The $ENTRADA_ACL object is available throughout Elentra for any logged-in user, and it's as easy to use as this:
$acl object calling it, the $resource the permission applies to, and the $privilege being queried. This allows you to create arbitrary code to check virtually anything about the resource or the role the permission applies to. For example, you are able to create an assertion to check if a role representing a user is the director of a course, or if the role has permission to view this user's photo based on the owner's privacy setting. Passing the appropriate information to the assertion can be complicated, but once the assertion and accompanying classes are written, one-line permission checks can be used everywhere else in the code that relies on the same logic.
assert method signature is this:
assert will never be passed an actual string as role or resource, because the ACL converts a string to a basic Zend_Acl_Role or Zend_Acl_Resource object before passing them to the assertion. However, these classes only have one method that returns the role's or resource's identifier, and no other functionality. Within the assertion, the role's or resource's string identifier
getResourceId method (which is required by the interface) would return something like "course5".
$organisation_id, which can be accessed cleanly and then are used in the actual assertion.
amIAllowed($role, $resource, $privilege); method. For convenience's sake, an amIAllowed($resource, $privilege); method has been written to do the permissions query using the currently authenticated user as the role. It is also permissions-mask aware, so it can be called anywhere in the application to do a permissions query for the user viewing the page.
resourceorganisation1 (representing them), but not give any permissions to Postgraduate Medicine. In combination with the ResourceOrganisationAssertion, this effectively means students within Undergraduate Medicine can "read" resources belonging to Undergraduate Medicine, and users in Postgraduate Medicine cannot.
amIAllowed method. If the resource object has an $resource->organisation_id member, the assertion will use this. It can also accept resources with $resource->event_id defined; however, if this is all the information it's given, it must perform a query to grab the organisation_id, which can become expensive. It is recommended to pass the ResourceOrganisationAssertion a resource with
$role to perform the $privilege on the resourceorganisation resource representing the organisation of the original resource. An example: A user from Postgraduate Medicine queries the ACL asking if it can read one of Undergraduate Medicine's courses. There is a rule in the database that says "everyone can read courses as long as they pass the ResourceOrganisationAssertion". In the database, this would look like this:
organisation1 (representing Undergraduate Medicine). This query returns false because Undergraduate Medicine hasn't granted anyone other than its own users read on its resourceorganisation resource, so the assertion returns false, the rule doesn't apply, and the user is denied access.
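
The walk-through above, as an added PHP 8 example that is not Elentra's or Zend's own code: a minimal stand-in ACL shows how an assertion-guarded rule re-queries the resourceorganisation resource, so the Undergraduate Medicine user is allowed and the Postgraduate Medicine user is denied. MiniAcl, AclResource, the Assertion interface, the role name organisation2 and the deny-when-organisation-unknown behaviour are assumptions made for this illustration.

```php
<?php
// Simplified stand-in for the ACL (constructed for illustration; not Zend_Acl or Elentra code).
interface Assertion {
    public function assert(MiniAcl $acl, string $role, AclResource $resource, string $privilege): bool;
}

class AclResource {
    public function __construct(public string $id, public ?int $organisation_id = null) {}
}

class MiniAcl {
    private array $rules = [];
    // $role === null means the rule applies to every role.
    public function allow(?string $role, string $resourceId, string $privilege, ?Assertion $assert = null): void {
        $this->rules[] = [$role, $resourceId, $privilege, $assert];
    }

    public function isAllowed(string $role, AclResource $resource, string $privilege): bool {
        foreach ($this->rules as [$ruleRole, $ruleResource, $rulePrivilege, $assert]) {
            $matches = ($ruleRole === null || $ruleRole === $role)
                && $ruleResource === $resource->id && $rulePrivilege === $privilege;
            // A rule carrying an assertion only applies when the assertion passes.
            if ($matches && ($assert === null || $assert->assert($this, $role, $resource, $privilege))) {
                return true;
            }
        }
        return false; // no applicable rule: deny
    }
}

class ResourceOrganisationAssertion implements Assertion {
    public function assert(MiniAcl $acl, string $role, AclResource $resource, string $privilege): bool {
        if ($resource->organisation_id === null) {
            return false; // assumption: deny when the organisation is unknown
        }
        // Re-ask the ACL about the resourceorganisation resource that owns the original resource.
        $owner = new AclResource('resourceorganisation' . $resource->organisation_id);
        return $acl->isAllowed($role, $owner, $privilege);
    }
}

$acl = new MiniAcl();
// "Everyone can read courses as long as they pass the ResourceOrganisationAssertion".
$acl->allow(null, 'course', 'read', new ResourceOrganisationAssertion());
// Undergraduate Medicine (organisation1) grants read only to its own users.
$acl->allow('organisation1', 'resourceorganisation1', 'read');
$course = new AclResource('course', 1); // a course owned by organisation 1
var_dump($acl->isAllowed('organisation1', $course, 'read')); // Undergraduate Medicine user
var_dump($acl->isAllowed('organisation2', $course, 'read')); // Postgraduate Medicine user (constructed role name)
```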