Class Acl

Summary

Fully Qualified Name: Zend\Permissions\Acl\Acl
Implements: AclInterface

Description

Methods

Name Description Defined By
addResource() Adds a Resource having an identifier unique to the ACL Acl
addRole() Adds a Role having an identifier unique to the registry Acl
allow() Adds an "allow" rule to the ACL Acl
deny() Adds a "deny" rule to the ACL Acl
getResource() Returns the identified Resource Acl
getResources() Acl
getRole() Returns the identified Role Acl
getRoles() Acl
hasResource() Returns true if and only if the Resource exists in the ACL Acl
hasRole() Returns true if and only if the Role exists in the registry Acl
inheritsResource() Returns true if and only if $resource inherits from $inherit Acl
inheritsRole() Returns true if and only if $role inherits from $inherit Acl
isAllowed() Returns true if and only if the Role has access to the Resource Acl
removeAllow() Removes "allow" permissions from the ACL Acl
removeDeny() Removes "deny" restrictions from the ACL Acl
removeResource() Removes a Resource and all of its children Acl
removeResourceAll() Removes all Resources Acl
removeRole() Removes the Role from the registry Acl
removeRoleAll() Removes all Roles from the registry Acl
setRule() Performs operations on ACL rules Acl

Method Details

addResource()

Adds a Resource having an identifier unique to the ACL

The $parent parameter may be a reference to, or the string identifier for, the existing Resource from which the newly added Resource will inherit.

Parameter Name Type Description
$resource \Resource\ResourceInterface|string
$parent \Resource\ResourceInterface|string

Returns: \Acl Provides a fluent interface

addRole()

Adds a Role having an identifier unique to the registry

The $parents parameter may be a reference to, or the string identifier for, a Role existing in the registry, or $parents may be passed as an array of these - mixing string identifiers and objects is ok - to indicate the Roles from which the newly added Role will directly inherit.

In order to resolve potential ambiguities with conflicting rules inherited from different parents, the most recently added parent takes precedence over parents that were previously added. In other words, the first parent added will have the least priority, and the last parent added will have the highest priority.

Parameter Name Type Description
$role \Role\RoleInterface|string
$parents \Role\RoleInterface|string|array

Returns: \Acl Provides a fluent interface

allow()

Adds an "allow" rule to the ACL

Parameter Name Type Description
$roles \Role\RoleInterface|string|array
$resources \Resource\ResourceInterface|string|array
$privileges string|array
$assert \Assertion\AssertionInterface

Returns: \Acl Provides a fluent interface

deny()

Adds a "deny" rule to the ACL

Parameter Name Type Description
$roles \Role\RoleInterface|string|array
$resources \Resource\ResourceInterface|string|array
$privileges string|array
$assert \Assertion\AssertionInterface

Returns: \Acl Provides a fluent interface

getResource()

Returns the identified Resource

The $resource parameter can either be a Resource or a Resource identifier.

Parameter Name Type Description
$resource \Resource\ResourceInterface|string

Returns: resource

getResources()

Returns: array of registered resources

getRole()

Returns the identified Role

The $role parameter can either be a Role or Role identifier.

Parameter Name Type Description
$role \Role\RoleInterface|string

Returns: \Role\RoleInterface

getRoles()

Returns: array of registered roles

hasResource()

Returns true if and only if the Resource exists in the ACL

The $resource parameter can either be a Resource or a Resource identifier.

Parameter Name Type Description
$resource \Resource\ResourceInterface|string

Returns: bool

hasRole()

Returns true if and only if the Role exists in the registry

The $role parameter can either be a Role or a Role identifier.

Parameter Name Type Description
$role \Role\RoleInterface|string

Returns: bool

inheritsResource()

Returns true if and only if $resource inherits from $inherit

Both parameters may be either a Resource or a Resource identifier. If $onlyParent is true, then $resource must inherit directly from $inherit in order to return true. By default, this method looks through the entire inheritance tree to determine whether $resource inherits from $inherit through its ancestor Resources.

Parameter Name Type Description
$resource \Resource\ResourceInterface|string
$inherit \Resource\ResourceInterface|string
$onlyParent bool

Returns: bool

inheritsRole()

Returns true if and only if $role inherits from $inherit

Both parameters may be either a Role or a Role identifier. If $onlyParents is true, then $role must inherit directly from $inherit in order to return true. By default, this method looks through the entire inheritance DAG to determine whether $role inherits from $inherit through its ancestor Roles.

Parameter Name Type Description
$role \Role\RoleInterface|string
$inherit \Role\RoleInterface|string
$onlyParents bool

Returns: bool

isAllowed()

Returns true if and only if the Role has access to the Resource

The $role and $resource parameters may be references to, or the string identifiers for, an existing Resource and Role combination.

If either $role or $resource is null, then the query applies to all Roles or all Resources, respectively. Both may be null to query whether the ACL has a "blacklist" rule (allow everything to all). By default, Zend\Permissions\Acl creates a "whitelist" rule (deny everything to all), and this method would return false unless this default has been overridden (i.e., by executing $acl->allow()).

If a $privilege is not provided, then this method returns false if and only if the Role is denied access to at least one privilege upon the Resource. In other words, this method returns true if and only if the Role is allowed all privileges on the Resource.

This method checks Role inheritance using a depth-first traversal of the Role registry. The highest priority parent (i.e., the parent most recently added) is checked first, and its respective parents are checked similarly before the lower-priority parents of the Role are checked.

Parameter Name Type Description
$role \Role\RoleInterface|string
$resource \Resource\ResourceInterface|string
$privilege string

Returns: bool
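
The parent-priority rule described under addRole() and the omitted-$privilege rule described above decide real access outcomes, so the following added example (not part of the original documentation or of Zend Framework's code) exercises both. The same two rules give opposite answers depending only on the order of a role's parents, and a query without $privilege asks about all privileges at once. The role, resource and privilege names are constructed, and the script assumes zendframework/zend-permissions-acl is installed through Composer.

```php
<?php
// Added example, not Zend Framework's own code. Role, resource and privilege
// names are constructed. Assumes zendframework/zend-permissions-acl is
// installed with Composer and autoloadable.
require __DIR__ . '/vendor/autoload.php';

use Zend\Permissions\Acl\Acl;

// Build the same ACL twice, changing only the order of alice's parents.
function buildAcl(array $parentOrder)
{
    $acl = new Acl();
    $acl->addResource('payroll');
    $acl->addRole('guest')
        ->addRole('auditor', 'guest') // auditor has no rules of its own
        ->addRole('hr')
        ->addRole('alice', $parentOrder);
    $acl->deny('guest', 'payroll', 'view');
    $acl->allow('hr', 'payroll', 'view');
    return $acl;
}

function show($label, $allowed)
{
    echo str_pad($label, 32), $allowed ? 'allowed' : 'denied', PHP_EOL;
}

// 'hr' is added last: highest priority, so its allow rule is found first.
show('parents [auditor, hr], view:',
    buildAcl(['auditor', 'hr'])->isAllowed('alice', 'payroll', 'view'));

// 'auditor' is added last: it and its ancestor 'guest' are searched
// depth-first before 'hr', so guest's deny rule is found first.
show('parents [hr, auditor], view:',
    buildAcl(['hr', 'auditor'])->isAllowed('alice', 'payroll', 'view'));

// Omitting $privilege asks "are ALL privileges allowed?".
$acl = new Acl();
$acl->addResource('payroll')->addRole('admin')->addRole('clerk');
$acl->allow('admin', 'payroll');          // every privilege ...
$acl->deny('admin', 'payroll', 'purge');  // ... except this one
$acl->allow('clerk', 'payroll', 'view');  // a single privilege only

show('admin, edit:',             $acl->isAllowed('admin', 'payroll', 'edit'));
show('admin, no $privilege:',    $acl->isAllowed('admin', 'payroll'));
show('clerk, view:',             $acl->isAllowed('clerk', 'payroll', 'view'));
show('clerk, no $privilege:',    $acl->isAllowed('clerk', 'payroll'));
```

When reviewing an ACL built this way, treat the order of the $parents array as part of the policy: reordering it changes which inherited rule wins.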

removeAllow()

Removes "allow" permissions from the ACL

Parameter Name Type Description
$roles \Role\RoleInterface|string|array
$resources \Resource\ResourceInterface|string|array
$privileges string|array

Returns: \Acl Provides a fluent interface

removeDeny()

Removes "deny" restrictions from the ACL

Parameter Name Type Description
$roles \Role\RoleInterface|string|array
$resources \Resource\ResourceInterface|string|array
$privileges string|array

Returns: \Acl Provides a fluent interface

removeResource()

Removes a Resource and all of its children

The $resource parameter can either be a Resource or a Resource identifier.

Parameter Name Type Description
$resource \Resource\ResourceInterface|string

Returns: \Acl Provides a fluent interface

removeResourceAll()

Removes all Resources

Returns: \Acl Provides a fluent interface

removeRole()

Removes the Role from the registry

The $role parameter can either be a Role or a Role identifier.

Parameter Name Type Description
$role \Role\RoleInterface|string

Returns: \Acl Provides a fluent interface

removeRoleAll()

Removes all Roles from the registry

Returns: \Acl Provides a fluent interface

setRule()

Performs operations on ACL rules

The $operation parameter may be either OP_ADD or OP_REMOVE, depending on whether the user wants to add or remove a rule, respectively:

OP_ADD specifics:

 A rule is added that would allow one or more Roles access to [certain $privileges
 upon] the specified Resource(s).

OP_REMOVE specifics:

 The rule is removed only in the context of the given Roles, Resources, and privileges.
 Existing rules to which the remove operation does not apply would remain in the
 ACL.

The $type parameter may be either TYPE_ALLOW or TYPE_DENY, depending on whether the rule is intended to allow or deny permission, respectively.

The $roles and $resources parameters may be references to, or the string identifiers for, existing Resources/Roles, or they may be passed as arrays of these - mixing string identifiers and objects is ok - to indicate the Resources and Roles to which the rule applies. If either $roles or $resources is null, then the rule applies to all Roles or all Resources, respectively. Both may be null in order to work with the default rule of the ACL.

The $privileges parameter may be used to further specify that the rule applies only to certain privileges upon the Resource(s) in question. This may be specified to be a single privilege with a string, and multiple privileges may be specified as an array of strings.

If $assert is provided, then its assert() method must return true in order for the rule to apply. If $assert is provided with $roles, $resources, and $privileges all equal to null, then a rule having a type of:

 TYPE_ALLOW will imply a type of TYPE_DENY, and

 TYPE_DENY will imply a type of TYPE_ALLOW

when the rule's assertion fails. This is because the ACL needs to provide expected behavior when an assertion upon the default ACL rule fails.

Parameter Name Type Description
$operation string
$type string
$roles \Role\RoleInterface|string|array
$resources \Resource\ResourceInterface|string|array
$privileges string|array
$assert \Assertion\AssertionInterface

Returns: \Acl Provides a fluent interface
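
The type inversion described above means a conditional rule placed on the default ACL rule behaves differently from the same condition on a specific rule. The following added example (not part of the original documentation or of Zend Framework's code) compares the three cases with an assertion that always fails. FixedAssertion and the role and resource names are hypothetical, and the script assumes zendframework/zend-permissions-acl is installed through Composer.

```php
<?php
// Added example, not Zend Framework's own code. Class, role and resource
// names are constructed; assumes zendframework/zend-permissions-acl is
// installed with Composer and autoloadable.
require __DIR__ . '/vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Assertion\AssertionInterface;
use Zend\Permissions\Acl\Resource\ResourceInterface;
use Zend\Permissions\Acl\Role\RoleInterface;

// Hypothetical assertion that always returns the value it was built with.
class FixedAssertion implements AssertionInterface
{
    private $result;

    public function __construct($result)
    {
        $this->result = (bool) $result;
    }

    public function assert(Acl $acl, RoleInterface $role = null,
        ResourceInterface $resource = null, $privilege = null)
    {
        return $this->result;
    }
}

function freshAcl()
{
    $acl = new Acl();
    return $acl->addRole('guest')->addResource('report');
}

function check($label, Acl $acl)
{
    $ok = $acl->isAllowed('guest', 'report', 'view');
    echo str_pad($label, 38), $ok ? 'allowed' : 'denied', PHP_EOL;
}

$failing = new FixedAssertion(false);

// Default rule ($roles, $resources, $privileges all null) with a failing
// assertion: the rule's type is inverted.
check('default deny, assertion fails:',  freshAcl()->deny(null, null, null, $failing));
check('default allow, assertion fails:', freshAcl()->allow(null, null, null, $failing));

// Specific rule with a failing assertion: the rule does not apply, and the
// built-in default (deny everything to all) decides.
check('specific allow, assertion fails:',
    freshAcl()->allow('guest', 'report', 'view', $failing));
```

A conditional deny on the default rule replaces the unconditional default deny, so keeping the default untouched and attaching assertions to specific allow rules keeps the ACL closed when an assertion fails.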
