views: 43

answers: 4

Should I use a whitelist or blacklist approach to Zend_Acl? By that I mean: deny any and all resources to everyone and write each single allow case for each role [blacklist], or allow all resources and write each deny case for each role [whitelist]?

A: 

You don't need to specify every denied role.

At first you should define all roles as denied. After that, set the allowable resource access for every role. So every role that you haven't declared as allowed for a resource will be automatically denied.

Something like this:

require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

$acl = new Zend_Acl();
$acl->deny(); // default rule: everything is denied unless explicitly allowed below
$resource = new Zend_Acl_Resource('article'); // example resource name
$role = new Zend_Acl_Role('editor'); // example role name
$acl->addResource($resource);
$acl->addRole($role);
$acl->allow($role, $resource, 'edit'); // open up only this role/resource/privilege
Swing Magic
A: 

Since you don't even mention what it is exactly that you want to achieve, there's no way anybody can give a good answer. The most fitting solution will depend on your specific use case, so either provide more information or decide for yourself what's the best solution.

wimvds
Please read it again. I said all that is needed.
Brandon_R
Nope, you don't say what you're going to do with it, so we can't decide whether one or the other would make more sense. But anyway: I tend to prefer whitelisting (where you deny everything by default and allow on a per role/resource basis), because it will not expose new functionality by default (so users will only be able to access the new functionality after you have updated the ACL accordingly).
wimvds
A: 

Unless anything is bothering you to do the opposite, you should always do whatever requires less effort to implement.

takeshin
+1  A: 

I am using a white-list approach. This means I have a denyAll as a start policy and grant access to resources only after checking the permissions for the given role. I think it is a safer practice. In some cases you could choose one over the other depending on how most of your resources are. For example, if most of your website is public, start from allowAll and just deny access to x resources. This can limit the growth of your ACL tree.

Elzo Valugi
Yeah, I decided to go with this way as well since it's safer.
Brandon_R
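The two policies discussed in the answers above, side by side, as an added example (not code from any of the posters). It assumes Zend Framework 1 is on the include path; the role names, resource names and privileges are made up. The deny-by-default ACL mirrors Swing Magic's snippet and Elzo Valugi's denyAll start policy; the last check in each report shows wimvds's point that a resource added later stays closed under deny-by-default and is wide open under allow-by-default until the rules are updated.

```php
<?php
// Added example, not from the thread. Assumes ZF1 on the include path;
// roles, resources and privileges are invented for illustration.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

// Builds an ACL whose default rule is deny: nothing works unless listed.
function buildDenyByDefaultAcl()
{
    $acl = new Zend_Acl();
    $acl->deny(); // explicit global default: deny every role on every resource

    // 'member' inherits guest's rules, 'admin' inherits member's rules.
    $acl->addRole(new Zend_Acl_Role('guest'));
    $acl->addRole(new Zend_Acl_Role('member'), 'guest');
    $acl->addRole(new Zend_Acl_Role('admin'), 'member');

    $acl->addResource(new Zend_Acl_Resource('article'));
    $acl->addResource(new Zend_Acl_Resource('comment'));

    // Only these role/resource/privilege combinations are opened up.
    $acl->allow('guest', 'article', 'view');
    $acl->allow('member', 'comment', array('view', 'post'));
    $acl->allow('admin'); // admin: all privileges on all resources

    return $acl;
}

// Same roles and resources with allow as the default rule: everything
// works unless a deny rule says otherwise.
function buildAllowByDefaultAcl()
{
    $acl = new Zend_Acl();
    $acl->allow(); // explicit global default: allow every role on every resource

    $acl->addRole(new Zend_Acl_Role('guest'));
    $acl->addRole(new Zend_Acl_Role('member'), 'guest');
    $acl->addRole(new Zend_Acl_Role('admin'), 'member');

    $acl->addResource(new Zend_Acl_Resource('article'));
    $acl->addResource(new Zend_Acl_Resource('comment'));

    // Each thing a guest must not do needs its own deny rule...
    $acl->deny('guest', 'article', 'edit');
    $acl->deny('guest', 'comment', 'post');
    // ...and because member inherits guest's deny, member has to be
    // re-allowed explicitly, which is what makes this style grow.
    $acl->allow('member', 'comment', 'post');

    return $acl;
}

// Prints the decision for a fixed set of checks, then adds a resource
// that none of the rules mention and checks it too.
function report(Zend_Acl $acl, $label)
{
    $checks = array(
        array('guest',  'article', 'view'),
        array('guest',  'article', 'edit'),
        array('member', 'comment', 'post'),
        array('admin',  'article', 'edit'),
    );
    echo "== $label ==\n";
    foreach ($checks as $c) {
        list($role, $res, $priv) = $c;
        printf("%-6s %-8s %-5s -> %s\n", $role, $res, $priv,
               $acl->isAllowed($role, $res, $priv) ? 'allowed' : 'denied');
    }

    // New functionality shipped without touching the ACL: under deny-by-default
    // it is unreachable, under allow-by-default every role can already use it.
    $acl->addResource(new Zend_Acl_Resource('admin-panel'));
    printf("guest  admin-panel (new, no rule) -> %s\n",
           $acl->isAllowed('guest', 'admin-panel') ? 'allowed' : 'denied');
}

report(buildDenyByDefaultAcl(), 'deny by default');
report(buildAllowByDefaultAcl(), 'allow by default');
```

Run it with `php acl_example.php` from a project that has the ZF1 library directory on the include path. The `allow()`/`deny()` calls with no arguments set the global default rule; a `Zend_Acl` with neither call behaves like the deny-by-default case, so the explicit `deny()` mainly documents the intent.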