Manage resources and rules in separate registries

As roles are already managed in a registry, resources and rules should be as well. This allows easy swapping of them for things like persistent storage. The acl should still act as facade to keep things consistent.

Multiple resource inheritance

I did never understand why resources may only inherit from one other resource. Although I don't have a use case at my fingertips this might be useful for someone.

Implementation

As at least PHP 5.3.0 will be required this component should make great use of the SPL (stack and queue). See http://pastebin.com/f4e9a7db5 for an excerpt from my implementation (used arrays to keep things backwards compatible).

Some time has passed since I've written this thing and I'm currently not up-to-date on implementations (hopefully will have more time from now/soon on) so I will note other small things as soon as I updated myself.

I concur on multiple inheritance for a resource. We need to do workarounds so the ACL work without them...

A user belonging to multiple roles is a common implementation of RBAC. I think we can modify Zend_Acl_Role_Interface to have the method getRoleIds() instead of having getRole() method.

And then we could iterate each role to check if access is allowed.