From 226eb50a79ba08771feeb81534cb05111a56cc0a Mon Sep 17 00:00:00 2001 From: Tom H Anderson Date: Tue, 27 Mar 2018 16:14:06 -0600 Subject: [PATCH 1/2] Refactor of LIFO/FILO role parents --- docs/book/usage.md | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/docs/book/usage.md b/docs/book/usage.md index 90fa4ea..ade4de2 100644 --- a/docs/book/usage.md +++ b/docs/book/usage.md @@ -103,10 +103,26 @@ having inherited conflicting rules from different parent roles. rule that is directly applicable to the query. In this case, since the "member" role is examined before the "guest" role, the example code would print "allowed". -> #### LIFO Order for role queries -> -> When specifying multiple parents for a role, keep in mind that the last parent listed is the first -> one searched for rules applicable to an authorization query. + +### LIFO/FILO order for Role parents + +When specifying multiple parents for a role the last parent listed is the first +one searched for rules applicable to an authorization query. This Last-In-First-Out +(aka First-In-Last-Out) strategy is represented with this example. +Here the `first` role is the highest order: + +``` +$acl->addRole(new Role('first'), ['last', 'third', 'second']); +``` + +Less-permissioned roles will be first in the parents array. For instance, where a`guest` +role is unauthenticated, a `user` role is authenticated, and an `admin` role has the highest +permissions, adding the `admin` role is as follows: + +``` +$acl->addRole(new Role('admin'), ['guest', 'user']); +``` + ## Creating the Access Control List From 9adcae0dfbf81072f802f89a012b5886197aa2fc Mon Sep 17 00:00:00 2001 From: Tom H Anderson Date: Tue, 1 May 2018 22:48:07 -0600 Subject: [PATCH 2/2] Changes as requested per mwop --- docs/book/usage.md | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/docs/book/usage.md b/docs/book/usage.md index ade4de2..30ef8fb 100644 
--- a/docs/book/usage.md +++ b/docs/book/usage.md @@ -104,22 +104,38 @@ rule that is directly applicable to the query. In this case, since the "member" before the "guest" role, the example code would print "allowed". -### LIFO/FILO order for Role parents +### LIFO order for Role parents When specifying multiple parents for a role the last parent listed is the first -one searched for rules applicable to an authorization query. This Last-In-First-Out -(aka First-In-Last-Out) strategy is represented with this example. -Here the `first` role is the highest order: +one searched for rules applicable to an authorization query. This Last-In-First-Out strategy is represented with this example. +Here the `first` role inherits from `second`, `third`, and `last` and is the most permissioned role: +```php +use Zend\Permissions\Acl\Acl; +use Zend\Permissions\Acl\Role\GenericRole as Role; +use Zend\Permissions\Acl\Resource\GenericResource as Resource; + +$acl = new Acl(); + +$acl->addRole(new Role('last')) + ->addRole(new Role('third')) + ->addRole(new Role('second')); -``` $acl->addRole(new Role('first'), ['last', 'third', 'second']); + +$acl->addResource(new Resource('someResource')); + +$acl->deny('last', 'someResource'); +$acl->allow('third', 'someResource'); + +// allowed +echo $acl->isAllowed('first', 'someResource') ? 'allowed' : 'denied'; ``` -Less-permissioned roles will be first in the parents array. For instance, where a`guest` +Less-permissioned roles will be first in the parents array. For instance, where a`guest` role is unauthenticated, a `user` role is authenticated, and an `admin` role has the highest -permissions, adding the `admin` role is as follows: +permissions. As soon as any ACL query returns false evaluation of `isAllowed` is terminated and false is returned. For this reason your least permissioned roles come first in the parents array. Adding the `admin` role is as follows: -``` +```php $acl->addRole(new Role('admin'), ['guest', 'user']); ```
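Review bot: in the PATCH 1/2 hunk, the new "LIFO/FILO order for Role parents" section registers `first` with parents `last`, `third` and `second` that the snippet never adds to the ACL, so the example cannot run as shown; add the three `addRole()` calls before `$acl->addRole(new Role('first'), ['last', 'third', 'second']);` and tag both fences as `php` so they render and are greppable like the other snippets. Two smaller points in the same hunk: "Here the `first` role is the highest order" does not say what "order" means (say that `first` is the most permissioned role, since its rules are found before its parents' are), and "where a`guest`" is missing the space before the backtick.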
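Review bot: in the PATCH 2/2 hunk, the added sentence "As soon as any ACL query returns false evaluation of `isAllowed` is terminated and false is returned." does not describe the behaviour the surrounding text and this hunk's own example show. The context above says the "member" role is examined before "guest" and the result is "allowed", and in the new example `$acl->deny('last', 'someResource');` is never reached because `$acl->allow('third', 'someResource');` is found first, printing "allowed". The rule is therefore: parents are searched from the last-listed to the first-listed, and the first applicable rule found, allow or deny, decides the result; a deny on an earlier-listed parent cannot override an allow on a later-listed one. Please state it that way, and say explicitly that this is why the least-permissioned roles go first, since readers will otherwise assume a deny anywhere in the parent list is enforced. Also in this hunk: "where a`guest` role is unauthenticated, a `user` role is authenticated, and an `admin` role has the highest permissions." is now a sentence fragment after the split, "a`guest`" still lacks the space carried over from the previous version, and "returns false evaluation" needs a comma after "false".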