Nabble - Zend Auth

AW: trouble with Zend_Auth_Adapter_Ldap

2009-11-20T05:22:31Z

Hi Ondrej,

>> You can stop Zend_Auth_Adapter_Ldap from trying to split the username by setting the
>> tryUsernameSplit option to false (true by default).

>Good to know, thanks. I missed this option when I browse source but
>any way I have to fetch extra information from LDAP.

To fetch extra information from the LDAP you can either use the Zend_Auth_Adapter_Ldap::getAccountObject() method to retrieve the user account entry or you can use Zend_Auth_Adapter_Ldap::getLdap() to get the underlying LDAP adapter that allows you to query the LDAP (be careful as this adapter is authenticated with the credentials provided to the Zend_Auth_Adapter_Ldap which could result in some access restriction problems).

>I reckon that there is a some bad design in Zend_Amf authentication
>but I have no idea what is wrong.

>Basically, I'm looking for clean way how to implement Ldap auth wit
>Zend_Amf_Server. I could extend Zend_Amf_Auth_Abstract and use it as a
>proxy to Zend_Auth_Adapter_Ldap...

A proxy seems to be the way to go. Create a My_Amf_Auth_LdapProxy (extends Zend_Amf_Auth_Abstract) and let it proxy your authentication request to the LDAP adapter:

class My_Amf_Auth_LdapProxy extends Zend_Amf_Auth_Abstract
{
protected $_ldapAdapter;

public function __construct(Zend_Auth_Adapter_Ldap $ldapAdapter)
{
$this->_ldapAdapter = $ldapAdapter;
}

public function setCredentials($username, $password)
{
parent::setCredentials($username, $password); // not really needed I think
$this->_ldapAdapter->setUsername($username);
$this->_ldapAdapter->setPassword($password);
}

public function authenticate()
{
return $this->_ldapAdapter->authenticate();
}
}

That seems to be the most natural way accomplish your task.

Best regards

Stefan

Re: trouble with Zend_Auth_Adapter_Ldap

2009-11-20T04:59:23Z

Hi Stefan,

2009/11/20 Stefan Gehrig <gehrig@...>:
> You can stop Zend_Auth_Adapter_Ldap from trying to split the username by setting the
> tryUsernameSplit option to false (true by default).

Good to know, thanks. I missed this option when I browse source but
any way I have to fetch extra information from LDAP.

I reckon that there is a some bad design in Zend_Amf authentication
but I have no idea what is wrong.

Basically, I'm looking for clean way how to implement Ldap auth wit
Zend_Amf_Server. I could extend Zend_Amf_Auth_Abstract and use it as a
proxy to Zend_Auth_Adapter_Ldap...

--
Ondrej Ivanic
(ondrej.ivanic@...)

AW: trouble with Zend_Auth_Adapter_Ldap

2009-11-19T23:34:13Z

Dear Ondrej,

the problem is, that Zend_Auth_Adapter_Ldap in its default configuration tries to split the username at the @-sign to retrieve the username and the domain name. It hereby assumes that a username with an @-sign is a new Microsoft Windows domain username in the form username@domain (old form, prior to Windows Server 2003 I think, was DOMAIN\username).
You can stop Zend_Auth_Adapter_Ldap from trying to split the username by setting the tryUsernameSplit option to false (true by default).

$adapter = new Zend_Auth_Adapter_Ldap(array(
// ...
'tryUsernameSplit' => false
), $username, $password);

That should do the trick.

