Editorial Team
Asked: May 13, 2026

I have some Zend Framework apps running and it’s time to add user access

I have some Zend Framework apps running and it’s time to add user access restrictions. I am a firm believer that you should try to avoid rolling your own security infrastructure whenever possible and so I have been trying to figure out how to use Zend_Auth and Zend_Acl to implement it, so far without success.

I have searched all over the net, and at least one book, and I can’t find an example of how to string all of the parts together. I found an example of authentication here, old examples of authorization / access control here and here, and proposals for the future here, here, and here, but I don’t understand ZF well enough to put it all together in the present.

What I need is this: a simple public example or tutorial that completely details [as downloadable and runnable code] how to use the current Zend Framework release (1.9.5, no “proposals” or “laboratories”) to manage the authentication/authorization/access control of three users (and their passwords) in three different roles (e.g. guest, member, administrator) to protect three different controllers in the default module. The example should use as much of the current ZF library as possible. And no, this isn’t homework; the stakes are higher than that 🙁

If it exists somewhere I haven’t found it. Any help appreciated. IMO this would be very helpful for newcomers to ZF.

Disclosure: I have a community wiki question on ZF here because I’m trying to figure out if I’ll continue with it. But I really need to get my apps running now!


1 Answer

  1. Editorial Team
    Added an answer on May 13, 2026 at 6:04 am

    Pro Zend Framework Techniques, Chapter 8 has a nice treatment of this. Most of his approach is quite similar to what I use, with the exception of the preDispatch method. When authenticating I have preDispatch redirect instead of silently dispatching to another controller. I also preserve the URL that was requested for the use of the login action.

    class SitePluginAuth extends Zend_Controller_Plugin_Abstract
    {
     private $_auth;
     private $_acl;
    
     private $_noauthPath = '/account/log-in/';
     private $_noacl = array('module' => 'default', 'controller' => 'error', 'action' => 'denied');
    
     public function __construct($auth, $acl)
     {
      $this->_auth = $auth;
      $this->_acl = $acl;
     }
    
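     // The type hint matches the signature declared in Zend_Controller_Plugin_Abstract.
     public function preDispatch(Zend_Controller_Request_Abstract $request)
     {
      // The controller name doubles as the ACL resource name.
      $resource = $request->controller;
      // Controllers not registered as ACL resources are left unrestricted.
      if (!$this->_acl->has($resource)) return;
    
      $controller = $request->controller;
      $action = $request->action;
      $module = $request->module;
    
      // Any authenticated identity is treated as 'member'; everyone else is 'guest'.
      if ($this->_auth->hasIdentity()) {
       $identity = $this->_auth->getIdentity();
       $role = 'member';
      }
      else {
       $role = 'guest';
      }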
    
      /*
       * Remember to URL encode the parameter value. Also, when you are processing the value of the 
       * redirect URL, make sure that it is a URL on your site or a relative URL to avoid any security 
       * attacks like a phishing scheme. Otherwise, a third party can target your site's login page and 
       * then redirect back to their site and might have access to the user's secured session.
       *
       * The reason I don't use the session to store the URL, is that search engine spiders can end up 
       * creating sessions as they hit links on your site that are secured and require login. Since they 
       * have no credentials, the session is created only to timeout 30 minutes later.
       */
      if (!$this->_acl->isAllowed($role, $resource, $action)) {
       if (!$this->_auth->hasIdentity()) {
        $requestedUrl = substr($request->getRequestUri(), strlen($request->getBaseUrl())); // relative url 
        $loginUrl = $this->_noauthPath.'?requestedUrl='.urlencode($requestedUrl);
        $redirector = Zend_Controller_Action_HelperBroker::getStaticHelper('redirector');
        $redirector->gotoUrl($loginUrl);
       }
       else {
        $request->setModuleName($this->_noacl['module']);
        $request->setControllerName($this->_noacl['controller']);
        $request->setActionName($this->_noacl['action']);
       }
      }
     }
    }
    
    
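The code comment in the answer above says the login action must check that the `requestedUrl` value is a relative URL on the same site before redirecting to it. The following is an added example of that check, not code from the original answer; the function name `safeRedirectTarget()`, the `/` fallback and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not from the original answer): validate the requestedUrl
// query parameter before the login action redirects to it.
// safeRedirectTarget() and the '/' fallback are hypothetical.

function safeRedirectTarget($candidate, $default = '/')
{
    if (!is_string($candidate) || $candidate === '') {
        return $default;
    }
    // Reject control characters (CR/LF header injection, tabs browsers strip).
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $default;
    }
    // Browsers treat "\" like "/", so "/\host" behaves like "//host".
    if (strpos($candidate, '\\') !== false) {
        return $default;
    }
    // Must be a path on this site: one leading slash, never "//" (scheme-relative).
    if ($candidate[0] !== '/' || substr($candidate, 0, 2) === '//') {
        return $default;
    }
    // Defence in depth: the URL parser must not see a scheme or host either.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

// Constructed sample inputs, as they would arrive in the requestedUrl parameter.
$samples = array(
    '/members/profile?tab=2',     // kept: relative path on this site
    'https://example.net/login',  // absolute URL -> fallback
    '//example.net/login',        // scheme-relative -> fallback
    '/\\example.net/login',       // backslash variant -> fallback
    "/members\r\nX-Test: 1",      // CR/LF -> fallback
    '',                           // missing parameter -> fallback
);
foreach ($samples as $s) {
    printf("%-28s => %s\n", json_encode($s), safeRedirectTarget($s));
}
```

Only the first sample is returned unchanged; every other input falls back to `/`, so a crafted login link cannot send the user to another host after authentication.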
