Zend Framework

Zend_Acl : debug for inheritance of rules : get source from used rule

Details

  • Type: Community Driven Feature
  • Status: Open
  • Priority: Trivial
  • Resolution: Unresolved
  • Affects Version/s: 0.8.0
  • Fix Version/s: Next Minor Release
  • Component/s: Zend_Acl
  • Labels:
    None
  • Fix Version Priority:
    Nice to Have

Description

hello,

The Zend_Acl system for inheriting the rules to be applied is powerful because it allows inheriting rules from multiple parents.
The drawback of this mechanism is that the Acl is like a black box returning the 'last inserted' rule.

When debugging an application, or even during normal usage, it can be very informative for the users to be informed which rules have been applied.
Following a previous discussion with Darby Felton :
Consider the following code:

<?php
require_once 'Zend/Acl.php';
$acl = new Zend_Acl();

// Three base roles with no parents
require_once 'Zend/Acl/Role.php';
$acl->addRole(new Zend_Acl_Role('guest'))
    ->addRole(new Zend_Acl_Role('member'))
    ->addRole(new Zend_Acl_Role('admin'));

// someUser inherits from all three; the last parent listed is searched first
$parents = array('guest', 'member', 'admin');
$acl->addRole(new Zend_Acl_Role('someUser'), $parents);

require_once 'Zend/Acl/Resource.php';
$acl->add(new Zend_Acl_Resource('someResource'));

$acl->deny('guest', 'someResource');
$acl->allow('member', 'someResource');

// someUser has no rule of its own, so the answer comes from one of its parents
echo $acl->isAllowed('someUser', 'someResource') ? 'allowed' : 'denied';
?>

So, the printed result should be 'Allowed' since the rules are checked as
admin => no rule
member => allowed
===> exit (guest is not processed)

The problem is then to know that the 'allowed' result actually comes from the 'member' Role, not from 'Guest' nor 'Admin'.
My suggestion is then to allow a debug output (or whatever its name) that could return an array as:

[0]function isAllowed on 'guest' 'someResource': check for specific rule: none
[1]function isAllowed on 'guest' 'someResource': check for rule on parent 'admin' : none
[2]function isAllowed on 'guest' 'someResource': check for rule on parent 'member' : 'allowed' returning this value
[3]end of processing

This would be very very helpful when debugging an application!!

The developers will benefit from this because they will be able to follow the complete logical commands operating their application
The users will benefit because they can be informed why a resource is not available, and react accordingly (ask privileges to the admins, change the access rules, etc)

I believe this would be quite simple to achieve as this only reflects the way Acl did the processing (inside some kinds of loops, I guess).

Your comments are welcome.

Vincent

  1. acl.diff
    02/Dec/09 4:58 AM
    5 kB
    Daniel Fullarton
  2. logtest.php
    06/Oct/09 11:33 PM
    0.9 kB
    Daniel Fullarton

Activity

Darby Felton added a comment -

I really like this idea! How better to illustrate the way inheritance works in Zend_Acl than by providing dynamic feedback from working with your own data? I also think it would be quite simple to build this into Zend_Acl.

Thanks, Vincent, for the suggestions!

Wil Sinclair added a comment -

This doesn't appear to have been fixed in 1.5.0. Please update if this is not correct.

Wil Sinclair added a comment -

Assigning to Ralph to get closure on this issue.

Ralph Schindler added a comment -

If we are to support this, it should be done by adding a Zend_Log instance to the $acl object.

I would support this if the API included a setLogger(Zend_Log $logger); method, and then if internal methods used an INFO level log to output information from within the ACL.

Thoughts?

Torio Farazdagi added a comment -

Ralph,
Nice idea. That would create a cleaner and understandable API. Having attached logger instead of "debug" method should be a preferred solution.

Ralph Schindler added a comment -

While this is a worthwhile feature, the ZF team will not develop this feature, but if a community member would like to pick up and develop it, they may make an assignment of it.

Daniel Fullarton added a comment -

This sounded like a great idea, so I whipped something up today.
Following Ralph's suggestion this adds a setLogger public method and changes the DFS searches to log to it.

See logtest.php for a quick demonstration.
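
The logger-based decision trace discussed in this thread, as an added stand-alone example (it is not the attached acl.diff or logtest.php, and not Zend_Acl code): a minimal role ACL whose explain() reports which role supplied the deciding rule. TracingAcl, explain(), a setLogger() that takes a callable, and the message wording are assumptions made for illustration; privileges and resource inheritance are left out.

```php
<?php
// Added illustration: a minimal stand-alone ACL, not Zend_Acl itself.
// TracingAcl, explain() and the message wording are hypothetical.
class TracingAcl
{
    private $parents = array();  // role => parent roles, in the order given
    private $rules   = array();  // role => array(resource => bool)
    private $logger  = null;     // callable receiving one message per step

    public function setLogger($logger) { $this->logger = $logger; return $this; }
    public function addRole($role, array $parents = array()) { $this->parents[$role] = $parents; return $this; }
    public function allow($role, $resource) { $this->rules[$role][$resource] = true;  return $this; }
    public function deny($role, $resource)  { $this->rules[$role][$resource] = false; return $this; }

    // Returns array('allowed' => bool, 'source' => role that supplied the rule, or null).
    public function explain($role, $resource)
    {
        $stack = array($role);
        $seen  = array();
        while ($stack) {
            $current = array_pop($stack);
            if (isset($seen[$current])) { continue; }
            $seen[$current] = true;
            if (isset($this->rules[$current][$resource])) {
                $allowed = $this->rules[$current][$resource];
                $this->log("$role on $resource: rule on '$current': " . ($allowed ? 'allowed' : 'denied') . ', returning');
                return array('allowed' => $allowed, 'source' => $current);
            }
            $this->log("$role on $resource: rule on '$current': none");
            // Push parents in the given order so the last-listed parent is popped first (depth-first).
            $parents = isset($this->parents[$current]) ? $this->parents[$current] : array();
            foreach ($parents as $parent) { $stack[] = $parent; }
        }
        $this->log("$role on $resource: no rule found, default deny");
        return array('allowed' => false, 'source' => null);
    }

    private function log($message) { if ($this->logger) { call_user_func($this->logger, $message); } }
}

// Same roles and rules as the issue description (constructed sample data).
$trace = array();
$acl = new TracingAcl();
$acl->setLogger(function ($m) use (&$trace) { $trace[] = $m; })
    ->addRole('guest')->addRole('member')->addRole('admin')
    ->addRole('someUser', array('guest', 'member', 'admin'))
    ->deny('guest', 'someResource')->allow('member', 'someResource');
$result = $acl->explain('someUser', 'someResource');
print_r($trace);
echo $result['allowed'] ? 'allowed' : 'denied', ' via ', $result['source'], "\n";
```

For someUser the trace records no rule on someUser or admin, then the allow on member, so the deny on guest is never consulted; the same trace doubles as an audit record of why access was granted.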

Torio Farazdagi added a comment -

Daniel,
You provided Zend_Log - in place I suppose of Zend_Acl (that would actually send messages to assigned Zend_Log) instance. Or am I missing something?

Daniel Fullarton added a comment -

Sorry about that Torio, wasn't paying enough attention last night. Here's the Acl.php that you actually need.

Daniel Fullarton added a comment -

added a svn diff for the change.

