:
Zend_Acl Provides a fluent interface

Definition at line 486 of file Acl.php.

deny ( roles = null,
resources = null,
privileges = null,
Zend_Acl_Assert_Interface $  assert = null 
)

Adds a "deny" rule to the ACL

Parameters:
Zend_Acl_Role_Interface | string | array$roles
Zend_Acl_Resource_Interface | string | array$resources
string | array$privileges
Zend_Acl_Assert_Interface$assertZend_Acl::setRule()
Returns:
Zend_Acl Provides a fluent interface

Definition at line 501 of file Acl.php.

get ( resource )

Returns the identified Resource

The $resource parameter can either be a Resource or a Resource identifier.

Parameters:
Zend_Acl_Resource_Interface | string$resource
Exceptions:
Zend_Acl_Exception
Returns:
Zend_Acl_Resource_Interface

Definition at line 337 of file Acl.php.

getRegisteredRoles (  )
Returns:
array of registered roles

Definition at line 1114 of file Acl.php.

getRole ( role )

Returns the identified Role

The $role parameter can either be a Role or Role identifier.

Parameters:
Zend_Acl_Role_Interface | string$roleZend_Acl_Role_Registry::get()
Returns:
Zend_Acl_Role_Interface

Definition at line 157 of file Acl.php.

has ( resource )

Returns true if and only if the Resource exists in the ACL

The $resource parameter can either be a Resource or a Resource identifier.

Parameters:
Zend_Acl_Resource_Interface | string$resource
Returns:
boolean

Definition at line 361 of file Acl.php.

hasRole ( role )

Returns true if and only if the Role exists in the registry

The $role parameter can either be a Role or a Role identifier.

Parameters:
Zend_Acl_Role_Interface | string$roleZend_Acl_Role_Registry::has()
Returns:
boolean

Definition at line 171 of file Acl.php.

inherits ( resource,
inherit,
onlyParent = false 
)

Returns true if and only if $resource inherits from $inherit

Both parameters may be either a Resource or a Resource identifier. If $onlyParent is true, then $resource must inherit directly from $inherit in order to return true. By default, this method looks through the entire inheritance tree to determine whether $resource inherits from $inherit through its ancestor Resources.

Parameters:
Zend_Acl_Resource_Interface | string$resource
Zend_Acl_Resource_Interface | string$inherit
boolean$onlyParent
Exceptions:
Zend_Acl_Resource_Registry_Exception
Returns:
boolean

Definition at line 387 of file Acl.php.

inheritsRole ( role,
inherit,
onlyParents = false 
)

Returns true if and only if $role inherits from $inherit

Both parameters may be either a Role or a Role identifier. If $onlyParents is true, then $role must inherit directly from $inherit in order to return true. By default, this method looks through the entire inheritance DAG to determine whether $role inherits from $inherit through its ancestor Roles.

Parameters:
Zend_Acl_Role_Interface | string$role
Zend_Acl_Role_Interface | string$inherit
boolean$onlyParentsZend_Acl_Role_Registry::inherits()
Returns:
boolean

Definition at line 191 of file Acl.php.

isAllowed ( role = null,
resource = null,
privilege = null 
)

Returns true if and only if the Role has access to the Resource

The $role and $resource parameters may be references to, or the string identifiers for, an existing Resource and Role combination.

If either $role or $resource is null, then the query applies to all Roles or all Resources, respectively. Both may be null to query whether the ACL has a "blacklist" rule (allow everything to all). By default, Zend_Acl creates a "whitelist" rule (deny everything to all), and this method would return false unless this default has been overridden (i.e., by executing $acl->allow()).

If a $privilege is not provided, then this method returns false if and only if the Role is denied access to at least one privilege upon the Resource. In other words, this method returns true if and only if the Role is allowed all privileges on the Resource.

This method checks Role inheritance using a depth-first traversal of the Role registry. The highest priority parent (i.e., the parent most recently added) is checked first, and its respective parents are checked similarly before the lower-priority parents of the Role are checked.

Parameters:
Zend_Acl_Role_Interface | string$role
Zend_Acl_Resource_Interface | string$resource
string$privilegeZend_Acl::get() Zend_Acl_Role_Registry::get()
Returns:
boolean

Definition at line 734 of file Acl.php.

remove ( resource )

Removes a Resource and all of its children

The $resource parameter can either be a Resource or a Resource identifier.

