Zend_Acl Whitelist VS Blacklist?

Question

Should i use a whitelist or blacklist approach to Zend_Acl? By that i mean deny any and all resources to everyone and write each single allow case for each role [blacklist] or allow all resources and write each deny care for each role [whitelist]

Answer 1

don't need to specify every denied role.

at first you should define all of role as denied. after that, set allowable access resource for every role. so every role that you haven't declare as allowed for resource will be automatically denied.

something like this :

$acl = new Zend_Acl();
$acl->deny();
$acl->addResource($resource);
$acl->addRole($role);
$acl->allow($role, $resource, $access);

Answer 2

Since you don't even mention what it is exactly that you want to achieve, there's no way anybody can give a good answer. The most fitting solution will depend on your specific use case, so either provide more information or decide for yourself what's the best solution.

Answer 3

Unless anything is bothering you to do the opposite, you should always do whatever requires less effort to implement.

Answer 4

I am using a white-list approach. This means I have a denyAll as a start policy and a grant access to resources only after checking the permissions for the given role. I think is a safer practice. In same cases you could choose one over another depending on how most of your resources are. For example if most of your website is public start from allowAll and just deny access to x resources. This can limit the growth of your ACL tree.