Best regards

Stefan

-----Ursprüngliche Nachricht-----
Von: Ondrej Ivanič [mailto:ondrej.ivanic@...]
Gesendet: Freitag, 20. November 2009 05:56
An: fw-auth@...
Betreff: [fw-auth] trouble with Zend_Auth_Adapter_Ldap

Hi

I had to implement Zend_Amf auth service against LDAP which seems like
an easy task but it wasn't (maybe I missed something)

Zend_Amf_Server requires to use Zend_Amf_Auth_Abstract as a base class
because abstract class provides additional method for settings
credentials. Another surprise came with Zend_Auth_Adapter_Ldap which
doesn't like e-mail address as a uid. I always got error message
'ondrej' not found (ondrej@...). We use following LDAP
structure:
dc=customers, dc=local (<- baseDn)
ou=customer1
uid=ondrej@...
uid=user1@...
ou=customer1
uid=user1@...
uid=user2@...
and customers use (email, password) as credentials for login

Basically, I had to copy almost everything from
Zend_Auth_Adapter_Ldap::authenticate() (it's not possible to extend
because Zend_amf server requires Zend_Amf_Auth_Abstract as a base
class) method and add few searches because I need associated user and
company information.

Is there a better solution?
Thanks,

-class Zend_Auth_Adapter_Ldap implements Zend_Auth_Adapter_Interface
+class Amf_Auth_Ldap extends Zend_Amf_Auth_Abstract

@@ -275,15 +252,34 @@
continue;
}

- $canonicalName = $ldap->getCanonicalAccountName($username);
+ // bind with defualt credentials
+ $ldap->bind();
+ $user =
$ldap->search("(&(objectClass=inetorgperson)(uid=$username))");
+ if(1 != sizeof($user)) {
+ throw new Zend_Auth_Adapter_Exception('User: One
user expected; got ' . sizeof($user));
+ }
+ $user = $user->getFirst();
+
+ $ldap->bind($user['dn'], $password);

- $ldap->bind($canonicalName, $password);
+ $parentDn = explode(',', $user['dn'], 3);
+ if(isset($parentDn[1])) {
+ $parentDn = $parentDn[1];
+ } else {
+ throw new Zend_Auth_Adapter_Exception('Wrong LDAP
structure; expected organisation as a parent' .
sizeof($organisation));
+ }
+
+ $organisation =
$ldap->search("(&(objectClass=organizationalunit)($parentDn))");
+ if(1 != sizeof($organisation)) {
+ throw new
Zend_Auth_Adapter_Exception('Organisation: One result expected; got '
. sizeof($organisation));
+ }
+ $organisation = $organisation->getFirst();

$messages[0] = '';
$messages[1] = '';
- $messages[] = "$canonicalName authentication successful";
+ $messages[] = "$username authentication successful";

- return new
Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $canonicalName,
$messages);
+ return new
Zend_Auth_Result(Zend_Auth_Result::SUCCESS, new
FraudControl_UserInfo($user, $organisation), $messages);
} catch (Zend_Ldap_Exception $zle) {

--
Ondrej Ivanic
(ondrej.ivanic@...)

trouble with Zend_Auth_Adapter_Ldap

2009-11-19T20:55:51Z

Hi

I had to implement Zend_Amf auth service against LDAP which seems like
an easy task but it wasn't (maybe I missed something)

Zend_Amf_Server requires to use Zend_Amf_Auth_Abstract as a base class
because abstract class provides additional method for settings
credentials. Another surprise came with Zend_Auth_Adapter_Ldap which
doesn't like e-mail address as a uid. I always got error message
'ondrej' not found (ondrej@...). We use following LDAP
structure:
dc=customers, dc=local (<- baseDn)
ou=customer1
uid=ondrej@...
uid=user1@...
ou=customer1
uid=user1@...
uid=user2@...
and customers use (email, password) as credentials for login

Basically, I had to copy almost everything from
Zend_Auth_Adapter_Ldap::authenticate() (it's not possible to extend
because Zend_amf server requires Zend_Amf_Auth_Abstract as a base
class) method and add few searches because I need associated user and
company information.

