Hello,

The traditional approach to managing access to controller actions is to create a resource (string identifier) for each /module/controller/action, then check the ACL in a controller plugin.

Lately I discovered the very handy Zend_Acl_Resource_Interface, which can be used to control access to any class implementing it. This way, any Model, Form or other application element may become an ACL resource. This is quite a common-sense approach, because this way application resources become ACL resources.

This becomes extremely easy with Doctrine listeners, so I don't need any additional logic in the controller at all.

Now, I can check the ACL e.g. whenever any form is instantiated and eventually redirect to the login page.
But how can I hide Zend Navigation items which use restricted forms, models etc.?
Do I need the traditional, controller oriented approach as well? Do I need a separate resource identifier for each navigation element? What's the benefit of using resource based ACL then?

+1  A: 

You can assign the corresponding resource id to Zend_Navigation page items and set the predefined ACL and the currently logged-in user's role to the Zend_Navigation instance; the Navigation helper checks the ACL before rendering. Please see the example here: http://framework.zend.com/manual/en/zend.view.helpers.html#zend.view.helpers.initial.navigation.acl

ngsiolei
Thanks, but you should read the question carefully. Consider the following situation: I have a page */create* with two forms (e.g. search and create), with resource identifiers *search-resource* and *create-resource*. Which one should I use in navigation? I still need to create a new resource for the URL access...
takeshin
Yes, I overlooked some cases.
ngsiolei
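
The setup described in the answer, as an added example that is not part of the original thread: navigation pages carry a resource, the navigation helper is given the ACL and the current role, and the same ACL is queried directly with an object implementing Zend_Acl_Resource_Interface. It assumes Zend Framework 1 is on the include path; `Model_Article`, the role names and the URIs are hypothetical.

```php
<?php
// Added example; assumes Zend Framework 1 is on the include path.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// Hypothetical model that is itself an ACL resource.
class Model_Article implements Zend_Acl_Resource_Interface
{
    public function getResourceId()
    {
        return 'create-resource';
    }
}

// Deny-by-default ACL: guests may search, members may also create.
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'))
    ->addRole(new Zend_Acl_Role('member'), 'guest')
    ->addResource(new Zend_Acl_Resource('search-resource'))
    ->addResource(new Model_Article())
    ->allow('guest', 'search-resource')
    ->allow('member', 'create-resource');

// Each page names the resource that decides whether it is rendered.
// A page object also accepts a Zend_Acl_Resource_Interface instance.
$container = new Zend_Navigation(array(
    array('label' => 'Search', 'uri' => '/search', 'resource' => 'search-resource'),
    array('label' => 'Create', 'uri' => '/create', 'resource' => new Model_Article()),
));

// Render the menu for a given role; the helper filters pages via the ACL.
function renderMenuFor($role, Zend_Navigation $container, Zend_Acl $acl)
{
    $view = new Zend_View();
    $view->navigation($container)->setAcl($acl)->setRole($role);
    return $view->navigation()->menu()->render();
}

foreach (array('guest', 'member') as $role) {
    echo "== $role ==\n", renderMenuFor($role, $container, $acl), "\n";
    // Hiding a link is presentation only: the check on the resource itself
    // (here the model, in the question a Doctrine listener) stays the gate.
    $allowed = $acl->isAllowed($role, new Model_Article());
    echo 'create allowed: ', $allowed ? 'yes' : 'no', "\n";
}
```

For `guest` the menu contains only the Search item and the direct check returns no; for `member` both items render and the check returns yes.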