Zend Framework Blog » Zend_Mail http://blog.richardknop.com Zend Framework, PHP, Django, Python, SQL, MySQL, PostgreSQL, Oracle, PL/SQL, data model patterns, OOP, design patterns, JavaScript, jQuery, HTML, XHTML, CSS, XML, web services & APIs, Security, E-commerce and much more Sat, 04 Feb 2012 19:47:10 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 User login and authentication with Zend_Auth and Zend_Acl http://blog.richardknop.com/2009/06/user-login-and-authentication-with-zend_auth-and-zend_acl/ http://blog.richardknop.com/2009/06/user-login-and-authentication-with-zend_auth-and-zend_acl/#comments Tue, 23 Jun 2009 20:43:00 +0000 Richard Knop http://blog.richardknop.com/?p=369 Whether you are working on a content management system or almost any other type of application with member or admin area, user login and authentication is one of the most important tasks you will encounter. In this post I will show you how to combine Zend_Auth and Zend_Acl to create a flexible user system with different access levels.

Scenario is simple. Your application has three modules and each module needs to be accessible to users with different priviledges:

  1. ‘default’ module – accessible to all users and guests
  2. ‘member’ module – accessible only to registered users
  3. ‘admin’ module – accessible only to registered users with administrator priviledges

I will go step by step and explain all parts in depth:

  • database table and model
  • registration form
  • registration controller action
  • login form
  • login controller action
  • logout controller action
  • authentication controller plugin
  • recommended reading

Database table and model

Let’s create a database table that will store all users:

CREATE TABLE users (
id INT NOT NULL AUTO_INCREMENT,
first_name VARCHAR(255) NOT NULL,
last_name VARCHAR(255) NOT NULL,
email VARCHAR(255) NOT NULL,
username VARCHAR(255) NOT NULL,
password_hash VARCHAR(255) NOT NULL,
role VARCHAR(255) NOT NULL,
status VARCHAR(255) NOT NULL,
INDEX (first_name),
INDEX (last_name),
INDEX (username),
INDEX (email),
PRIMARY KEY (id)
) ENGINE = INNODB;

The ‘role’ column will hold a user access level, for example: ‘user’, ‘administrator’ etc. The ‘status’ column could have ‘pending’ and ‘approved’ possible values which would allow administrators to approve freshly registered users before they could access private parts of the website.

I put INDEX on ‘first_name’, ‘last_name’, ‘username’ and ‘email’ fields because are often be used instead of the ‘id’ to fetch a single user.

You will also need a model representing the table. Here is a very simple model, in a real-life application you will certainly need more methods (for editing and removing users etc):

  1. class Users extends Zend_Db_Table_Abstract
  2. {
  3.     public function add(array $data)
  4.     {
  5.         $data['password_hash'] = $data['salt'] . sha1($data['salt'] . $data['password']);
  6.         unset($data['password'], $data['salt']);
  7.         return $this->insert($data);
  8.     }
  9.  
  10.     public function getSingleWithUsername($username)
  11.     {
  12.         $select = $this->select();
  13.         $where = $this->getAdapter()->quoteInto('username = ?', $username);
  14.         $select->where($where);
  15.         return $this->fetchRow($select);
  16.     }
  17.  
  18.     public function getSingleWithEmail($email)
  19.     {
  20.         $select = $this->select();
  21.         $where = $this->getAdapter()->quoteInto('email = ?', $email);
  22.         $select->where($where);
  23.         return $this->fetchRow($select);
  24.     }
  25.  
  26.     public function getSingleWithEmailHash($hash)
  27.     {
  28.         $select = $this->select();
  29.         $where = $this->getAdapter()->quoteInto('SHA1(email) = ?', $hash);
  30.         $select->where($where);
  31.         return $this->fetchRow($select);
  32.     }
  33. }

Notice this line in the add() method:

  1. $data['password_hash'] = $data['salt'] . sha1($data['salt'] . $data['password']);

What it does is it first prepends the salt to the plain text password and then create an sha1 hash which can be safely stored in the database.

Registration form

Unless you want to create user accounts manually you should allow guests to register. The registration form:

  1. class Register extends Zend_Form
  2. {
  3.     private $elementDecorators = array(
  4.         'ViewHelper',
  5.         array(array('data' => 'HtmlTag'), array('tag' => 'div', 'class' => 'element')),
  6.         'Label',
  7.         array(array('row' => 'HtmlTag'), array('tag' => 'li')),
  8.     );
  9.  
  10.     private $buttonDecorators = array(
  11.         'ViewHelper',
  12.         array(array('data' => 'HtmlTag'), array('tag' => 'div', 'class' => 'button')),
  13.         array(array('row' => 'HtmlTag'), array('tag' => 'li')),
  14.     );
  15.  
  16.     public function init()
  17.     {
  18.         $this->setMethod('post');
  19.  
  20.         $firstName = new Zend_Form_Element_Text('first_name', array(
  21.             'decorators' => $this->elementDecorators,
  22.             'label' => 'First name',
  23.             'required' => true,
  24.             'filters' => array(
  25.                 'StringTrim'
  26.             ),
  27.             'validators' => array(
  28.                 array('StringLength', false, array(2, 50))
  29.             ),
  30.             'class' => 'input-text'
  31.         ));
  32.  
  33.         $lastName = new Zend_Form_Element_Text('last_name', array(
  34.             'decorators' => $this->elementDecorators,
  35.             'label' => 'First name',
  36.             'required' => true,
  37.             'filters' => array(
  38.                 'StringTrim'
  39.             ),
  40.             'validators' => array(
  41.                 array('StringLength', false, array(2, 50))
  42.             ),
  43.             'class' => 'input-text'
  44.         ));
  45.  
  46.         $email = new Zend_Form_Element_Text('email', array(
  47.             'decorators' => $this->elementDecorators,
  48.             'label' => 'Email',
  49.             'required' => true,
  50.             'filters' => array(
  51.                 'StringTrim'
  52.             ),
  53.             'validators' => array(
  54.                 'EmailAddress'
  55.             ),
  56.             'class' => 'input-text'
  57.         ));
  58.  
  59.         $emailAgain = new Zend_Form_Element_Text('emailAgain', array(
  60.             'decorators' => $this->elementDecorators,
  61.             'label' => 'Email again',
  62.             'required' => true,
  63.             'filters' => array(
  64.                 'StringTrim'
  65.             ),
  66.             'validators' => array(
  67.                 'EmailAddress'
  68.             ),
  69.             'class' => 'input-text'
  70.         ));
  71.  
  72.         $username = new Zend_Form_Element_Text('username', array(
  73.             'decorators' => $this->elementDecorators,
  74.             'label' => 'Username',
  75.             'required' => true,
  76.             'filters' => array(
  77.                 'StringTrim'
  78.             ),
  79.             'validators' => array(
  80.                 array('StringLength', false, array(3, 50))
  81.             ),
  82.             'class' => 'input-text'
  83.         ));
  84.  
  85.         $password = new Zend_Form_Element_Password('password', array(
  86.             'decorators' => $this->elementDecorators,
  87.             'label' => 'Password',
  88.             'required' => true,
  89.             'filters' => array(
  90.                 'StringTrim'
  91.             ),
  92.             'validators' => array(
  93.                 array('StringLength', false, array(6, 50))
  94.             ),
  95.             'class' => 'input-password'
  96.         ));
  97.  
  98.         $passwordAgain = new Zend_Form_Element_Password('passwordAgain', array(
  99.             'decorators' => $this->elementDecorators,
  100.             'label' => 'Password again',
  101.             'required' => true,
  102.             'filters' => array(
  103.                 'StringTrim'
  104.             ),
  105.             'validators' => array(
  106.                 array('StringLength', false, array(6, 50))
  107.             ),
  108.             'class' => 'input-password'
  109.         ));
  110.  
  111.         $submit = new Zend_Form_Element_Submit('register', array(
  112.             'decorators' => $this->buttonDecorators,
  113.             'label' => 'Register',
  114.             'class' => 'input-submit'
  115.         ));
  116.  
  117.         $this->addElements(array(
  118.             $firstName,
  119.             $lastName,
  120.             $email,
  121.             $emailAgain,
  122.             $username,
  123.             $password,
  124.             $passwordAgain,
  125.             $submit
  126.         ));
  127.     }
  128.  
  129.     public function loadDefaultDecorators()
  130.     {
  131.         $this->setDecorators(array(
  132.             'FormErrors',
  133.             'FormElements',
  134.             array('HtmlTag', array('tag' => 'ol')),
  135.             'Form'
  136.         ));
  137.     }
  138. }

The form is straightforward – a single form element per table column (except ‘id’, ‘role’ and ‘status’). I always use my custom decorators which produce the markup I want.

Registration controller action

  1. public function registerAction()
  2. {
  3.     // redirect logged in users
  4.     if (Zend_Registry::getInstance()->get('auth')->hasIdentity()) {
  5.         $this->_redirect('/');
  6.     }
  7.  
  8.     $request = $this->getRequest();
  9.     $users = $this->_getTable('Users');
  10.  
  11.     $form = $this->_getForm('Register',
  12.                             $this->_helper->url('register'));
  13.     // if POST data has been submitted
  14.     if ($request->isPost()) {
  15.         // if the Register form has been submitted and the submitted data is valid
  16.         if (isset($_POST['register']) && $form->isValid($_POST)) {
  17.  
  18.             $data = $form->getValues();
  19.  
  20.             if ($users->getSingleWithEmail($data['email']) != null) {
  21.                 // if the email already exists in the database
  22.                 $this->view->error = 'Email already taken';
  23.             } else if ($users->getSingleWithUsername($data['username']) != null) {
  24.                 // if the username already exists in the database
  25.                 $this->view->error = 'Username already taken';
  26.             } else if ($data['email'] != $data['emailAgain']) {
  27.                 // if both emails do not match
  28.                 $this->view->error = 'Both emails must be same';
  29.             } else if ($data['password'] != $data['passwordAgain']) {
  30.                 // if both passwords do not match
  31.                 $this->view->error = 'Both passwords must be same';
  32.             } else {
  33.  
  34.                 // everything is OK, let's send email with a verification string
  35.                 // the verifications string is an sha1 hash of the email
  36.                 $mail = new Zend_Mail();
  37.                 $mail->setFrom('your@name.com', 'Your Name');
  38.                 $mail->setSubject('Thank you for registering');
  39.                 $mail->setBodyText('Dear Sir or Madam,
  40.  
  41. Thank You for registering at yourwebsite.com. In order for your account to be
  42. activated please click on the following URI:
  43.  
  44. http://yourwebsite.com/admin/login/email-verification?str=' . sha1($data['email'])
  45. . '
  46. Best Regards,
  47. Your Name and yourwebsite.com staff');
  48.                 $mail->addTo($data['email'],
  49.                              $data['first_name'] . ' ' . $data['last_name']);
  50.  
  51.                 if (!$mail->send()) {
  52.                     // email sending failed
  53.                     $this->view->error = 'Failed to send email to the address you provided';
  54.                 } else {
  55.  
  56.                     // email sent successfully, let's add the user to the database
  57.                     unset($data['emailAgain'], $data['passwordAgain'],
  58.                           $data['register']);
  59.                     $data['salt'] = $this->_helper->RandomString(40);
  60.                     $data['role'] = 'user';
  61.                     $data['status'] = 'pending';
  62.                     $users->add($data);
  63.                     $this->view->success = 'Successfully registered';
  64.  
  65.                 }
  66.  
  67.             }
  68.  
  69.         }
  70.     }
  71.  
  72.     $this->view->form = $form;
  73. }

First of all, in order to eliminate duplicate rows in the database we check for users with the same username or email before continuing. We also make sure a user correctly filled in both email input fields and both password input fields.

Afterwards, an email with a verification string (which happens to be an sha1 hash of the user email) is sent to the user and a new account is created. I use a handy action helper to generate a random string (in this case used as a salt):

  1. class My_Controller_Action_Helper_RandomString extends Zend_Controller_Action_Helper_Abstract
  2. {
  3.     public function direct($length = 32,
  4.                            $chars = '1234567890abcdef') {
  5.         // length of character list
  6.         $charsLength = (strlen($chars) - 1);
  7.  
  8.         // start our string
  9.         $string = $chars{rand(0, $charsLength)};
  10.  
  11.         // generate random string
  12.         for ($i = 1; $i < $length; $i = strlen($string)) {
  13.             // grab a random character from our list
  14.             $r = $chars{rand(0, $charsLength)};
  15.             // make sure the same two characters don't appear next to each other
  16.             if ($r != $string{$i - 1}) {
  17.                 $string .=  $r;
  18.             } else {
  19.                 $i–;
  20.             }
  21.         }
  22.  
  23.         // return the string
  24.         return $string;
  25.     }
  26. }

By clicking on the link the user is taken to the email verification page:

  1. public function emailVerificationAction()
  2. {
  3.     $request = $this->getRequest();
  4.     $users = $this->_getTable('Users');
  5.  
  6.     // get the verification string from the URI
  7.     $str = $request->getParam('str');
  8.  
  9.     // check if the user corresponding to the string exists
  10.     $user = $users->getSingleWithEmailHash($str);
  11.     if ($user == null) {
  12.         $this->view->error = 'Invalid verification string';
  13.     } else {
  14.         if ($user->status == 'approved') {
  15.             // user account has already been activated
  16.             $this->view->error = 'Account has already been activated';
  17.         } else {
  18.  
  19.             // the user exists and the verification string is correct
  20.             // let's approve the user
  21.             if ($users->edit($user->id, array('status' => 'approved')) != false) {
  22.                 $this->view->success = 'Hello, '
  23.                 . $user->username . '! Your account has been activated';
  24.             }
  25.  
  26.         }
  27.     }
  28. }

Login form

The login form is quite simple. It contains just two input fields (for username and password) and a “Remember me?” checkbox:

  1. class Login extends Zend_Form
  2. {
  3.     private $elementDecorators = array(
  4.         'ViewHelper',
  5.         array(array('data' => 'HtmlTag'), array('tag' => 'div', 'class' => 'element')),
  6.         'Label',
  7.         array(array('row' => 'HtmlTag'), array('tag' => 'li')),
  8.     );
  9.  
  10.     private $buttonDecorators = array(
  11.         'ViewHelper',
  12.         array(array('data' => 'HtmlTag'), array('tag' => 'div', 'class' => 'button')),
  13.         array(array('row' => 'HtmlTag'), array('tag' => 'li')),
  14.     );
  15.  
  16.     private $checkboxDecorators = array(
  17.         'Label',
  18.         'ViewHelper',
  19.         array(array('data' => 'HtmlTag'), array('tag' => 'div', 'class' => 'checkbox')),
  20.         array(array('row' => 'HtmlTag'), array('tag' => 'li')),
  21.     );
  22.  
  23.     public function init()
  24.     {
  25.         $this->setMethod('post');
  26.  
  27.         $username = new Zend_Form_Element_Text('username', array(
  28.             'decorators' => $this->elementDecorators,
  29.             'label' => 'Username',
  30.             'required' => true,
  31.             'filters' => array(
  32.                 'StringTrim'
  33.             ),
  34.             'validators' => array(
  35.                 array('StringLength', false, array(3, 50))
  36.             ),
  37.             'class' => 'input-text'
  38.         ));
  39.  
  40.         $password = new Zend_Form_Element_Password('password', array(
  41.             'decorators' => $this->elementDecorators,
  42.             'label' => 'Password',
  43.             'required' => true,
  44.             'filters' => array(
  45.                 'StringTrim'
  46.             ),
  47.             'validators' => array(
  48.                 array('StringLength', false, array(6, 50))
  49.             ),
  50.             'class' => 'input-password'
  51.         ));
  52.  
  53.         $rememberMe = new Zend_Form_Element_Checkbox('rememberMe', array(
  54.             'decorators' => $this->checkboxDecorators,
  55.             'label' => 'Remember me?',
  56.             'required' => true,
  57.             'class' => 'input-checkbox'
  58.         ));
  59.  
  60.         $submit = new Zend_Form_Element_Submit('login', array(
  61.             'decorators' => $this->buttonDecorators,
  62.             'label' => 'Login',
  63.             'class' => 'input-submit'
  64.         ));
  65.  
  66.         $this->addElements(array(
  67.             $username,
  68.             $password,
  69.             $rememberMe,
  70.             $submit
  71.         ));
  72.     }
  73.  
  74.     public function loadDefaultDecorators()
  75.     {
  76.         $this->setDecorators(array(
  77.             'FormErrors',
  78.             'FormElements',
  79.             array('HtmlTag', array('tag' => 'ol')),
  80.             'Form'
  81.         ));
  82.     }
  83. }

