Examples
The following is a list of common use-case examples for Zend\Permissions\Rbac.
Roles
Extending and adding roles via instantiation.
```php
<?php
use Zend\Permissions\Rbac\Rbac;
use Zend\Permissions\Rbac\AbstractRole;

class MyRole extends AbstractRole
{
    // .. implementation
}

// Creating roles manually
$foo = new MyRole('foo');

$rbac = new Rbac();
$rbac->addRole($foo);

var_dump($rbac->hasRole('foo')); // true
```
Adding roles directly to RBAC with the default Zend\Permissions\Rbac\Role.
```php
<?php
use Zend\Permissions\Rbac\Rbac;

$rbac = new Rbac();
$rbac->addRole('foo');

var_dump($rbac->hasRole('foo')); // true
```
Handling roles with children.
```php
<?php
use Zend\Permissions\Rbac\Rbac;
use Zend\Permissions\Rbac\Role;

$rbac = new Rbac();
$foo  = new Role('foo');
$bar  = new Role('bar');

// 1 - Add a role with child role directly with instantiated classes.
$foo->addChild($bar);
$rbac->addRole($foo);

// 2 - Same as one, only via rbac container.
$rbac->addRole('boo', 'baz'); // baz is a parent of boo
$rbac->addRole('baz', array('out', 'of', 'roles')); // create several parents of baz
```
Permissions
```php
<?php
use Zend\Permissions\Rbac\Rbac;
use Zend\Permissions\Rbac\Role;

$rbac = new Rbac();
$foo  = new Role('foo');
$foo->addPermission('bar');

var_dump($foo->hasPermission('bar')); // true

$rbac->addRole($foo);
$rbac->isGranted('foo', 'bar'); // true
$rbac->isGranted('foo', 'baz'); // false

$rbac->getRole('foo')->addPermission('baz');
$rbac->isGranted('foo', 'baz'); // true
```
Dynamic Assertions
Checking permission using isGranted() with a class implementing Zend\Permissions\Rbac\AssertionInterface.
```php
<?php
use Zend\Permissions\Rbac\AssertionInterface;
use Zend\Permissions\Rbac\Rbac;

class AssertUserIdMatches implements AssertionInterface
{
    protected $userId;
    protected $article;

    public function __construct($userId)
    {
        $this->userId = $userId;
    }

    public function setArticle($article)
    {
        $this->article = $article;
    }

    public function assert(Rbac $rbac)
    {
        // Deny when no article has been set
        if (!$this->article) {
            return false;
        }
        return $this->userId == $this->article->getUserId();
    }
}

// User is assigned the foo role with id 5
// News article belongs to userId 5
// Jazz article belongs to userId 6

$rbac = new Rbac();
$user = $mySessionObject->getUser();
$news = $articleService->getArticle(5);
$jazz = $articleService->getArticle(6);

$rbac->addRole($user->getRole());
$rbac->getRole($user->getRole())->addPermission('edit.article');

$assertion = new AssertUserIdMatches($user->getId());
$assertion->setArticle($news);

// true always - bad!
if ($rbac->isGranted($user->getRole(), 'edit.article')) {
    // hacks another user's article
}

// true for user id 5, because he belongs to write group and user id matches
if ($rbac->isGranted($user->getRole(), 'edit.article', $assertion)) {
    // edits his own article
}

$assertion->setArticle($jazz);

// false for user id 5
if ($rbac->isGranted($user->getRole(), 'edit.article', $assertion)) {
    // can not edit another user's article
}
```
Performing the same as above with a Closure.
```php
<?php
// assume same variables from previous example

$assertion = function($rbac) use ($user, $news) {
    return $user->getId() == $news->getUserId();
};

// true
if ($rbac->isGranted($user->getRole(), 'edit.article', $assertion)) {
    // edits his own article
}
```
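The ownership check from this section, packaged so that application code has a single entry point that always passes the assertion to isGranted(). This is an added example, not code from the Zend Framework documentation. OwnsArticle and canEditArticle() are hypothetical names, the Composer autoload path is an assumption, and the assertion follows the assert(Rbac $rbac) signature shown on this page.

```php
<?php
// Added example. Assumes Zend\Permissions\Rbac is installed via Composer.
require 'vendor/autoload.php';

use Zend\Permissions\Rbac\AssertionInterface;
use Zend\Permissions\Rbac\Rbac;

// Hypothetical assertion: both ids are fixed at construction, so it cannot be
// evaluated with no article set or against a previously set article.
final class OwnsArticle implements AssertionInterface
{
    private $userId;
    private $ownerId;

    public function __construct($userId, $ownerId)
    {
        $this->userId  = $userId;
        $this->ownerId = $ownerId;
    }

    public function assert(Rbac $rbac)
    {
        // Fail closed: only integers and non-empty strings are accepted as ids.
        foreach (array($this->userId, $this->ownerId) as $id) {
            if (!is_int($id) && !(is_string($id) && $id !== '')) {
                return false;
            }
        }
        // Compare as strings with === so loose-comparison type juggling cannot match.
        return (string) $this->userId === (string) $this->ownerId;
    }
}

// Hypothetical guard: the one place that asks "may this user edit this article?".
function canEditArticle(Rbac $rbac, $roleName, $userId, $articleOwnerId)
{
    if (!$rbac->hasRole($roleName)) {
        return false; // unknown role: deny explicitly
    }
    return $rbac->isGranted($roleName, 'edit.article', new OwnsArticle($userId, $articleOwnerId));
}

// Constructed sample data: role "foo" may edit articles; user 5 is the caller.
$rbac = new Rbac();
$rbac->addRole('foo');
$rbac->getRole('foo')->addPermission('edit.article');
// Cases: own article, another user's article, unknown owner, unregistered role.
foreach (array(array('foo', 5, 5), array('foo', 5, 6), array('foo', 5, null), array('guest', 5, 5)) as $c) {
    var_dump(canEditArticle($rbac, $c[0], $c[1], $c[2]));
}
```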