Has anyone done any good solid implementation of Zend ACL class to work with database backend?
What I am looking for is to have these features:
User belongs to some group
Each group has specific permissions. Some groups inherit permissions from other groups, but that is optional; sometimes it is helpful, like every group inheriting from the ‘EVERYONE’ group (like in a Windows-based server, XP, or any Windows after Windows NT)
A User typically gets his permissions from being a member of some group, but by default every user is a member of EVERYONE group. This helps with setting permissions for unregistered site visitors.
Here is the catch: a permission can also be assigned directly to a user, in which case his effective permission is calculated by what permissions are assigned directly to him plus his group’s permissions.
I have thought about the possibility of a user belonging to multiple groups, but so far have decided against it just because it can lead to confusion with permissions. I think that if a user really needs some custom permissions, the admin should create a special group and make that user a member of the special group, then set special permissions on the special group.
Finally, how to use the ACL? ACL is basically an object that holds permissions for all groups (called roles in Zend jargon) and can calculate effective permissions on a specific object if any inheritance of group permissions is involved.
Zend says that their ACL object can be serialized and stored anywhere. This is what I am interested in. I want to be able to store the ACL object in cache, so it can be accessed very fast, because I don’t want to run the database queries every time.
I looked at Zend’s ACL-related classes and they didn’t specifically make them serializable; they are serializable ‘just because’ they only hold arrays as properties and an array is easily serializable. I think that could lead to a problem when storing the object in cache, and when it wakes up it needs to find the class. I would personally rewrite it a little bit to make them implement the Serializable interface, but that may not be necessary; only after I try it will I know for sure.
Has anyone done anything like that? Are there any better permission management class than Zend ACL?
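One way to lay out the scheme described in this post, as an added example that is not code from the post or from Zend: groups and users both become Zend_Acl roles, a user's single group is its parent role, and the serialized ACL carries an HMAC that is checked before `unserialize()` touches the cached bytes. The row layout, the `user:` role prefix, the key placeholder and the function names `buildAcl`, `packAcl` and `unpackAcl` are assumptions made for illustration.

```php
<?php
// Added example: assumes Zend Framework 1 on the include path and PHP >= 5.6.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
// Constructed rows standing in for query results (hypothetical schema).
$groups = array('EVERYONE' => null, 'members' => 'EVERYONE');  // group => parent
$users  = array('alice' => 'members', 'bob' => 'members');     // user => single group
$rules  = array(                                               // role, resource, privilege
    array('EVERYONE', 'article', 'read'),
    array('members',  'article', 'comment'),
    array('user:bob', 'article', 'edit'),  // direct grant on top of bob's group
);
function buildAcl(array $groups, array $users, array $rules)
{
    $acl = new Zend_Acl();
    $acl->add(new Zend_Acl_Resource('article'));
    foreach ($groups as $group => $parent) {  // parents are listed before children
        $acl->addRole(new Zend_Acl_Role($group), $parent);
    }
    foreach ($users as $user => $group) {     // a user is a role whose parent is its group
        $acl->addRole(new Zend_Acl_Role("user:$user"), $group);
    }
    foreach ($rules as $r) {
        $acl->allow($r[0], $r[1], $r[2]);
    }
    return $acl;
}

function packAcl(Zend_Acl $acl, $key)
{
    $blob = serialize($acl);
    return hash_hmac('sha256', $blob, $key) . $blob;  // 64 hex chars, then payload
}
function unpackAcl($data, $key)
{
    if (!is_string($data) || strlen($data) <= 64) { return null; }
    $blob = substr($data, 64);
    // Reject a modified cache entry before unserialize() ever sees it.
    if (!hash_equals(hash_hmac('sha256', $blob, $key), substr($data, 0, 64))) {
        return null;                          // caller rebuilds from the database
    }
    return unserialize($blob);                // Zend_Acl classes must be loadable here
}

$key    = 'PLACEHOLDER-secret-from-config';
$cached = packAcl(buildAcl($groups, $users, $rules), $key);  // value to put in the cache
$acl    = unpackAcl($cached, $key);
var_dump($acl->isAllowed('user:bob', 'article', 'edit'));    // bob's direct grant
var_dump($acl->isAllowed('user:alice', 'article', 'read'));  // inherited via members from EVERYONE
```

The class-lookup concern on wake-up is handled by loading the Zend_Acl classes (or registering an autoloader) before `unpackAcl()` runs; the cached entry should be invalidated whenever the permission tables change.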