Is there a better solution?
Thanks,

-class Zend_Auth_Adapter_Ldap implements Zend_Auth_Adapter_Interface
+class Amf_Auth_Ldap extends Zend_Amf_Auth_Abstract

@@ -275,15 +252,34 @@
continue;
}

- $canonicalName = $ldap->getCanonicalAccountName($username);
+ // bind with defualt credentials
+ $ldap->bind();
+ $user =
$ldap->search("(&(objectClass=inetorgperson)(uid=$username))");
+ if(1 != sizeof($user)) {
+ throw new Zend_Auth_Adapter_Exception('User: One
user expected; got ' . sizeof($user));
+ }
+ $user = $user->getFirst();
+
+ $ldap->bind($user['dn'], $password);

- $ldap->bind($canonicalName, $password);
+ $parentDn = explode(',', $user['dn'], 3);
+ if(isset($parentDn[1])) {
+ $parentDn = $parentDn[1];
+ } else {
+ throw new Zend_Auth_Adapter_Exception('Wrong LDAP
structure; expected organisation as a parent' .
sizeof($organisation));
+ }
+
+ $organisation =
$ldap->search("(&(objectClass=organizationalunit)($parentDn))");
+ if(1 != sizeof($organisation)) {
+ throw new
Zend_Auth_Adapter_Exception('Organisation: One result expected; got '
. sizeof($organisation));
+ }
+ $organisation = $organisation->getFirst();

$messages[0] = '';
$messages[1] = '';
- $messages[] = "$canonicalName authentication successful";
+ $messages[] = "$username authentication successful";

- return new
Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $canonicalName,
$messages);
+ return new
Zend_Auth_Result(Zend_Auth_Result::SUCCESS, new
FraudControl_UserInfo($user, $organisation), $messages);
} catch (Zend_Ldap_Exception $zle) {

--
Ondrej Ivanic
(ondrej.ivanic@...)

Re: help with GET method

2009-11-17T03:18:26Z

You can do that by calling
http://mysite.com/images/list/typeid/2/authorid/4 and writing the
appropriate controller code, of course. This assumes you use the
default router, however, I recommend you to define your own paths, in
this case I would use /images?type=2&author=4 instead.

Regards,
Ádám

help with GET method

2009-11-16T16:27:27Z

I'm new in ZF, i have a problem:
if i want to create a get method in ZF, maybe it looks like :
assumption: images(id,typeid,imgPath,Authorid) (in database)

Code:

http://mysite.com/images/list/typeid/2

It means i want to list all images which have typeid=2

but now i want to list all images have typeid=2 and authorid =4 by using GET method. how can i make it?
Thanks in advance

--
Nguyễn Thanh Tiến

view object

2009-11-10T16:47:34Z

Hi All,
I cannot undrestand that the vlaue of view in controller is different
form view/script.
to make it clear. when I am returning $this->view in the controller I
have some missing arguments compare to return $this in view/script.
forexample:
the $this->view in controller:
.
.
.
.["_path":"Zend_View_Abstract":private] => array(3) {

["script"] => array(1) {
[0] => string(71) "C:\roozbeh\repo\newskool\repo\application\modules\client\views\scripts\"
}
["helper"] => array(0) {
}
["filter"] => array(0) {

}

the value of $this in view/script.

["_path":"Zend_View_Abstract":private] => array(3) {
["script"] => array(3) {
[0] => string(63) "C:\roozbeh\repo\newskool\repo\application\views\scripts\client\"
[1] => string(56) "C:\roozbeh\repo\newskool\repo\application\views\scripts\"
[2] => string(71) "C:\roozbeh\repo\newskool\repo\application\modules\client\views\scripts\"
}
["helper"] => array(0) {
}
["filter"] => array(0) {
}

could you please let me know how can i have
[0] => string(63) "C:\roozbeh\repo\newskool\repo\application\views\scripts\client\"
[1] => string(56) "C:\roozbeh\repo\newskool\repo\application\views\scripts\"

in conroller so by running $this->view in controller I can have above values.
much appriciate for any help.

Thanks,
Roozbeh

Re: What is the Session object member in Zend_Auth_Storage_Session?

