Access control lists with Zend Framework in Delphi for PHP 2.0

In the previous article we dealt with authentication using Zend Framework components, but what happens if you want to customize a page depending on the role, or even the specific user, that is accessing it?

Let's say, for example, you have a customer management page that shows not only customer information but also customer invoices and even reserved information and notes about each customer.

You will need to customize that page according to who is accessing it, so let's say we have three roles:

  • Support people, able only to see customer information

  • People from finance, allowed to see customer information and customer invoices

  • Administration, allowed to see everything: customer information, invoices and reserved information


User login

We need more valid users, so let's add entries to the validusers.txt file used for authentication:

admin:admin:26b7f9a787bf6a491f4ea6483c79eebe
financial:financial:2e7e501f335cc8f3718a20699ae6ed72
support:support:98139c234c37a8bb30758ea31adc2097


Remember that each line of this file is user:realm:hash, where the hash is the MD5 digest of the user, realm and password combined; in this case the passwords are the same as the user names, just for simplicity. Since the file holds unsalted MD5 hashes that an attacker could brute-force offline, keep it outside the web root with permissions that only let the PHP process read it.

We also need to modify the login page so that the realm is assigned to the ZAuth component as well; the code will look like this:

function btnLoginClick($sender, $params)
{
    global $dmAuth;

    // Copy the submitted credentials into the ZAuth component of the
    // authentication data module; the content page runs ZAuth->Execute().
    $dmAuth->ZAuth->UserName = $this->edUser->Text;
    $dmAuth->ZAuth->UserRealm = $this->edUser->Text;   // realm = user name, see below
    $dmAuth->ZAuth->UserPassword = $this->edPassword->Text;

    redirect("zaclsample.php");
}

To keep things simple, we are also using the user name as the realm.
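The following is an added example, not code from the original post or from the ZAuth component, showing how the validusers.txt lines above are produced and how a digest-style file check works. It assumes the hash is md5("user:realm:password"), the HTTP Digest HA1 format used by Zend_Auth_Adapter_Digest; the function names and the sample accounts are constructed for the example.

```php
<?php
// Added example (not code from the original post): builds validusers.txt
// lines and checks a login against them the way a digest file adapter does.
// Assumption: the hash is md5("user:realm:password") as in
// Zend_Auth_Adapter_Digest; function names are made up for this example.

function digestLine($user, $realm, $password)
{
    // Colons separate the fields, so none of them may contain one (or a newline).
    foreach (array($user, $realm, $password) as $field) {
        if (strpos($field, ':') !== false || strpos($field, "\n") !== false) {
            throw new InvalidArgumentException('field contains ":" or newline');
        }
    }
    return $user . ':' . $realm . ':' . md5("$user:$realm:$password");
}

// Returns the realm of the matching entry, or false when no line matches.
// Both user and realm must match the stored line, so a caller cannot pick a
// realm (and therefore a role) that is not listed for that user.
function checkLogin($lines, $user, $realm, $password)
{
    $expected = md5("$user:$realm:$password");
    foreach ($lines as $line) {
        $parts = explode(':', rtrim($line, "\r\n"), 3);
        if (count($parts) !== 3) {
            continue;                         // skip malformed lines
        }
        list($u, $r, $h) = $parts;
        if ($u === $user && $r === $realm && strlen($h) === 32
            && constantTimeEquals($h, $expected)) {
            return $r;
        }
    }
    return false;
}

// hash_equals() only exists from PHP 5.6; this fallback avoids leaking how
// many leading characters of the hash matched through response timing.
function constantTimeEquals($a, $b)
{
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Constructed sample data: the three accounts from the article, with the
// password equal to the user name as in the article (demo only).
$lines = array(
    digestLine('admin', 'admin', 'admin'),
    digestLine('financial', 'financial', 'financial'),
    digestLine('support', 'support', 'support'),
);

var_dump(checkLogin($lines, 'support', 'support', 'support'));  // correct credentials
var_dump(checkLogin($lines, 'support', 'admin', 'support'));    // right password, wrong realm
var_dump(checkLogin($lines, 'support', 'support', 'wrong'));    // wrong password
```

The second call is the case that matters for the ACL later on: even with a valid password, a user cannot authenticate under a realm that is not stored for them, so the realm that ends up as the ACL role is tied to the credential in the file, not to a value the browser chooses.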

Content page

Let's take a look at our content page:

[image: acl_387.png]

Three DBGrids, a ZACL component and a logout link. You can log out of the application using this link:

login.php?restore_session=1

This link redirects to the login.php page and destroys all session data.

Adding ACL rules

Access Control Lists can be implemented easily by adding a ZACL component and editing its Rules property; we are going to add three rules:

Administrators access

[image: admin_389.png]

In this rule we state that the admin role is allowed to show the page we are working on and, with the custom rule *::*, that this kind of user is allowed to access any control of any class.

Financial access

[image: finantial_391.png]

For financial access we set the same basic rules, but we deny this kind of user access to the DBGrid for reserved information and to its label. In this editor, the Class and Name fields are populated from the form, listing all the controls and classes installed in the IDE, so you can easily pick the control you want.

Support access

[image: support_393.png]

And finally, the support role is not allowed to see invoices or reserved information. As you can see, this is a very logical way to add rules to your app, and there are many more possibilities, such as custom resource types, custom rights, etc.

Requiring login and setting ACL role

Now it's time to make the Page request a login if the user is not authenticated, and to pass the information gathered at login to the ACL manager so it can be used when matching ACL rules.

This is done before any code from the Page is executed, just above the Page class definition:

// Authenticate first: ZAuth->Execute() sends the user to the login page
// when there is no valid session, so nothing below runs for anonymous users.
global $dmAuth;
$dmAuth->ZAuth->Execute();

// Hand the authenticated realm to the ACL manager as the role to match.
global $aclmanager;
$aclmanager->Role = $dmAuth->ZAuth->UserRealm;

//Class definition
class ZACLSample extends Page
{

So once the user is correctly authenticated, the realm is assigned to the ACL manager's Role property and used to match the existing rules. Note that the role comes from the realm stored in validusers.txt, which ZAuth validates together with the user name and password hash, so a user cannot log in under a realm that is not listed for them.

Now the DBGrids are shown to the user only if they have the right role, and all that with a minimal amount of code. Keep in mind that the ACL decides whether a control is shown on this page; any other route to the same data (a separate report page, an export, an AJAX request) needs its own ACL check.
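As an added example, not the ZACL component's own code, the three rules from the "Adding ACL rules" section and the role assignment above are expressed directly with Zend_Acl, the Zend Framework 1.x class the component builds on. The control names (the DBGrid and Label identifiers) and the 'show' privilege name are assumptions, since the article does not show them; the rest uses only the public Zend_Acl API and runs with Zend Framework 1 on the include path.

```php
<?php
// Added example (not the ZACL component's code): the article's three rules
// with Zend_Acl. Resource names and the 'show' privilege are assumptions.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

function buildCustomerAcl()
{
    $acl = new Zend_Acl();

    // Roles. Zend_Acl denies everything that is not explicitly allowed, so the
    // article's "deny" rules become the absence of an allow for the lower roles.
    $acl->addRole(new Zend_Acl_Role('support'));
    $acl->addRole(new Zend_Acl_Role('financial'), 'support'); // inherits support
    $acl->addRole(new Zend_Acl_Role('admin'));

    // Resources: the page itself plus the controls on it (assumed names).
    $acl->add(new Zend_Acl_Resource('page:zaclsample'));
    $acl->add(new Zend_Acl_Resource('DBGrid::grdCustomers'));
    $acl->add(new Zend_Acl_Resource('DBGrid::grdInvoices'));
    $acl->add(new Zend_Acl_Resource('DBGrid::grdReserved'));
    $acl->add(new Zend_Acl_Resource('Label::lblReserved'));

    // Support: the page and customer information only.
    $acl->allow('support', array('page:zaclsample', 'DBGrid::grdCustomers'), 'show');
    // Financial: everything support has, plus invoices (reserved stays denied).
    $acl->allow('financial', 'DBGrid::grdInvoices', 'show');
    // Admin: the article's *::* rule, i.e. every resource and every privilege.
    $acl->allow('admin');

    return $acl;
}

// True when the control may be shown to the role. Zend_Acl throws on an
// unregistered role or resource; an unknown role (e.g. a realm that exists in
// validusers.txt but has no rules) is treated as denied instead.
function canShow(Zend_Acl $acl, $role, $resource)
{
    if (!$acl->hasRole($role) || !$acl->has($resource)) {
        return false;
    }
    return $acl->isAllowed($role, $resource, 'show');
}

$acl = buildCustomerAcl();
$controls = array('DBGrid::grdCustomers', 'DBGrid::grdInvoices',
                  'DBGrid::grdReserved', 'Label::lblReserved');

// The role would normally be $dmAuth->ZAuth->UserRealm after Execute();
// here each known role plus an unregistered one is tried in turn.
foreach (array('support', 'financial', 'admin', 'guest') as $role) {
    $visible = array();
    foreach ($controls as $res) {
        if (canShow($acl, $role, $res)) {
            $visible[] = $res;
        }
    }
    printf("%-10s sees: %s\n", $role, implode(', ', $visible));
}
```

Two design points worth noticing: because Zend_Acl is deny-by-default, a control added to the page later stays hidden from support and financial until someone explicitly allows it, whereas the admin rule (allow with no resource or privilege, the equivalent of *::*) automatically covers anything added later, so it should be reserved for genuinely unrestricted roles.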

