Implementing Zend_Acl


Post by beanoefc on Mon Jun 27, 2011 5:59 pm

Hey Guys,

I am working on a project which needs role privileges, for example:
    *Guest
    *Customer
    *Admin

I have done the usual searches on the internet and forums. These are several of the articles I have found:

I understand Zend_Acl; when I look at these articles and inspect the code I understand what is going on. What I don't understand is where to put the code =S I am just perplexed about how difficult it has been for me to get a simple example up and running. Please could someone provide me with some directions about where to put what code?

Much appreciated,
Regards,
-Ben
beanoefc
 
Posts: 43
Joined: Wed Jun 23, 2010 9:05 pm

Re: Implementing Zend_Acl

Post by beanoefc on Tue Jun 28, 2011 9:55 am

27 views and no replies either means no one knows the answer or I have asked a stupid question. I am sensing that it's the latter.

I have found this post on Stack Overflow http://stackoverflow.com/questions/2046608/practical-zend-acl-zend-auth-implementation-and-best-practices but again, I don't know where to put these files.

Please can someone help me?

Regards,
-Ben

Re: Implementing Zend_Acl

Post by beanoefc on Tue Jun 28, 2011 5:29 pm

Hey tedtiger,

Thank you very much, exactly the direction I needed =)

I have implemented the login process by having the login form on auth/login and the login logic on auth/authenticate. I noticed that you did your login logic in AccessControl.php. Is this correct? If so, is this a better approach? And how did you have your login form forward to AccessControl.php to do the login?

Also, what is the purpose of the AuthAdapter.php? I cannot see where it fits in.

Other than these questions you have helped me out no end =)

Regards,
-Ben

Re: Implementing Zend_Acl

Post by beanoefc on Tue Jun 28, 2011 9:53 pm

Sorry to pester, I have another question.

I have allowed specific actions, for example auth/login, auth/logout and auth/authenticate; this will be necessary in my application. What I have found is Zend_Acl denies all privileges by default. This is great, except when the user has directed to a non-existent URL. For example, auth/doesnotexist, instead of directing to error/error it will direct to error/noaccess. Do you know a workaround for this? I am a bit confused.

Regards,
-Ben

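Added example, not part of the thread and not the poster's code: a framework-free PHP model of the decision order asked about above, where the target's existence is checked before the deny-by-default ACL so that auth/doesnotexist reaches error/error instead of error/noaccess. The route map, role hierarchy, rule table and function names are all constructed for illustration.

```php
<?php
// Constructed data: which controller/action pairs exist in the application.
const ROUTES = [
    'index' => ['index'],
    'auth'  => ['login', 'logout', 'authenticate'],
    'admin' => ['index'],
    'error' => ['error', 'noaccess'],
];
// Constructed role hierarchy: each role inherits from its parent.
const PARENTS = ['guest' => null, 'customer' => 'guest', 'admin' => 'customer'];
// Constructed allow rules: role => controller => allowed actions.
const ALLOW = [
    'guest'    => ['index' => ['index'], 'auth' => ['login', 'authenticate']],
    'customer' => ['auth' => ['logout']],
    'admin'    => ['admin' => ['index']],
];

// Deny by default: only an explicit rule on the role or an ancestor allows.
function isAllowed(string $role, string $controller, string $action): bool
{
    for ($r = $role; $r !== null; $r = PARENTS[$r] ?? null) {
        if (in_array($action, ALLOW[$r][$controller] ?? [], true)) {
            return true;
        }
    }
    return false;
}

// Returns the controller/action the request ends up at ($role null = no identity).
function resolve(?string $role, string $controller, string $action): string
{
    // 1. Unknown target: hand it to the 404 handler, whatever the role.
    if (!in_array($action, ROUTES[$controller] ?? [], true)) {
        return 'error/error';
    }
    // 2. Known target: apply the ACL; visitors without identity get the login form.
    if (!isAllowed($role ?? 'guest', $controller, $action)) {
        return $role === null ? 'auth/login' : 'error/noaccess';
    }
    return "$controller/$action";
}

foreach ([[null, 'auth', 'doesnotexist'], [null, 'admin', 'index'],
          ['customer', 'admin', 'index'], ['admin', 'admin', 'index']] as [$r, $c, $a]) {
    printf("%-8s %s/%s -> %s\n", $r ?? 'guest', $c, $a, resolve($r, $c, $a));
}
```
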
Re: Implementing Zend_Acl

Post by beanoefc on Wed Jun 29, 2011 10:56 am

Hey Thorsten,

Thank you very much for this, you're right, this is a much better approach for a login.

Please could you explain to me, in routeStartup(), how I can access the $message/$this->_message variable from in the auth/login controller and view?

Thanks for your time,
Regards,
-Ben

Re: Implementing Zend_Acl

Post by beanoefc on Wed Jun 29, 2011 11:31 am

Hmmm no joy

This is what I have. I have tinkered with a few things but it is essentially the same:
AccessControl.php
Code:
<?php
class Application_Plugin_Auth_AccessControl extends Zend_Controller_Plugin_Abstract
{
   private $_auth;
   private $_acl;
   private $_message;

   public function __construct(Zend_Auth $auth, Zend_Acl $acl)
   {
      $this->_auth = $auth;
      $this->_acl = $acl;
   }

   // Runs before routing: handles a submitted login form for a visitor without an identity.
   public function routeStartup(Zend_Controller_Request_Abstract $request)
   {
      if (! $this->_auth->hasIdentity() && null !== $request->getPost('login_email') && null !== $request->getPost('login_password')) {

         $filter = new Zend_Filter_StripTags();
         $username = $filter->filter($request->getPost('login_email'));
         $password = $filter->filter($request->getPost('login_password'));
         if (empty($username)) {
            $message = 'Please enter username.';
         } elseif (empty($password)) {
            $message = 'Please enter password.';
         } else {
            $authAdapter = new Application_Plugin_Auth_AuthAdapter();
            $authAdapter->setIdentity($username);
            $authAdapter->setCredential($password);
            $ozf_AuthResult = $this->_auth->authenticate($authAdapter);
            switch ($ozf_AuthResult->getCode()) {
               case Zend_Auth_Result::SUCCESS :
                  $storage = $this->_auth->getStorage();
                  // save credentials to session but suppress password
                  $obj_authResult = $authAdapter->getResultRowObject(null, 'password');
                  $storage->write($obj_authResult);
                  Zend_Registry::set("userauth", Array("user_id" => $obj_authResult->user_id, "email" => $obj_authResult->email, "role" => $obj_authResult->role));
                  break;
               case Zend_Auth_Result::FAILURE :
                  $message = "Unknown Error." . nl2br(print_r($ozf_AuthResult->getMessages(), true));
                  break;
               case Zend_Auth_Result::FAILURE_IDENTITY_AMBIGUOUS :
                  $message = "Username ambigous.";
                  break;
               // same message for both cases, so the response does not reveal which field was wrong
               case Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND :
               case Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID :
                  $message = "Username and/or password invalid.";
                  break;
               case Zend_Auth_Result::FAILURE_UNCATEGORIZED :
                  $message = "Uncategorized error.<br>" . nl2br(print_r($ozf_AuthResult->getMessages(), true));
                  break;
               default :
                  $message = "Unknown error." . nl2br(print_r($ozf_AuthResult->getMessages(), true));
                  break;
            }
         }

         if (isset($message)) {
            $this->_message = $message;
         } else {
            $this->_message = "";
         }
      }
   }

   // Runs before each dispatch: maps controller => resource, action => privilege and checks the ACL.
   public function preDispatch(Zend_Controller_Request_Abstract $request)
   {
      if ($this->_auth->hasIdentity() && is_object($this->_auth->getIdentity())) {
         $role = $this->_auth->getIdentity()->role;
         Zend_Registry::set("userauth", Array("user_id" => $this->_auth->getIdentity()->user_id, "email" => $this->_auth->getIdentity()->email, "role" => $this->_auth->getIdentity()->role));
      } else {
         // no identity: fall back to the guest role
         $role = 'guest';
         Zend_Registry::set("userauth", Array("user_id" => 0, "email" => 'GuestEmail', "role" => $role));
      }

      $resource = $request->getControllerName();
      $privilage = $request->getActionName();
      // a controller the ACL does not know is checked against the global (null) rules
      if (!$this->_acl->has($resource)) {
         $resource = null;
      }

      if (!$this->_acl->isAllowed($role, $resource, $privilage)) {
         if ($this->_auth->hasIdentity()) {
            // logged in but not permitted
            $request->setModuleName('default');
            $request->setControllerName('error');
            $request->setActionName('noaccess');
         } else {
            // not logged in: send to the login form
            $request->setModuleName('default');
            $request->setControllerName('security');
            $request->setActionName('login');
            // errormsg is only set here, inside the access-denied branch
            if ($this->_message != "") {
               $request->setParam("errormsg", $this->_message);
            }
         }
      }
      $this->setRequest($request);
   }
}
?>


AuthController.php
Code:
<?php

class AuthController extends Zend_Controller_Action
{

   public function init()
   {
      // getParam() also falls back to GET/POST values, so errormsg can come from the client
      if ($this->getRequest()->getParam("errormsg") != "") {
         $this->view->message = $this->getRequest()->getParam("errormsg");
      }
   }

   public function indexAction()
   {
      // action body
   }

   public function registerAction()
   {
      // action body
   }

   public function loginAction()
   {
      // action body
   }

   public function logoutAction()
   {
      // drop the identity, the session and the registry, then go back to the start page
      $this->_helper->viewRenderer->setNoRender(true);
      Zend_Auth::getInstance()->clearIdentity();
      Zend_Session::destroy();
      Zend_Registry::_unsetInstance();
      $this->_forward("index","index");
   }

}


Login.phtml
Code:
<h3>Login</h3>

<form action="" method="post">
   <input name="login_email" type="text" value="Username" onfocus="if(this.value=='Username')this.value='';"  onblur="if(this.value=='')this.value='Username';" />
   <input name="login_password" type="password" value="Password" onfocus="if(this.value=='Password')this.value='';"  onblur="if(this.value=='')this.value='Password';"  />
   <input type="submit" name="submit" value="Login" class="submit" />
</form>
<?php
// escape() because the message comes from the errormsg request parameter
echo "Message: " . $this->escape($this->message);
?>


Regards,
-Ben

Re: Implementing Zend_Acl

Post by beanoefc on Wed Jun 29, 2011 11:46 am

Hey Thorsten,

I have just worked out that if I take:
Code:
if ($this->_message != "") {
     $request->setParam("errormsg", $this->_message);
}

out of preDispatch() and put it at the bottom of routeStartup() it works fine.

I am still stuck on throwing a 404 error if the controller/action does not exist. Any ideas? =)

Thanks again,
Regards,
-Ben

Re: Implementing Zend_Acl

Post by beanoefc on Wed Jun 29, 2011 12:34 pm

Hello Again Thorsten,

I have solved my 404 problem. It was just a silly typo on my end, whoops =P

Thank you very much for the time you have put into explaining this problem to me. I do greatly appreciate it.

Kind Regards,
-Ben

Re: Implementing Zend_Acl

Post by beanoefc on Thu Jun 30, 2011 7:34 pm

Hey Thorsten,

I have implemented Zend_Navigation as well as Zend_Acl now. The problem I have is that because the login process reroutes to the page the user is currently on, the updated privileges are not being displayed until I manually refresh the page. After the login has taken place, the user is still only greeted with "guests" privileges. I have to refresh the page in order to display the updated privileges.

Do you have any ideas around this?

Regards,
-Ben