Parameters:
Zend_Acl_Resource_Interface | string$resource
Exceptions:
Zend_Acl_Exception
Returns:
Zend_Acl Provides a fluent interface

Definition at line 426 of file Acl.php.

removeAll (  )

Removes all Resources

Returns:
Zend_Acl Provides a fluent interface

Definition at line 461 of file Acl.php.

removeAllow ( roles = null,
resources = null,
privileges = null 
)

Removes "allow" permissions from the ACL

Parameters:
Zend_Acl_Role_Interface | string | array$roles
Zend_Acl_Resource_Interface | string | array$resources
string | array$privilegesZend_Acl::setRule()
Returns:
Zend_Acl Provides a fluent interface

Definition at line 515 of file Acl.php.

removeDeny ( roles = null,
resources = null,
privileges = null 
)

Removes "deny" restrictions from the ACL

Parameters:
Zend_Acl_Role_Interface | string | array$roles
Zend_Acl_Resource_Interface | string | array$resources
string | array$privilegesZend_Acl::setRule()
Returns:
Zend_Acl Provides a fluent interface

Definition at line 529 of file Acl.php.

removeRole ( role )

Removes the Role from the registry

The $role parameter can either be a Role or a Role identifier.

Parameters:
Zend_Acl_Role_Interface | string$roleZend_Acl_Role_Registry::remove()
Returns:
Zend_Acl Provides a fluent interface

Definition at line 205 of file Acl.php.

removeRoleAll (  )

Removes all Roles from the registry

Zend_Acl_Role_Registry::removeAll()

Returns:
Zend_Acl Provides a fluent interface

Definition at line 239 of file Acl.php.

setRule ( operation,
type,
roles = null,
resources = null,
privileges = null,
Zend_Acl_Assert_Interface $  assert = null 
)

Performs operations on ACL rules

The $operation parameter may be either OP_ADD or OP_REMOVE, depending on whether the user wants to add or remove a rule, respectively:

OP_ADD specifics:

A rule is added that would allow one or more Roles access to [certain $privileges upon] the specified Resource(s).

OP_REMOVE specifics:

The rule is removed only in the context of the given Roles, Resources, and privileges. Existing rules to which the remove operation does not apply would remain in the ACL.

The $type parameter may be either TYPE_ALLOW or TYPE_DENY, depending on whether the rule is intended to allow or deny permission, respectively.

The $roles and $resources parameters may be references to, or the string identifiers for, existing Resources/Roles, or they may be passed as arrays of these - mixing string identifiers and objects is ok - to indicate the Resources and Roles to which the rule applies. If either $roles or $resources is null, then the rule applies to all Roles or all Resources, respectively. Both may be null in order to work with the default rule of the ACL.

The $privileges parameter may be used to further specify that the rule applies only to certain privileges upon the Resource(s) in question. This may be specified to be a single privilege with a string, and multiple privileges may be specified as an array of strings.

If $assert is provided, then its assert() method must return true in order for the rule to apply. If $assert is provided with $roles, $resources, and $privileges all equal to null, then a rule having a type of:

TYPE_ALLOW will imply a type of TYPE_DENY, and

TYPE_DENY will imply a type of TYPE_ALLOW

when the rule's assertion fails. This is because the ACL needs to provide expected behavior when an assertion upon the default ACL rule fails.

Parameters:
string$operation
string$type
Zend_Acl_Role_Interface | string | array$roles
Zend_Acl_Resource_Interface | string | array$resources
string | array$privileges
Zend_Acl_Assert_Interface$assert
Exceptions:
Zend_Acl_ExceptionZend_Acl_Role_Registry::get() Zend_Acl::get()
Returns:
Zend_Acl Provides a fluent interface

Definition at line 586 of file Acl.php.


Field Documentation

$_rules [protected]
Initial value:
 array(
        'allResources' => array(
            'allRoles' => array(
                'allPrivileges' => array(
                    'type'   => self::TYPE_DENY,
                    'assert' => null
                    ),
                'byPrivilegeId' => array()
                ),
            'byRoleId' => array()
            ),
        'byResourceId' => array()
        )

Definition at line 98 of file Acl.php.

const OP_ADD = 'OP_ADD'

Rule operation: add

Definition at line 62 of file Acl.php.

const OP_REMOVE = 'OP_REMOVE'

Rule operation: remove

Definition at line 67 of file Acl.php.

Rule type: allow

Definition at line 52 of file Acl.php.

const TYPE_DENY = 'TYPE_DENY'

Rule type: deny

Definition at line 57 of file Acl.php.


The documentation for this class was generated from the following file: