Jeremy Knope dot com

So I decided to write a bit about my experience and implementation of the Zend_Acl component, it’s a bit rough but I hope it gives an idea of how to possibly implement Zend_Acl. Let me know if there’s anything not very clear, I’m no english major so there’s bound to be some awful sections.



Background

So where I work, at RainStorm Consulting, we have a large web application system that drives parts of client’s websites. It currently does not have a public facing site that I could provide for more information, but it’s something that’s evolved over time to facilitate common needs among clients, eventually turning into a central service-providing administration site that clients can go to one place for to administer various dynamic content. It’s also a multi-tenant system, currently only with basic privileges, super administrator, site administrator, and a basic user that can only edit their ‘profile’ for a couple applications. There’s now a client with desire for more fine-grained permissions so Zend_Acl fit the bill.

Implementation

After brainstorming a bit, what exactly we needed for permission control and much frustration wrapping my head around the idea of ACL, taking it’s full capabilities into my head and getting confused. I basically ended up at the end with an ACL implementation that is similar to Drupal’s. I didn’t go into a full implementation of the hierarchy that Zend_Acl offers for both resources and roles. Our system has modules(separate applications) which will map directly to a resource, so say NewsStorm will have a resource by the same name. A role will then have various resource & permission words mapped to it, with a flag for allow or deny. The basic schema is sketched out roughly in this diagram:

I still haven’t finalized the best way for providing possible permissions from a module, but possibly a central module file that al modules will have, possibly containing a class. Currently it’s stored in the modules table in the database, modules create a record there on installation. A simple field right now has a csv of permissions, for example NewsStorm might have “manage categories, new post, edit post, delete post, publish post” which are provided in the permission management, which is modeled after drupal’s.

Shot of the client’s version of this permission management tool:

The actual setup so permissions can be checked happens in the core class in setupAcl(), it pulls everything from the database and builds the ACL tree. We have 2 core roles, Administrator which is just hard-coded and Site Administrator which exists in the database and is meant for almost full control over every module for a site. We fetch all the roles and add them, along with resources.

$acl = new Zend_Acl();

$roles = Siteturbine_Acl_Role::find('all', array('parent_id is null'));
foreach($roles as $role) {
	$acl->addRole($role);
}
$resources = Siteturbine_Acl_Resource::find('all', array('parent_id is null'));
foreach($resources as $resource) {
	$acl->add($resource);
}
$acl->allow('Administrator', null, null);

foreach($roles as $role) {
	$query = "SELECT ro.name as role,re.name as resource,GROUP_CONCAT(rr.permission SEPARATOR ',') as perm
  FROM acl_roles ro
  LEFT OUTER JOIN acl_resources_roles rr ON rr.role_id = ro.id
  LEFT OUTER JOIN acl_resources re ON re.id = rr.resource_id
  WHERE ro.id = ? AND rr.allow = 1
  GROUP BY rr.resource_id";
	$allows = Siteturbine_Acl_Resource::findBySql(array($query, $role->id));
	$has_allow = false;
	foreach($allows as $a) {
		$has_allow = true;
		$acl->allow($role, $a->resource, explode(',', $a->perm));
	}
	if($has_allow) {
		$acl->allow($role, $a->resource, null);
		$acl->allow($role, $a->resource, 'view');
	}

	$query = "SELECT ro.name as role,re.name as resource,GROUP_CONCAT(rr.permission SEPARATOR ',') as perm
  FROM acl_roles ro
  LEFT OUTER JOIN acl_resources_roles rr ON rr.role_id = ro.id
  LEFT OUTER JOIN acl_resources re ON re.id = rr.resource_id
  WHERE ro.id = ? AND rr.deny = 1
  GROUP BY rr.resource_id";
	$allows = Siteturbine_Acl_Resource::findBySql(array($query, $role->id));
	foreach($allows as $a) {
		$acl->deny($role, $a->resource, explode(',', $a->perm));
	}
}

So tons of stuff going on in here I suppose, basically I query out the resource-permission maps into separate rows that I can loop through and call $acl->allow() or $acl->deny() as appropriate. If a role has any allow permission at all, I also set a hard-coded allow to the ‘view’ permission, which I use as a way to see if someone has ANY module permission at all, used in navigation.

After all that, I can call a helper type function I have for checking if the current user has permission for a specific area or task. This function takes care of automatically getting the current user and also the module if one isn’t specified.

	function isAllowed($permission, $module=null)

so $this->isAllowed(’new post’) might return true if the current user has a role that allows the ‘new post’ permission on the current module.

This was a pretty rough post, but I’m not so great at writing but I hope it might be useful. Let me know if it could use more clarification, I probably glossed over a lot.

Technorati Tags: php, framework, zend

So Zend Core recently released an update which has the PDO extension so I can now use it since all my applications run off of PDO for data access. Problem is I’m trying this on Mac OS X which currently has a problem with building PDO separately for PHP. So I had to wait for Zend Core to integrate the core PDO extension to even use it.

