Access control lists with Zend Framework in Delphi for PHP 2.0

In the previous article we dealt with authentication using Zend Framework components, but what happens if you want to customize a page depending on the role, or even the individual user, that is accessing it?

Let's say, for example, you have a page for customer management, where there is information not only about the customer, but also customer invoices, or even reserved information and notes about each customer.

You will need to customize that page according to the user accessing it, so let's say we have three roles:

  • Support people, able only to see customer information

  • People from finance, allowed to see customer information and customer invoices

  • Administration, allowed to see everything: customer information, invoices and reserved information

User login

We need to expand the set of valid users, so let's add more entries to the validusers.txt file used for authentication:


Remember that this file lists user:realm:md5(user+realm+password); in this case the passwords are the same as the user names, just for simplicity.

We also need to modify the login page so that the realm is assigned to the ZAuth component as well; the code will look like this:

function btnLoginClick($sender, $params)
{
    global $dmAuth;

    // Hand the credentials typed into the form to the ZAuth component.
    // The username doubles as the realm, which later becomes the ACL role.
    $dmAuth->ZAuth->UserName     = $this->edUser->Text;
    $dmAuth->ZAuth->UserRealm    = $this->edUser->Text;
    $dmAuth->ZAuth->UserPassword = $this->edPassword->Text;
}


To keep things simple, we are also using the username as the realm.

Content page

Let's take a look at our content page:


Three DBGrids, a ZACL component and a logout link. You can log out of the application using this link:


This link redirects to the login.php page and destroys all session data.

Adding ACL rules

Access Control Lists can be implemented easily by adding a ZACL component and editing its Rules property; we are going to add three rules:

Administrators access


In this rule we state that the role admin is allowed to show the page we are working on, and, with the custom rule *::*, that this kind of user is allowed to access anything.

Financial access


For financial access we set the same basic rules, but we state that this kind of user is not able to access the DBGrid for reserved information, nor its label. In this editor, Class and Name are filled with up-to-date information from the form, listing all controls and classes installed in the IDE, so you can easily filter the control you want.

Support access


And finally, the support role is not allowed to see invoices nor reserved information. As you can see, this is a very logical way to add rules to your app, and there are many more possibilities, such as defining custom types of resources, custom rights, etc.
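The same three-role policy, written as an added example against plain Zend_Acl (the component behind ZACL) rather than through the rule editor; this is not code from the original post. It assumes Zend Framework 1.x on the include path, and the page and control names (ZACLSample, dbgCustomers, dbgInvoices, dbgReserved, lblReserved) are chosen for this example.

```php
<?php
// Added example: the ACL rules from the post expressed directly with Zend_Acl.
// Assumes Zend Framework 1.x is on the include path; control names are assumed.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

function buildAcl()
{
    $acl = new Zend_Acl();

    // Roles: the realm stored in validusers.txt is reused as the role name.
    foreach (array('support', 'finance', 'admin') as $role) {
        $acl->addRole(new Zend_Acl_Role($role));
    }

    // Resources: the page itself plus each control whose visibility we control.
    $controls = array('dbgCustomers', 'dbgInvoices', 'dbgReserved', 'lblReserved');
    $acl->addResource(new Zend_Acl_Resource('ZACLSample'));
    foreach ($controls as $c) {
        $acl->addResource(new Zend_Acl_Resource($c));
    }

    // Zend_Acl denies everything by default, so only grants need to be listed.
    $acl->allow('support', array('ZACLSample', 'dbgCustomers'), 'show');
    $acl->allow('finance', array('ZACLSample', 'dbgCustomers', 'dbgInvoices'), 'show');
    // Role, resource and privilege all null: the equivalent of the *::* rule.
    $acl->allow('admin');

    return $acl;
}

// Returns the controls a given role may render on the page.
// A realm that was never registered as a role yields nothing: isAllowed()
// throws on unknown roles, so the hasRole() guard keeps unknown realms
// deny-all instead of turning into an error page.
function visibleControls(Zend_Acl $acl, $role)
{
    $visible = array();
    if (!$acl->hasRole($role)) {
        return $visible;
    }
    foreach (array('dbgCustomers', 'dbgInvoices', 'dbgReserved', 'lblReserved') as $c) {
        if ($acl->isAllowed($role, $c, 'show')) {
            $visible[] = $c;
        }
    }
    return $visible;
}

$acl = buildAcl();
var_dump(visibleControls($acl, 'finance'));  // dbgCustomers, dbgInvoices
var_dump(visibleControls($acl, 'guest'));    // empty array
```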

Requiring login and setting ACL role

Now it's time to make the Page request login if the user is not authenticated, and to pass the information gathered at login to the ACL manager, so it can be used when matching ACL rules.

This is done before any code from the Page is executed, at the very top of the Page class:

global $dmAuth;

global $aclmanager;

//Class definition
class ZACLSample extends Page

So when the user is correctly authenticated, the Realm is assigned to the ACLManager role and is used to match the existing rules.

Now the DBGrids are shown to the user only if they have the right role, and all of that with a minimal amount of code.