2009-11-09T20:45:36Z

yes. very helpful thanks.

ronnystalker wrote:

Hi
I am just looking into the code of Zend_Auth_Storage_Session for ideas on how i can extend it to customise my own class.

I see there is a property called $_member :

/**
* Session object member
*
* @var mixed
*/
protected $_member;

The Doc description is a little bit vague.

Is this referring to a member in the sense of a 'user' who is a member of the site?
OR
Is this referring to a member in the sense of the class member/property name of the variable that holds the session object?

I will probably discover the answer soon enough through more research.

However, it might be nice to explicitly have the answer to this question available 'on the web' somewhere to make code analysis quicker for those who are following my path.

Any way - i hope to reply to this when i find out more about this.

Re: Zend_Acl , Ownership - request scope or injection in domain objects

2009-11-09T06:38:42Z

vd,

I am not sure what you are basing this on. Out of the box, Zend_Acl
does not dictate how you use ACL: with a static definition, or even with
a dynamic definition one might read out of a database.

In general, Zend_Acl is probably one of the lightest components because
it no coupling with other components and only effectively has 2 jobs:

a) to give you the proper interfaces to identify which objects are
roles and resoures, and
b) to give you a minimal set of functionality to be able to determine
if according to the rules it were given, does some role have access to
some resource.

If you are finding that Zend_Acl is too slow, chances are it's not the
actual component, rather the implementation that is suspect number one.

-ralph

> reading from the disk. I dont think using ACL for high traffic site is a
> good option. Looking at ZF's slow performance using ACL will act as
> icing on cake. Correct me if I am wrong and this reply is not to prove

Re: What is the Session object member in Zend_Auth_Storage_Session?

2009-11-09T06:30:57Z

Hi,

$_member is the actual variable name that will be stored inside the
Zend_Session_Namespace object.

Think of it like this, if the namespace is called by 'Zend_Auth', the
default, and the member is called by 'storage', by default; it would
effectively map to this in memory:

$_SESSION['Zend_Auth']['storage'] = $valueOfIdentityHere;

Hope this helps,
Ralph

ronnystalker wrote:

> Hi
> I am just looking into the code of Zend_Auth_Storage_Session for ideas on
> how i can extend it to customise my own class.
>
> I see there is a property called $_member :
>
> /**
> * Session object member
> *
> * @var mixed
> */
> protected $_member;
>
> The Doc description is a little bit vague.
>
> Is this referring to a member in the sense of a 'user' who is a member of
> the site?
> OR
> Is this referring to a member in the sense of the class member/property name
> of the variable that holds the session object?
>
> I will probably discover the answer soon enough through more research.
>
> However, it might be nice to explicitly have the answer to this question
> available 'on the web' somewhere to make code analysis quicker for those who
> are following my path.
>
> Any way - i hope to reply to this when i find out more about this.
>
>
>
>
>
>
>
>
>
>

What is the Session object member in Zend_Auth_Storage_Session?

2009-11-07T08:57:51Z

Hi
I am just looking into the code of Zend_Auth_Storage_Session for ideas on how i can extend it to customise my own class.

I see there is a property called $_member :

/**
* Session object member
*
* @var mixed
*/
protected $_member;

The Doc description is a little bit vague.

Is this referring to a member in the sense of a 'user' who is a member of the site?
OR
Is this referring to a member in the sense of the class member/property name of the variable that holds the session object?

I will probably discover the answer soon enough through more research.

However, it might be nice to explicitly have the answer to this question available 'on the web' somewhere to make code analysis quicker for those who are following my path.

Any way - i hope to reply to this when i find out more about this.

Re: Zend_Acl , Ownership - request scope or injection in domain objects

2009-11-04T20:26:51Z

Where are you going to store the ACL - in a file most probably then isnt't going to slow down the application in event of high traffic i.e reading from the disk. I dont think using ACL for high traffic site is a good option. Looking at ZF's slow performance using ACL will act as icing on cake. Correct me if I am wrong and this reply is not to prove that what you're doing is wrong. Just sharing my thoughts.