Zend Core offers a simple installation and management suite for a PHP installation. It installs PHP and it’s components along with some optional components (like phpMyAdmin and the likes and even Apache 2) and gives you a web interface for managing your php configuration, seeing general status of Apache, benchmark (ap), and grab updates automatically or manually for Zend Core. It’s also free to use it seems, you pay if you want support.

My favorite part of this is probably the offline searchable PHP manual it also includes and the easy to use php.ini editor that lets you edit settings & load extensions easily. Check out some screenshots.

Technorati Tags:
php, programming, zend, review

So I just recently updated my Script Logger app, a small PHP web app meant to drop in and log various errors and warnings generated by a larger PHP web application, including pages that might take too long. This was made in response to liking the ability to see what problems may have occurred on a server via Zend Platform that I tried out. So I decided to make a simple one using PHP’s functions for setting error and exception handlers. This isn’t the perfect solution compared to Zend Platform since it’s done with PHP code, and with the handlers, they can’t catch fatal errors. Maybe some day someone, or me if I ever learned how, could write a simple extension for catching all the various errors including the ones unable to be caught within PHP for logging. I’m thinking Xdebug is a good resource for this since it catches all the errors etc, and it would be a good companion to someone with a Xdebug PHP setup to have a free Zend Platform like alternative.

My Script Logger requires PHP 5.1 or better, the PDO extension to be installed (which it often is by default, at least if you build PHP), and sqlite2 or sqlite driver for PDO installed. You can possibly install these via pear/pecl too if you don’t already have them. To install just drop it on your web site, edit config.php to see if the error settings are to your liking, make db folder writable, and you should be good to go.

Script Logger

Technorati Tags: php, programming, software, xdebug, zend

I’m starting to wonder what the future of Zend Studio is due to disappointing updates and the new PHP IDE Project backed by Zend. I’m quite disappointed that the java based cross-platform application that is Zend Studio isn’t a native application to OS X Intel. Supposedly this should work through rosetta, but come on, it’s java, it shouldn’t have to be specific to PowerPC, and shouldn’t be hard to fix this at least for the primary program. I believe my first attempt to actually install Zend Studio on my MacBook Pro was met in similar failure to the friend that warned me that it has issues on OS X intel. I seemed to have installed 5.5 beta just fine and it so far seems fine. But it’s still severly limited since you can’t use the Zend Debugger, Profiler, or Platform features since that requires the Zend extensions which are PowerPC and you can run PowerPC applications but not load shared libraries like those into intel applications. So basically it’s not a 100% package on OS X intel.

The other issue is that I have an expired Zend Studio 5.1, meaning it’s still valid to use but no free updates, so $200 to get 5.2 or 5.5 when it’s out. And for what? Nothing special at all, there’s some cool stuff, like Zend Platform integration is actually something nicer in 5.5 compared to the initial stuff in 5.2. I’m not sure I like the subscription style upgrade program, it benefits you at times like when a huge release comes out like say if 6.0 was coming out when you still had the support/updates. Mine happened to expire before 5.2 or 5.5 so neither are free, I definitely said no to paying to renew and get 5.2 since there was barely anything at all new, and 5.5 isn’t much better either. Not worth it until maybe 6.0.

Also, is Zend Studio going to be continued or is the PHP IDE Project slated to eventually be Zend/PHP’s preferred IDE of choice. Doesn’t seem like it, but the fact that Zend is helping with what would be competition for Zend Studio seems kinda odd. That and the lack of intel support for Zend Studio and Zend Platform makes it kinda uncertain if it’s worth spending money for an upgrade, at least not until there’s a better looking update that provides something more worthwhile. In the meantime I’m seriously looking at Komodo Professional to see if it’s at all a better deal, specially with all the languages it’s capable of handling, including code suggestion for more than just PHP, but for other languages and also CSS and XSL too. The biggest concerns for that IDE so far are performance/snapiness and limited PHP code suggestion. I don’t know if PHP IDE Eclipse project will be good, at least not yet, but Eclipse has been incredibly slow on linux and OS X. We’ll see how things progress with it.

Technorati Tags: php, programming, development, software, tools, zend

So I’m now definitely Zend Certified now that I got my framed certificate, seems kinda silly but kinda cool at the same time.

Check it out:

I just made a ’sidebar’ plugin for the Typo blog engine to display the ZCE logo stating I’m a Zend Certified Engineer, I couldn’t resist adding it to the site ‘properly’ so I made the plugin with 2 config fields that take the candidate ID and registration ID. Yeah it’s simple and kind of pathetic but wanted to be ‘cool’ and show that I passed

Yay I passed the Zend PHP Certification exam, wonder when I’ll show up in the directory

p. *Update:* When I do show up in the directory it should be here: “PHP Professionals in Maine”:http://zend.com/store/education/certification/yellow-pages.php?cid=1&sid=ME&submit=search&orderby=ID&form_name=Zend_VUE_Search_Form