Login controller action

  1. public function indexAction()
  2. {
  3.     // redirect logged in users
  4.     if (Zend_Registry::getInstance()->get('auth')->hasIdentity()) {
  5.         $this->_redirect('/');
  6.     }
  7.  
  8.     $request = $this->getRequest();
  9.     $users = $this->_getTable('Users');
  10.  
  11.     $form = $this->_getForm('Login',
  12.                             $this->_helper->url('login'));
  13.     // if POST data has been submitted
  14.     if ($request->isPost()) {
  15.         // if the Login form has been submitted and the submitted data is valid
  16.         if (isset($_POST['login']) && $form->isValid($_POST)) {
  17.  
  18.             // prepare a database adapter for Zend_Auth
  19.             $adapter = new Zend_Auth_Adapter_DbTable($this->_getDb());
  20.             $adapter->setTableName('users');
  21.             $adapter->setIdentityColumn('username');
  22.             $adapter->setCredentialColumn('password_hash');
  23.             $adapter->setCredentialTreatment('CONCAT(SUBSTRING(password_hash, 1, 40), SHA1(CONCAT(SUBSTRING(password_hash, 1, 40), ?)))');
  24.             $adapter->setIdentity($form->getValue('username'));
  25.             $adapter->setCredential($form->getValue('password'));
  26.  
  27.             // try to authenticate a user
  28.             $auth = Zend_Registry::get('auth');
  29.             $result = $auth->authenticate($adapter);
  30.  
  31.             // is the user valid one?
  32.             switch ($result->getCode()) {
  33.  
  34.                 case Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND:
  35.                     $this->view->error = 'Identity not found';
  36.                     break;
  37.  
  38.                 case Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID:
  39.                     $this->view->error = 'Invalid credential';
  40.                     break;
  41.  
  42.                 case Zend_Auth_Result::SUCCESS:
  43.                     // get user object (ommit password_hash)
  44.                     $user = $adapter->getResultRowObject(null, 'password_hash');
  45.                     // check if the user is approved
  46.                     if ($user->status != 'approved') {
  47.                         $this->view->error = 'User not approved';
  48.                     } else {
  49.                         // to help thwart session fixation/hijacking
  50.                         if ($form->getValue('rememberMe') == 1) {
  51.                             // remember the session for 604800s = 7 days
  52.                             Zend_Session::rememberMe(604800);
  53.                         } else {
  54.                             // do not remember the session
  55.                             Zend_Session::forgetMe();
  56.                         }
  57.                         // store user object in the session
  58.                         $authStorage = $auth->getStorage();
  59.                         $authStorage->write($user);
  60.                         $this->_redirect('/admin');
  61.                     }
  62.                     break;
  63.  
  64.                 default:
  65.                     $this->view->error = 'Wrong username and/or password';
  66.                     break;
  67.             }
  68.  
  69.         }
  70.     }
  71.  
  72.     $this->view->form = $form;
  73. }

Notice this line:

  1. $adapter->setCredentialTreatment('CONCAT(SUBSTRING(password_hash, 1, 40), SHA1(CONCAT(SUBSTRING(password_hash, 1, 40), ?)))');

The argument of the setCredentialTreatment() method is probably confusing, it’s a little more complex SQL expression. What it does is it compares the entered password with the password_hash from the database (substitute the entered password for the question mark). CONCAT() is a MySQL function for concating strings (in PHP it’s done with the concatenation operator – ‘.’), SUBSTRING() is very similar to the PHP’s substr() (the only difference is the first character has index 1 in MySQL and 0 in PHP), SHA1() is the same as sha1() in PHP.

Logout controller action

  1. public function logoutAction()
  2. {
  3.     Zend_Registry::get('auth')->clearIdentity();
  4.     $this->_redirect('/');
  5. }

Authentication controller plugin

I always use a controller plugin for authentication. You could possibly do it in controllers (let’s say in the init() method) but I find the controller plugin to be an ideal for this purpose:

  1. class My_Controller_Plugin_Auth extends Zend_Controller_Plugin_Abstract
  2. {
  3.     public function preDispatch(Zend_Controller_Request_Abstract $request)
  4.     {
  5.         $auth = Zend_Registry::getInstance()->get('auth');
  6.         $acl = new Zend_Acl();
  7.  
  8.         // for default module
  9.         if ($request->getModuleName() == 'default') {
  10.  
  11.             // access resources (controllers)
  12.             // usually there will be more access resources
  13.             $acl->add(new Zend_Acl_Resource('index'));
  14.             $acl->add(new Zend_Acl_Resource('error'));
  15.  
  16.             // access roles
  17.             $acl->addRole(new Zend_Acl_Role('guest'));
  18.             $acl->addRole(new Zend_Acl_Role('user'));
  19.             $acl->addRole(new Zend_Acl_Role('administrator'));
  20.  
  21.             // access rules
  22.             $acl->allow('guest'); // allow guests everywhere
  23.             $acl->allow('user'); // allow users everywhere
  24.             $acl->allow('administrator'); // allow administrators everywhere
  25.  
  26.             $role = ($auth->getIdentity() && $auth->getIdentity()->status = 'approved')
  27.             ? $auth->getIdentity()->role : 'guest';
  28.             $controller = $request->getControllerName();
  29.             $action = $request->getActionName();
  30.  
  31.             if (!$acl->isAllowed($role, $controller, $action)) {
  32.                 $redirector = Zend_Controller_Action_HelperBroker::getStaticHelper('Redirector');
  33.                 $redirector->gotoUrlAndExit('error/denied');
  34.             }
  35.  
  36.         }
  37.         // for member module
  38.         else if ($request->getModuleName() == 'member') {
  39.  
  40.             // access resources (controllers)
  41.             // usually there will be more access resources
  42.             $acl->add(new Zend_Acl_Resource('index'));
  43.             $acl->add(new Zend_Acl_Resource('error'));
  44.  
  45.             // access roles
  46.             $acl->addRole(new Zend_Acl_Role('guest'));
  47.             $acl->addRole(new Zend_Acl_Role('user'));
  48.             $acl->addRole(new Zend_Acl_Role('administrator'));
  49.  
  50.             // access rules
  51.             $acl->allow('user'); // allow users everywhere
  52.             $acl->allow('administrator'); // allow administrators everywhere
  53.  
  54.             $role = ($auth->getIdentity() && $auth->getIdentity()->status = 'approved')
  55.             ? $auth->getIdentity()->role : 'guest';
  56.             $controller = $request->getControllerName();
  57.             $action = $request->getActionName();
  58.  
  59.             if (!$acl->isAllowed($role, $controller, $action)) {
  60.                 $redirector = Zend_Controller_Action_HelperBroker::getStaticHelper('Redirector');
  61.                 $redirector->gotoUrlAndExit('error/denied');
  62.             }
  63.  
  64.         }
  65.         // for admin module
  66.         else if ($request->getModuleName() == 'admin') {
  67.  
  68.             // access resources (controllers)
  69.             // usually there will be more access resources
  70.             $acl->add(new Zend_Acl_Resource('index'));
  71.             $acl->add(new Zend_Acl_Resource('error'));
  72.  
  73.             // access roles
  74.             $acl->addRole(new Zend_Acl_Role('guest'));
  75.             $acl->addRole(new Zend_Acl_Role('user'));
  76.             $acl->addRole(new Zend_Acl_Role('administrator'));
  77.  
  78.             // access rules
  79.             $acl->allow('administrator'); // allow administrators everywhere
  80.  
  81.             $role = ($auth->getIdentity() && $auth->getIdentity()->status = 'approved')
  82.             ? $auth->getIdentity()->role : 'guest';
  83.             $controller = $request->getControllerName();
  84.             $action = $request->getActionName();
  85.  
  86.             if (!$acl->isAllowed($role, $controller, $action)) {
  87.                 $redirector = Zend_Controller_Action_HelperBroker::getStaticHelper('Redirector');
  88.                 $redirector->gotoUrlAndExit('error/denied');
  89.             }
  90.  
  91.         }
  92.     }
  93. }

As you can see, there are different access rules for each module. It’s not terribly difficult to create more comples access rules. The one thing you must understand is that (quoted from the Zend Framework documentation):

In general, Zend_Acl obeys a given rule if and only if a more specific rule does not apply.

For instance, let’s say you want to disallow logged in users from accessing the login form:

  1. // allow guest to access the login controller
  2. // this still doesn't mean they can access any other controller unless specified
  3. $acl->allow('guest', 'login')
  4. // allow users to access all controllers
  5. $acl->allow('user');
  6. // disallow users from accessing specifically the login controller
  7. $acl->deny('user', 'login');
  8. // allow administrators to access all controllers
  9. $acl->allow('administrator');
  10. // disallow administrators from accessing specifically the login controller
  11. $acl->deny('administrator', 'login');

You can also specify actions in the access rules:

  1. // disallow users from accessing action1, action2 and action3 of the index controller
  2. $acl->deny('user', 'index', array('action1', 'action2', 'action3'));

One more thing, you need to register the plugin so it works. I usually do it in the bootstrap file:

  1. $frontController->registerPlugin(new My_Controller_Plugin_Auth());

You need to add the ‘My_’ namespace to the application config file, too:

autoloaderNamespaces[] = "My_"

Recommended reading

]]> http://blog.richardknop.com/2009/06/user-login-and-authentication-with-zend_auth-and-zend_acl/feed/ 7