On Fri, Oct 30, 2009 at 10:23 PM, Abraham Block <atblock@...> wrote:

A lot of people (me included), like to have their domain entities implement the ACL Role interface, and then have the ACL check directly against the domain entities in question. You can do this in a service layer, or perhaps with some kind of event system.

On Fri, Oct 30, 2009 at 12:37 PM, tomascejka <dis.cejkatomas@...> wrote:

Hi,

I stand before implementing authorization/ownership in ZF based application.
I am developer but now I ask you as developer and architect in one person. I
would like to know how to design authorization process. After I read some
sources - there are two articles which interest me.

A.
http://devzone.zend.com/article/3510-Zend_Acl-and-MVC-Integration-Part-II-Advanced-Use
B.
http://www.weierophinney.net/matthew/archives/201-Applying-ACLs-to-Models.html

Where is good location to check rights and ownership?

-----
Enviroment
==========

OS:
SUSE Linux Enterprice 10 (i586) - version 2.6.16.60-0.27-smp
Windows XP SP 3

Tomcat v6.0.16, 6.0.18
Java(TM) SE Runtime Enviroment (build 1.6.0-b105)
Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode)
Maven v2.0.9
Apache 2.2.11
MySQL 5.1.30
PHP 5.2.10
qooxdoo-0.8.2
Python 2.5
Zend framework 1.9.3
Dojo 1.3.2

Hudson:
=======
version 1.329
plugins: Maven 1.304, SSH Slaves
running: deployed in Tomcat

front-end developer web-based application
A.S.E.I. [http://www.asei.cz]
--
View this message in context: http://old.nabble.com/Zend_Acl-%2C-Ownership---request-scope-or-injection-in-domain-objects-tp26133244p26133244.html
Sent from the Zend Auth mailing list archive at Nabble.com.

Re: Zend_Acl , Ownership - request scope or injection in domain objects

2009-10-30T09:53:09Z

A lot of people (me included), like to have their domain entities implement the ACL Role interface, and then have the ACL check directly against the domain entities in question. You can do this in a service layer, or perhaps with some kind of event system.

On Fri, Oct 30, 2009 at 12:37 PM, tomascejka <dis.cejkatomas@...> wrote:

Hi,

I stand before implementing authorization/ownership in ZF based application.
I am developer but now I ask you as developer and architect in one person. I
would like to know how to design authorization process. After I read some
sources - there are two articles which interest me.

A.
http://devzone.zend.com/article/3510-Zend_Acl-and-MVC-Integration-Part-II-Advanced-Use
B.
http://www.weierophinney.net/matthew/archives/201-Applying-ACLs-to-Models.html

Where is good location to check rights and ownership?

-----
Enviroment
==========

OS:
SUSE Linux Enterprice 10 (i586) - version 2.6.16.60-0.27-smp
Windows XP SP 3

Tomcat v6.0.16, 6.0.18
Java(TM) SE Runtime Enviroment (build 1.6.0-b105)
Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode)
Maven v2.0.9
Apache 2.2.11
MySQL 5.1.30
PHP 5.2.10
qooxdoo-0.8.2
Python 2.5
Zend framework 1.9.3
Dojo 1.3.2

Hudson:
=======
version 1.329
plugins: Maven 1.304, SSH Slaves
running: deployed in Tomcat

front-end developer web-based application
A.S.E.I. [http://www.asei.cz]
--
View this message in context: http://old.nabble.com/Zend_Acl-%2C-Ownership---request-scope-or-injection-in-domain-objects-tp26133244p26133244.html
Sent from the Zend Auth mailing list archive at Nabble.com.

Zend_Acl , Ownership - request scope or injection in domain objects

2009-10-30T09:37:12Z

Hi,

I stand before implementing authorization/ownership in ZF based application. I am developer but now I ask you as developer and architect in one person. I would like to know how to design authorization process. After I read some sources - there are two articles which interest me.

