如何组织和管理ACL? [英] How to organize and manage an ACL?

问题描述

以 Zend_ACL 为例，我想知道如何这应该针对一个项目进行组织.当然，这个例子很好看又很整洁，但是实际站点要复杂得多.

Taking the Zend_ACL as my example, I'm wondering how this should be organized for a project. Sure the example is all nice and neat, but a real site is much more complex.

$acl = new Zend_Acl();

$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('member'));
$acl->addRole(new Zend_Acl_Role('admin'));

$parents = array('guest', 'member', 'admin');

$acl->addRole(new Zend_Acl_Role('someUser'), $parents);

$acl->add(new Zend_Acl_Resource('someResource'));
$acl->deny('guest', 'someResource');
$acl->allow('member', 'someResource');

echo ($acl->isAllowed('guest', 'someResource') ? 'allowed' : 'denied');

鉴于我站点上的每个控制器/页面都将进行某种访问检查，因此我需要规则在全球范围内可用.这是否意味着我需要创建一个庞大的配置文件或类来设置加载时的所有规则?那不会浪费很多内存吗?

Given that each controller/page on my site will have some kind of access checking I need the rules to be globally available. Does this mean that I need to create a massive config file or class to setup all the rules on load? Wouldn't that waste a lot of memory?

但是，如果我仅设置每个控制器所需的规则，这些规则将违反ACL的目的，对吗?使用ACL的主要原因是为了避免这样的权限分散在整个代码库中:

Yet if I only setup the rules needed for each controller that would defeat the purpose of the ACL right? The main reason for using a ACL is to avoid having permissions spread throughout the codebase like this:

Admin_Controller
{
    public function action()
    {
        if($user->role !== 'admin')
        {
            die('not allowed');
        }
    }
}

那变化呢?如果ACL规则存储在管理员可以轻松更改权限的数据库中，该怎么办.是否应该在每个页面请求中都下载它们?那样会给系统带来沉重负担吗?

What about changes? What if the ACL rules are stored in a database where an administrator can easily change permissions. Should they all be downloaded each page request? Wouldn't that put a large burden on the system?

简而言之，ACL在大型站点上如何工作?发生什么问题?层叠权限如何处理?

推荐答案

您可以将角色存储在数据库中，并使用memcache将对象缓存在内存中，这样，您只需在添加新角色时查询数据库，或者改变了.就实现ACL而言，由于将在系统范围内使用它，因此您可以在Bootstrap.php文件中对其进行初始化，然后将该对象存储在Zend_Registry中，以便整个应用程序都可以访问它.

You could store the roles in a database and cache the object in memory using memcache so that you'd only have to query the db when new roles are added or changed. As far as implementing the ACL, since it'll be used system-wide, you can initialize it in your Bootstrap.php file and then store the object in Zend_Registry so that it is accessible to your whole app.

应用这些规则可能会发生在不同的地方.您可能要在自定义路由器中或在控制器级别的更高级别上应用路由.如果扩展Zend_Controller_Action，则可以将ACL规则放在此主控制器中，从该主控制器中派生出其他所有控制器.您可以在_init()方法中检查ACL权限.系统中可能还有其他地方需要ACL或要对其进行检查，这取决于构建它的方式和方式(这就是将ACL存储在注册表中的原因).

Applying these rules can happen at various points. You may want to apply the routes in a custom router or perhaps at a higher level at the controller level. If you extend Zend_Controller_Action, you can put your ACL rules in this master controller from which every other controller is derived. You can check ACL permissions in the _init() method. There maybe other points in the system where you need the ACL or would want to check it, depending on what and how you're building it (that's why you're storing the ACL in the registry).

这篇关于如何组织和管理ACL?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！