ACL Example
ACL rules are defined in acl.conf.php. For each group of users (a role) you define which resources and actions it is allowed to use and which it is denied; a resource is a controller class and an action is one of its methods.
# Allow member to access all actions in Sns and Blog resource.
$acl['member']['allow'] = array(
    'SnsController'=>'*',
    'BlogController'=>'*',
);
# Allow anonymous visitors for Blog index only.
$acl['anonymous']['allow'] = array(
    'BlogController'=>'index',
);
# Deny member from banUser, showVipHome, etc.
$acl['member']['deny'] = array(
    'SnsController'=>array('banUser', 'showVipHome'),
    'BlogController' =>array('deleteComment', 'writePost')
);
# Alternative form: deny member from all Sns resources and Blog writePost.
# A bare resource name (no key) denies every action on it. Note that this
# assignment replaces the deny rule above; use one form or the other.
$acl['member']['deny'] = array(
    'SnsController',
    'BlogController' =>array('writePost')
);
# Admin can access all except Sns showVipHome
$acl['admin']['allow'] = '*';
$acl['admin']['deny'] = array(
    'SnsController'=>array('showVipHome')
);
# If member is denied, reroute to the following routes.
$acl['member']['failRoute'] = array(
    //used when no more specific key below matches
    '_default'=>'/error/member',
    //if denied from sns banUser
    'SnsController/banUser'=>'/error/member/sns/notAdmin',
    'SnsController/showVipHome'=>'/error/member/sns/notVip',
    //applies to any denied action on BlogController
    'BlogController'=>'/error/member/blog/notAdmin'
);
You have to assign the rules to DooAcl in your bootstrap file.
Doo::acl()->rules = $acl;
# The default route to reroute to when a resource is denied and the role has no matching failRoute. If not set, a 404 error will be displayed.
Doo::acl()->defaultFailedRoute = '/error';
ACL methods
You can check against the ACL rules whenever you need. Both isAllowed and isDenied return true or false, so you can use either method in your authorization logic.
# Check if allowed.
$this->acl()->isAllowed($role, $resource, $action);
Doo::acl()->isAllowed($role, $resource, $action);
# Check if denied.
$this->acl()->isDenied($role, $resource, $action);
Doo::acl()->isDenied($role, $resource, $action);
If you want the framework to automatically reroute a denied request, use process(). When the request is denied it returns the failRoute defined in acl.conf.php (or defaultFailedRoute when none matches); when it is allowed it returns nothing. You can therefore do this in the methods you wish to protect:
# Get $role from Session. How the role is stored is up to your application;
# here it is assumed to live in $_SESSION['role'], with 'anonymous' as the fallback.
$role = isset($_SESSION['role']) ? $_SESSION['role'] : 'anonymous';
if($rs = $this->acl()->process($role, 'resourceName', 'actionName' )){
    echo $role .' is not allowed for resourceName actionName';
    return $rs;
}

# Example usage in a method.
class SnsController extends DooController{
    function banUser(){
        //Get role from Session (assumed to be stored in $_SESSION['role'])
        $role = isset($_SESSION['role']) ? $_SESSION['role'] : 'anonymous';
        //__FUNCTION__ yields 'banUser'. __METHOD__ would yield 'SnsController::banUser',
        //which does not match the bare action names used in acl.conf.php.
        if($rs = $this->acl()->process($role, __CLASS__, __FUNCTION__ )){
            return $rs;
        }
        //if is admin then continue to ban user.
    }
}
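To make the rule shapes from acl.conf.php and the isAllowed / isDenied / process calls above concrete, here is an added, self-contained evaluator for them. It is an illustration written for this page, not DooPHP's own DooAcl class; the class name AclRules is made up, and the method names only mirror the page's API so the calls map one to one. Two semantics it assumes, because the page does not state them, are that a deny entry wins over an allow entry and that a role with no matching allow entry (including a role absent from the config) is denied. The rule set and the requests at the bottom are constructed from the page's examples.

```php
<?php
// Added illustrative evaluator for the acl.conf.php rule shapes on this page.
// NOT DooPHP's DooAcl. Assumed semantics: deny beats allow; no allow means denied.

class AclRules
{
    private $rules;
    private $defaultFailedRoute;

    public function __construct(array $rules, $defaultFailedRoute = null)
    {
        $this->rules = $rules;
        $this->defaultFailedRoute = $defaultFailedRoute;
    }

    // Does one 'allow' or 'deny' block cover $resource/$action?
    private function matches($block, $resource, $action)
    {
        if ($block === '*') {
            return true;                        // every resource, every action
        }
        if (!is_array($block)) {
            return false;
        }
        foreach ($block as $key => $value) {
            if (is_int($key)) {                 // bare resource, e.g. array('SnsController')
                if ($value === $resource) { return true; }
                continue;
            }
            if ($key !== $resource) { continue; }
            if ($value === '*') { return true; }            // all actions on this resource
            if (is_array($value)) { return in_array($action, $value, true); }
            return $value === $action;                      // single action as a string
        }
        return false;
    }

    public function isDenied($role, $resource, $action)
    {
        if (!isset($this->rules[$role])) {
            return true;                        // unknown role: deny by default
        }
        $r = $this->rules[$role];
        if (isset($r['deny']) && $this->matches($r['deny'], $resource, $action)) {
            return true;
        }
        return !(isset($r['allow']) && $this->matches($r['allow'], $resource, $action));
    }

    public function isAllowed($role, $resource, $action)
    {
        return !$this->isDenied($role, $resource, $action);
    }

    // Route to reroute to when denied, null when allowed. Lookup order:
    // 'Resource/action', then 'Resource', then '_default', then defaultFailedRoute.
    public function process($role, $resource, $action)
    {
        if ($this->isAllowed($role, $resource, $action)) {
            return null;
        }
        $fail = isset($this->rules[$role]['failRoute']) ? $this->rules[$role]['failRoute'] : array();
        foreach (array($resource . '/' . $action, $resource, '_default') as $key) {
            if (isset($fail[$key])) { return $fail[$key]; }
        }
        return $this->defaultFailedRoute;       // null here means: let the framework 404
    }
}

// Constructed rule set reusing the page's examples.
$acl = array();
$acl['member']['allow'] = array('SnsController' => '*', 'BlogController' => '*');
$acl['member']['deny']  = array('SnsController'  => array('banUser', 'showVipHome'),
                                'BlogController' => array('deleteComment', 'writePost'));
$acl['member']['failRoute'] = array(
    '_default'                  => '/error/member',
    'SnsController/banUser'     => '/error/member/sns/notAdmin',
    'SnsController/showVipHome' => '/error/member/sns/notVip',
    'BlogController'            => '/error/member/blog/notAdmin',
);
$acl['anonymous']['allow'] = array('BlogController' => 'index');
$acl['admin']['allow'] = '*';
$acl['admin']['deny']  = array('SnsController' => array('showVipHome'));

$rules = new AclRules($acl, '/error');

// Constructed requests, including ones the config never mentions.
$requests = array(
    array('member',    'SnsController',  'banUser'),
    array('member',    'BlogController', 'writePost'),
    array('member',    'BlogController', 'index'),
    array('anonymous', 'BlogController', 'index'),
    array('anonymous', 'BlogController', 'writePost'),   // no failRoute: falls to '/error'
    array('admin',     'SnsController',  'showVipHome'), // deny wins over allow '*'
    array('guest',     'BlogController', 'index'),       // role absent from the config
);
foreach ($requests as $req) {
    list($role, $resource, $action) = $req;
    $route = $rules->process($role, $resource, $action);
    printf("%-9s %-14s %-12s %s\n", $role, $resource, $action,
           $route === null ? 'allowed' : 'denied -> ' . $route);
}
```

The last two requests are the ones worth checking in any real deployment: an action the config never names and a role the config never names must both end up denied. If your own rule set lets either through, the ACL is allow-by-default and a newly added controller method is exposed until someone remembers to write a deny rule for it.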
If you don't wish to check in every method, you can perform the check in beforeRun(), which the framework calls before the requested action. This is the safer choice: a per-method check that is forgotten on one action is a silent authorization bypass, whereas beforeRun() covers every action of the controller. The method needs to have 2 parameters, $resource and $action.
# Example usage in a controller.
class SnsController extends DooController{
    function beforeRun( $resource, $action ){
        //Get role from Sessions (assumed to be stored in $_SESSION['role'])
        $role = isset($_SESSION['role']) ? $_SESSION['role'] : 'anonymous';
        //returning the failRoute stops the action from running and reroutes the request
        if($rs = $this->acl()->process($role, $resource, $action )){
            return $rs;
        }
    }
    function banUser(){
        //if is admin then continue to ban user.
    }
}
Go ahead and download the code to learn more!