A. http://devzone.zend.com/article/3510-Zend_Acl-and-MVC-Integration-Part-II-Advanced-Use
B. http://www.weierophinney.net/matthew/archives/201-Applying-ACLs-to-Models.html

Where is good location to check rights and ownership?

I suppose that interconnecting domain with acl is not good, but there is a something what I do not see...

Enviroment
==========

OS:
SUSE Linux Enterprice 10 (i586) - version 2.6.16.60-0.27-smp
Windows XP SP 3

Tomcat v6.0.16, 6.0.18
Java(TM) SE Runtime Enviroment (build 1.6.0-b105)
Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode)
Maven v2.0.9
Apache 2.2.11
MySQL 5.1.30
PHP 5.2.10
qooxdoo-0.8.2
Python 2.5
Zend framework 1.9.3
Dojo 1.3.2

Hudson:
=======
version 1.329
plugins: Maven 1.304, SSH Slaves
running: deployed in Tomcat

front-end developer web-based application
A.S.E.I. [http://www.asei.cz]

Re: Zend_Session::rememberMe() not working or not implemented correctly.

2009-10-16T08:26:54Z

Use the following to handle the "remember me" functionality:

            if ($this->_hasParam('rememberme') && $this->_getParam('rememberme')) {

            /**
                  * 'remeberMe' setting is defined it the global config
                  */
                Zend_Session::rememberMe();

            $saveHandler = Zend_Session::getSaveHandler();
            $saveHandler->setLifetime($this->_globalConfig->session->params->remember_me_seconds)
                        ->setOverrideLifetime(true);

            }

On Fri, Oct 16, 2009 at 9:36 AM, bmuse <brian.muse@...> wrote:

I'm trying to keep my users logged in for a month. Currently I'm calling
Zend_Session::start();
in my bootstrap.

In my login controller I have:
Zend_Session::rememberMe(60*60*24*7*4);

However, I'm only logged in in the current tab or window and the session
seems to expire after an hour or so.

Any advice on the proper way to set this up would be greatly appreciated.
--
View this message in context: http://www.nabble.com/Zend_Session%3A%3ArememberMe%28%29-not-working-or-not-implemented-correctly.-tp25926465p25926465.html
Sent from the Zend Auth mailing list archive at Nabble.com.

--
Cory Wiles
kwylez@...
http://www.corywiles.com/
http://www.randomthoughtprocess.com/

Zend_Session::rememberMe() not working or not implemented correctly.

2009-10-16T07:36:15Z

I'm trying to keep my users logged in for a month. Currently I'm calling
Zend_Session::start();
in my bootstrap.

In my login controller I have:
Zend_Session::rememberMe(60*60*24*7*4);

However, I'm only logged in in the current tab or window and the session seems to expire after an hour or so.

Any advice on the proper way to set this up would be greatly appreciated.

Re: Most Wanted: Zend_Acl Issues

2009-10-06T08:39:46Z

Hi Ralph,

I am interested in contributing to the Zend_Acl component. I am emailing my contributor agreement as we speak. I recently submitted an issue report on this component as well as a proposed fix. I'd like to formally submit this patch as well as tackle some of the issues you mention below. Right now I am particularly interested in adding more query methods, to get defined resources, roles, privileges.

Aaron

Ralph Schindler-2 wrote:

Hello everyone,

With the new states added to Zend Framework issues tracker, I have
pruned and triaged Zend_Acl's issues. You can tell them by the icon
that looks like this:

[I]

in the link below:

http://framework.zend.com/issues/secure/IssueNavigator.jspa?resolution=-1&component=10070

There are several issues listed (about 7) that sound like reasonable
requests or need further exploration, but are outside the scope of the
ZF Dev Team to work on.

If anyone would like to take them on, please let me know and we can work
together on a resolution.

