array $_resources = array() (line 82)

Resource tree

• access: protected

array $_rules = array(
'allResources' => array(
'allRoles' => array(
'allPrivileges' => array(
'type' => self::TYPE_DENY,
'assert' => null
),'byPrivilegeId'=>array()),'byRoleId'=>array()),'byResourceId'=>array()) (line 89)

ACL rules; whitelist (deny everything to all) by default

• access: protected

addRole (line 122)

Adds a Role having an identifier unique to the registry

The $parents parameter may be a reference to, or the string identifier for, a Role existing in the registry, or $parents may be passed as an array of these - mixing string identifiers and objects is ok - to indicate the Roles from which the newly added Role will directly inherit.

In order to resolve potential ambiguities with conflicting rules inherited from different parents, the most recently added parent takes precedence over parents that were previously added. In other words, the first parent added will have the least priority, and the last parent added will have the highest priority.

• return: Provides a fluent interface
• access: public
• uses: Zend_Acl_Role_Registry::add()

• Zend_Acl_Role_Interface $role
• Zend_Acl_Role_Interface|string|array $parents

deny (line 452)

Adds a "deny" rule to the ACL

• return: Provides a fluent interface
• access: public
• uses: Zend_Acl::setRule()

• Zend_Acl_Role_Interface|string|array $roles
• Zend_Acl_Resource_Interface|string|array $resources
• string|array $privileges
• Zend_Acl_Assert_Interface $assert

getRole (line 138)

Returns the identified Role

The $role parameter can either be a Role or Role identifier.

• access: public
• uses: Zend_Acl_Role_Registry::get()

• Zend_Acl_Role_Interface|string $role

hasRole (line 152)

Returns true if and only if the Role exists in the registry

The $role parameter can either be a Role or a Role identifier.

• access: public
• uses: Zend_Acl_Role_Registry::has()

• Zend_Acl_Role_Interface|string $role

inheritsRole (line 172)

Returns true if and only if $role inherits from $inherit

Both parameters may be either a Role or a Role identifier. If $onlyParents is true, then $role must inherit directly from $inherit in order to return true. By default, this method looks through the entire inheritance DAG to determine whether $role inherits from $inherit through its ancestor Roles.

• access: public
• uses: Zend_Acl_Role_Registry::inherits()

• Zend_Acl_Role_Interface|string $role
• Zend_Acl_Role_Interface|string $inherit
• boolean $onlyParents

remove (line 377)

Removes a Resource and all of its children

The $resource parameter can either be a Resource or a Resource identifier.

• return: Provides a fluent interface
• throws: Zend_Acl_Exception
• access: public

• Zend_Acl_Resource_Interface|string $resource

removeAllow (line 466)

Removes "allow" permissions from the ACL

• return: Provides a fluent interface
• access: public
• uses: Zend_Acl::setRule()

• Zend_Acl_Role_Interface|string|array $roles
• Zend_Acl_Resource_Interface|string|array $resources
• string|array $privileges

removeRole (line 186)

Removes the Role from the registry

The $role parameter can either be a Role or a Role identifier.

• return: Provides a fluent interface
• access: public
• uses: Zend_Acl_Role_Registry::remove()

• Zend_Acl_Role_Interface|string $role

setRule (line 537)

Performs operations on ACL rules

The $operation parameter may be either OP_ADD or OP_REMOVE, depending on whether the user wants to add or remove a rule, respectively:

OP_ADD specifics:

A rule is added that would allow one or more Roles access to [certain $privileges upon] the specified Resource(s).

OP_REMOVE specifics:

The rule is removed only in the context of the given Roles, Resources, and privileges. Existing rules to which the remove operation does not apply would remain in the ACL.

The $type parameter may be either TYPE_ALLOW or TYPE_DENY, depending on whether the rule is intended to allow or deny permission, respectively.

The $roles and $resources parameters may be references to, or the string identifiers for, existing Resources/Roles, or they may be passed as arrays of these - mixing string identifiers and objects is ok - to indicate the Resources and Roles to which the rule applies. If either $roles or $resources is null, then the rule applies to all Roles or all Resources, respectively. Both may be null in order to work with the default rule of the ACL.

The $privileges parameter may be used to further specify that the rule applies only to certain privileges upon the Resource(s) in question. This may be specified to be a single privilege with a string, and multiple privileges may be specified as an array of strings.

If $assert is provided, then its assert() method must return true in order for the rule to apply. If $assert is provided with $roles, $resources, and $privileges all equal to null, then a rule having a type of:

TYPE_ALLOW will imply a type of TYPE_DENY, and

TYPE_DENY will imply a type of TYPE_ALLOW

when the rule's assertion fails. This is because the ACL needs to provide expected behavior when an assertion upon the default ACL rule fails.

• return: Provides a fluent interface
• throws: Zend_Acl_Exception
• access: public
• usedby: Zend_Acl::removeAllow()
• usedby: Zend_Acl::removeDeny()
• usedby: Zend_Acl::deny()
• usedby: Zend_Acl::allow()
• uses: Zend_Acl::get()
• uses: Zend_Acl_Role_Registry::get()

• string $operation
• string $type
• Zend_Acl_Role_Interface|string|array $roles
• Zend_Acl_Resource_Interface|string|array $resources
• string|array $privileges
• Zend_Acl_Assert_Interface $assert

_getRules (line 957)

Returns the rules associated with a Resource and a Role, or null if no such rules exist

If either $resource or $role is null, this means that the rules returned are for all Resources or all Roles, respectively. Both can be null to return the default rule set for all Resources and all Roles.

If the $create parameter is true, then a rule set is first created and then returned to the caller.

• access: protected

• Zend_Acl_Resource_Interface $resource
• Zend_Acl_Role_Interface $role
• boolean $create

_roleDFSAllPrivileges (line 768)

Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule allowing/denying $role access to all privileges upon $resource

This method returns true if a rule is found and allows access. If a rule exists and denies access, then this method returns false. If no applicable rule is found, then this method returns null.

• access: protected

• Zend_Acl_Role_Interface $role
• Zend_Acl_Resource_Interface $resource

_roleDFSVisitAllPrivileges (line 803)

Visits an $role in order to look for a rule allowing/denying $role access to all privileges upon $resource

This method returns true if a rule is found and allows access. If a rule exists and denies access, then this method returns false. If no applicable rule is found, then this method returns null.

This method is used by the internal depth-first search algorithm and may modify the DFS data structure.

• access: protected

• Zend_Acl_Role_Interface $role
• Zend_Acl_Resource_Interface $resource
• array $dfs
• &$dfs

OP_ADD = 'OP_ADD' (line 63)

Rule operation: add

TYPE_ALLOW = 'TYPE_ALLOW' (line 53)

Rule type: allow