I often come across clients that are asking for control-level permissions in web applications. So, one role can “Create” and “Update” and another role can only “Update”. Now, this is not a real security problem; most web security frameworks use filters and can control different actions in a web application. Since each button triggers a different action, you can prevent a user from invoking an action he is not supposed to perform.
The real problem is on the visual level. As long as the wrong button is visible, he will keep getting an “Unauthorized operation” message. I need to show a different subset of controls to different users depending on their permissions. Now, I generally create a separate page for each profile, but this implies a lot of duplication. Are there any web frameworks (no matter the technology) that resolve this issue?
I also had the problem and I’ve solved it by using the Zend Framework. You do not have to use the complete Framework itself, but may rely upon Zend_Acl – the authorization part of the framework.
You basically define your role hierarchy and permitted/denied actions per role as you might already know from other frameworks:
If you now want to show or hide an action depending on the role, it’s as simple as using the isAllowed() method in your code:
The manual page provides some better insight on Zend_ACL() and Zend_Auth() – the latter provides the authentication part. If you also want some more automation in generating menu items according to roles, check out Zend_Navigation as well.
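The pattern the answer describes, written out as an added example (not code from the original answer or from Zend Framework's documentation): a role hierarchy and per-privilege grants in Zend_Acl, with one `isAllowed()` check that both filters the buttons a view renders and guards the action itself. It assumes Zend Framework 1 is on the include_path; the role, resource and control names are constructed for the example.

```php
<?php
// Added example; assumes Zend Framework 1 (Zend_Acl) is on the include_path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

// Role hierarchy: editor inherits viewer, manager inherits editor (names are constructed).
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('viewer'));
$acl->addRole(new Zend_Acl_Role('editor'), 'viewer');
$acl->addRole(new Zend_Acl_Role('manager'), 'editor');

$acl->addResource(new Zend_Acl_Resource('article'));

// Zend_Acl denies by default; grant one privilege per control so the view can test each button.
$acl->allow('viewer', 'article', 'view');
$acl->allow('editor', 'article', 'update');
$acl->allow('manager', 'article', array('create', 'delete'));

// Single map from button label to the privilege it triggers, shared by the view and the action filter.
$controls = array(
    'Create' => 'create',
    'Update' => 'update',
    'Delete' => 'delete',
);

// View side: only buttons the role may use are rendered, so no "Unauthorized" message is ever shown.
function visibleControls(Zend_Acl $acl, $role, array $controls)
{
    $visible = array();
    foreach ($controls as $label => $privilege) {
        if ($acl->isAllowed($role, 'article', $privilege)) {
            $visible[] = $label;
        }
    }
    return $visible;
}

// Action side: the same ACL decision guards the request; hiding a button is not enforcement.
function authorizeAction(Zend_Acl $acl, $role, $privilege)
{
    if (!$acl->isAllowed($role, 'article', $privilege)) {
        throw new Exception('Unauthorized operation');
    }
}

print_r(visibleControls($acl, 'editor', $controls));
print_r(visibleControls($acl, 'manager', $controls));
authorizeAction($acl, 'manager', 'delete');
authorizeAction($acl, 'editor', 'create');
```

Because a single `$controls` map feeds both functions, a privilege renamed in the ACL changes the view and the filter together, which is the duplication the question wanted to avoid.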