Some of them include:

* Zend_Acl::Zend_Acl_Resource - equal childs for different parents
* Add methods to get defined roles, resources, rules
* Allow roles to be entered in array format in isAllowed
* Database Driven ACL
* add method to get parent resource and methods get all parents of roles
or resources
* Support adding parent(s) to existing Role
* Zend_Acl : debug for inheritance of rules : get source from used rule

While I encourage anyone to take what they find interesting, you can
also see what might be higher priority by looking at the votes column to
see how many people would be waiting on such a feature.

I'll be in #zftalk.dev, or reply to this thread if you'd like to take
something on.

Thanks!
-ralph

Re: a couple questions about customizing Zend_Auth

2009-09-30T07:12:40Z

On Tue, Sep 29, 2009 at 2:04 PM, Ralph Schindler <ralph.schindler@...> wrote:

used getDbSelect() to get the select and join() a table, and could not

This is a bug in Zend_Db_Select. Currently, calling join before from
causes odd SQL to be produced. It seems like fixing this issue:

http://framework.zend.com/issues/browse/ZF-6653

will probably solve yours. I have this slated for an upcoming release.

Interesting, and not entirely surprising. Most people probably think of building their SQL from left to right, so the join() before from() would be an unusual case that you can easily forgive developers for not anticipating.

and kept getting Zend_Auth_Adapter_Exception, invalid SQL statement.

In any event, I gave up on this approach and am now extending Zend_Auth_Adapter_DbTable and overriding authenticate(). Is this a reasonable solution?

This is a very reasonable solution, in fact, it was designed for. You
can see that since there are several small succinct methods that you can
override in Zend_Auth_Adapter_DbTable.

I extended Zend_Auth_Adapter_DbTable and implemented my own authenticate(), leveraging a couple of protected methods from the parent, stealing whoever's clever snippet that builds the boolean 'zend_auth_credential_match' expression, and adding the stuff I needed, e.g, a rather tortured SQL query because of my weird database structure, and a database update to set the users last_login timestamp. Works great.

Which brings me to the next question: suppose you want to add an authentication failure code that means 'account disabled.' Extend Zend_Auth_Result and have your authenticate return an instance of it?

It sounds like you want to build an Auth model, and inside that model,
extends Zend_Auth_Adapter_DbTable to detect this situation. I would
return the standard failure constant, but also add the message that you
feel you might want to use as the failure message.

Well, yeah -- if I understand correctly, that's what I've done.

Model_AuthAdapter extends Zend_Auth_Adapter_DbTable
{

const FAILURE_ACCOUNT_DISABLED = 'Account disabled.';

function authenticate() {

        $this->_authenticateResultInfo['identity'] = $this->_identity;
        // stolen from parent
        if (empty($this->_credentialTreatment) || (strpos($this->_credentialTreatment, '?') === false)) {
            $this->_credentialTreatment = '?';
        }
        $credentialExpression = new Zend_Db_Expr(
            '(CASE WHEN ' .
            $this->_zendDb->quoteInto(
                $this->_zendDb->quoteIdentifier($this->_credentialColumn, true)
                . ' = ' . $this->_credentialTreatment, $this->_credential
                )
            . ' THEN 1 ELSE 0 END) AS '
            . $this->_zendDb->quoteIdentifier('zend_auth_credential_match')
            );
        // end stolen part
        if ($this->_identityColumn == 'username') {
            $identityColumn = 'users.username';
        } elseif ($this->_identityColumn == 'email') {
            $identityColumn = 'people.email';
        } else {
            throw new Exception('invalid identity column: '.$this->_identityColumn);
        }
        $select = $this->_zendDb->select();
        $select
            ->from($this->_tableName, array('username','group_id','active','last_login', $credentialExpression))
            ->join('groups','users.group_id = groups.id',array('group'=>'groups.name'))
            ->join('people','users.person_id = people.id',array('id','lastname','firstname','email'))
            ->join('person_types','people.person_type_id = person_types.id',array('person_type'=>'flavor'))
            ->where("$identityColumn = ? ",$this->_identity) ;

