ZF-984: Zend_Acl : debug for inheritance of rules : get source from used rule
The Zend_Acl system for inheriting the rules to be applied is powerful because it allows inheriting rules from multiple parents. The drawback of this mechanism is that the Acl is like a black box returning the 'last inserted' rule.
When debugging an application, or even during normal usage, it can be very informative for the users to be told which rules have been applied. Following a previous discussion with Darby Felton, consider the following code:

    <?php
    require_once 'Zend/Acl.php';
    $acl = new Zend_Acl();

    // Three base roles, then one role that inherits from all of them
    require_once 'Zend/Acl/Role.php';
    $acl->addRole(new Zend_Acl_Role('guest'))
        ->addRole(new Zend_Acl_Role('member'))
        ->addRole(new Zend_Acl_Role('admin'));

    $parents = array('guest', 'member', 'admin');
    $acl->addRole(new Zend_Acl_Role('someUser'), $parents);

    require_once 'Zend/Acl/Resource.php';
    $acl->add(new Zend_Acl_Resource('someResource'));

    // Conflicting rules on two of the parents
    $acl->deny('guest', 'someResource');
    $acl->allow('member', 'someResource');

    echo $acl->isAllowed('guest', 'someResource') ? 'allowed' : 'denied';
    ?>
So, the printed result should be 'Allowed', since the rules are checked as:

    admin  => no rule
    member => allowed ===> exit (guest is not processed)
The problem is then to know that the 'allowed' result actually comes from the 'member' role, not from 'guest' nor 'admin'. My suggestion is then to allow a debug output (or whatever its name) that could return an array such as:

    [0] function isAllowed on 'guest' 'someResource': check for specific rule: none
    function isAllowed on 'guest' 'someResource': check for rule on parent 'admin' : none
    function isAllowed on 'guest' 'someResource': check for rule on parent 'member' : 'allowed'
    returning this value
    end of processing

This would be very, very helpful when debugging an application!!
The developers will benefit from this because they will be able to follow the complete logical commands operating their application. The users will benefit because they can be informed why a resource is not available, and react accordingly (ask the admins for privileges, change the access rules, etc.).
I believe this would be quite simple to achieve, as this only reflects the way Acl did the processing (inside some kinds of loops, I guess).
Your comments are welcome.
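
The kind of trace requested above, as an added example that is not part of the original report and not Zend_Acl's own code: a minimal stand-alone model of multi-parent rule lookup that returns the decision together with the role that supplied it. The class `TracingAcl` and its `explain()` method are hypothetical names; the model assumes most-recently-added parent first, first rule found wins, and deny when no rule exists, and it queries `someUser`, the role that has the three parents.

```php
<?php
// Added illustration: simplified model, not the Zend_Acl implementation.
final class TracingAcl
{
    private $parents = array(); // role => parent roles, in the order given
    private $rules   = array(); // role => resource => true (allow) / false (deny)

    public function addRole($role, array $parents = array())
    {
        foreach ($parents as $p) {
            if (!isset($this->parents[$p])) {
                throw new InvalidArgumentException("Unknown parent role '$p'");
            }
        }
        $this->parents[$role] = $parents;
        return $this;
    }
    public function allow($role, $res) { $this->rules[$role][$res] = true;  return $this; }
    public function deny($role, $res)  { $this->rules[$role][$res] = false; return $this; }

    // Returns the decision, the role whose rule decided it, and each step taken.
    public function explain($role, $res)
    {
        if (!isset($this->parents[$role])) {
            throw new InvalidArgumentException("Unknown role '$role'");
        }
        $trace = array(); $seen = array(); $stack = array($role);
        while ($stack) {
            $cur = array_pop($stack);            // last-added parent is popped first
            if (isset($seen[$cur])) { continue; } // shared ancestors are visited once
            $seen[$cur] = true;
            if (isset($this->rules[$cur][$res])) {
                $allowed = $this->rules[$cur][$res];
                $trace[] = "rule on '$cur': " . ($allowed ? 'allowed' : 'denied') . ', end of processing';
                return array('allowed' => $allowed, 'source' => $cur, 'trace' => $trace);
            }
            $trace[] = "rule on '$cur': none";
            foreach ($this->parents[$cur] as $p) { $stack[] = $p; }
        }
        $trace[] = 'no rule found on any role: default deny';
        return array('allowed' => false, 'source' => null, 'trace' => $trace);
    }
}

// The role and rule setup from the report, queried for the inheriting role.
$acl = new TracingAcl();
$acl->addRole('guest')->addRole('member')->addRole('admin')
    ->addRole('someUser', array('guest', 'member', 'admin'));
$acl->deny('guest', 'someResource')->allow('member', 'someResource');
print_r($acl->explain('someUser', 'someResource'));
```

Logging the `source` and `trace` fields next to each authorization decision gives an audit record of why access was granted or refused, which is also what makes an unintended allow inherited from a parent role visible during review.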