"Zend Framework" Programmer's Reference Guide - reading notes (Chapter 2)

        这两天刚开始接触Zend Framework，于是开始阅读它的Manual。计划展开一个阅读手记系列来总结对这个Manual的解读，摘录一些当中的要点，日后再回头查阅也较为方便。

        前面的Introduction章节就不再赘述了，仅从chapter 2开始。（原文有详细的例子和源代码，就不贴出来了，可参看Zend Framework：http://framework.zend.com/manual/en/zend.acl.html）

        以下是要点摘录：

- Acl: Access Control List, a lightweight and flexible access control list functionality and privileges management provided by Zend_Acl.

- 2 key points: Resourse & Role.

- The simple model: an application may control how requesting objects (Roles) are granted access to protected objects (Resources). For example, if a person requests access to a car, then the person is the requesting Role, and the car is the Resource, since access to the car is under control. When applied to the web applications, a simple example is "what can a user do to the system". A detailed example has been given out.

- Multiple inheritance between Roles: roles can be multi-inherited. Note: When specifying multiple parents for a Role, keep in mind that the last parent listed is the first one searched for rules applicable to an authorization query.

- 2 steps of creating ACL: 1. Registering roles; 2. Defining access controls. Note: Until a developer specifies an "allow" rule, Zend_Acl denies access to every privilege upon every Resource by every Role.

- Querying the ACL after creating.

- Refining access controls: 1. Precise access controls; 2. Removing access controls. Precise access controls means making the access controls more specific (can take full advantage of inheritance).

- Advanced use:  Writing conditional ACL rules with assertions. Sometimes a rule for allowing or denying a Role access to a Resource should not be absolute but dependent upon various criteria. There are 2 examples: 1. certain access should be allowed, but only between the hours of 8:00am and 5:00pm; 2. deny access because a request comes from an IP address that has been flagged as a source of abuse.