I'm pretty new to Zend Framework. I started learning it during a project I'm still working on for school. I'm a bit stuck on how to tackle an ACL coupled with my modular structure (which I really like), and researching on the internet didn't seem to yield the information I need. It is probably because I'm not very experienced with the framework yet, though, but I still thought I'd ask here. Thanks in advance!
At the moment, following most best practices I researched into, I created a modular structure, like so:
    application/
        modules/
            admin/
            default/
I use a plugin to control my ACL, like so (for the sake of simplicity/readability I only added a fraction):

    $acl = new Zend_Acl();

    // Roles: each role inherits from the one before it
    $acl->addRole(new Zend_Acl_Role('guest'))
        ->addRole(new Zend_Acl_Role('member'), 'guest')
        ->addRole(new Zend_Acl_Role('admin'), 'member');

    // Resources: controller names, with a module prefix for the admin module
    $acl->addResource(new Zend_Acl_Resource('index'))
        ->addResource(new Zend_Acl_Resource('admin:index'));

    // Rules: privileges are action names; admin is allowed everything
    $acl->allow('guest', 'index', array('index'))
        ->allow('member', 'index', array('userpanel'))
        ->allow('admin');
Anyway, the ACL is all working fine on the default module - even on the admin module, but the trouble arises when I have identical controller names and actions, for example:

This action will allow users to edit their own account

    Module: Default
    Controller: User
    Action: Edit

This action will allow an admin to edit any account

    Module: Admin
    Controller: User
    Action: Edit

When I set a rule into the ACL like this:

    $acl->allow('member', 'user', array('edit'));

The user will also be allowed to access the admin's edit page on the user controller. How do I tell the ACL that there's a difference between modules? I've seen many examples use "admin:user" instead of "user" as the controller/resource name when adding resources to the ACL. This doesn't seem to work when the controller and/or action names are identical, though.
So - the big question is: how do I solve this problem in my current situation, or how would you suggest I structure my application to avoid the problem altogether? I would rather not resort to using additional controller prefixes like "Admin_AdminUserController" or just removing the modules altogether and just making "adminEditAction" etc.
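
The "admin:user" naming mentioned in the question only keeps the two edit actions apart if the plugin builds the resource it checks from the request's module as well as its controller. One way to do that, as an added example that is not part of the original post: it assumes Zend Framework 1 is autoloaded, and the class name `My_Plugin_Acl`, the `role` property on the identity, and the `default`/`error`/`denied` target are hypothetical.

```php
<?php
// Added example, not the poster's plugin. Assumes Zend Framework 1 is autoloaded.
// Hypothetical: My_Plugin_Acl, identity->role, and the default/error/denied target.
class My_Plugin_Acl extends Zend_Controller_Plugin_Abstract
{
    private $_acl;

    public function __construct(Zend_Acl $acl)
    {
        $this->_acl = $acl;
    }

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        // Key the resource on module AND controller, so that default:user
        // and admin:user are two separate entries in the ACL.
        $resource  = $request->getModuleName() . ':' . $request->getControllerName();
        $privilege = $request->getActionName();

        $auth = Zend_Auth::getInstance();
        $role = $auth->hasIdentity() ? $auth->getIdentity()->role : 'guest';

        // Fail closed: an unregistered resource is denied, never retried under a shorter name.
        if (!$this->_acl->has($resource)
            || !$this->_acl->isAllowed($role, $resource, $privilege)) {
            $request->setModuleName('default')
                    ->setControllerName('error')
                    ->setActionName('denied');
        }
    }
}

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'))
    ->addRole(new Zend_Acl_Role('member'), 'guest')
    ->addRole(new Zend_Acl_Role('admin'), 'member');

$acl->addResource(new Zend_Acl_Resource('default:user'))
    ->addResource(new Zend_Acl_Resource('admin:user'));

// The member rule names the default module explicitly; admin keeps the blanket allow.
$acl->allow('member', 'default:user', array('edit'));
$acl->allow('admin');

var_dump($acl->isAllowed('member', 'default:user', 'edit')); // member editing own account
var_dump($acl->isAllowed('member', 'admin:user', 'edit'));   // member against the admin module
var_dump($acl->isAllowed('admin', 'admin:user', 'edit'));    // admin against the admin module
Zend_Controller_Front::getInstance()->registerPlugin(new My_Plugin_Acl($acl));
```

With this scheme every controller, including those in the default module, has to be registered under its module-qualified name, because the plugin denies any resource the ACL does not know.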