        $this->_zendDb->setFetchMode(Zend_Db::FETCH_OBJ);
        $results = $this->_zendDb->fetchAll($select);
        // borrowed from parent
        if ( ($authResult = $this->_authenticateValidateResultset($results)) instanceof Zend_Auth_Result) {
            return $authResult;
        }
        $user = array_shift($results);
        $authResult = $this->_authenticateValidateResult((array)$user);
        // if everything is good so far, make sure account is active
        if ($authResult->isValid()) {
            if (! $user->active) {
                return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_UNCATEGORIZED,
                    $this->_identity,array(self::FAILURE_ACCOUNT_DISABLED));
            }
        }
        $this->_zendDb->update('users',   array('last_login' => time()),           $this->_zendDb->quoteInto( 'person_id = ?', $user->id ) );
         return $authResult;
    }

}

Thank you Ralph.

--
David Mintz
http://davidmintz.org/

The subtle source is clear and bright
The tributary streams flow through the darkness

Re: a couple questions about customizing Zend_Auth

2009-09-29T11:04:26Z

> used getDbSelect() to get the select and join() a table, and could not

This is a bug in Zend_Db_Select. Currently, calling join before from
causes odd SQL to be produced. It seems like fixing this issue:

http://framework.zend.com/issues/browse/ZF-6653

will probably solve yours. I have this slated for an upcoming release.

>
> and kept getting Zend_Auth_Adapter_Exception, invalid SQL statement.
>
> In any event, I gave up on this approach and am now extending
> Zend_Auth_Adapter_DbTable and overriding authenticate(). Is this a
> reasonable solution?

This is a very reasonable solution, in fact, it was designed for. You
can see that since there are several small succinct methods that you can
override in Zend_Auth_Adapter_DbTable.

> Which brings me to the next question: suppose you want to add an
> authentication failure code that means 'account disabled.' Extend
> Zend_Auth_Result and have your authenticate return an instance of it?

It sounds like you want to build an Auth model, and inside that model,
extends Zend_Auth_Adapter_DbTable to detect this situation. I would
return the standard failure constant, but also add the message that you
feel you might want to use as the failure message.

-ralph

Re: How to set up OpenID authentication

2009-09-24T10:04:36Z

I had problems with Google's OpenId. So far I understood, Zend_OpenId was not supporting final OpenId 2.0 protocol version (only draft 11 version of it).

Maybe you have intentions to implement it?

Or only me has problems with Google's openId? :-)

--
Regards,
Vladas Diržys

On Thu, Sep 24, 2009 at 18:47, Pádraic Brady <padraic.brady@...> wrote:

Unfortunately, Zend_Openid has a few issues. I started doing some testing last week and will roll in some fixes in a while. In the meantime, I suggest reverting to something like the Janrain PHP library while this is being fixed.

Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
OpenID Europe Foundation Irish Representative
From: iceangel89 <comet2005@...>
To: fw-auth@...
Sent: Thursday, September 24, 2009 3:12:07 PM
Subject: [fw-auth] How to set up OpenID authentication
How to set up OpenID authentication, something of that like StackOverflow. i tried the code from http://framework.zend.com/manual/en/zend.auth.adapter.openid.html
$status = "";
$auth = Zend_Auth::getInstance();
if ((isset($_POST['openid_action']) &&
     $_POST['openid_action'] == "login" &&


     !empty($_POST['openid_identifier'])) ||
    isset($_GET['openid_mode']) ||
    isset($_POST['openid_mode'])) {
    $result = $auth->authenticate(
        new Zend_Auth_Adapter_OpenId(@$_POST['openid_identifier']));


...
this code does not seem to be working... i keep getting posted back to the same page
View this message in context: How to set up OpenID authentication
Sent from the Zend Auth mailing list archive at Nabble.com.

a couple questions about customizing Zend_Auth

2009-09-24T09:32:21Z

I have tried getting Zend_Auth_Adapter_DbTable's authenticate() to fetch data from multiple joined tables so that getResultRowObject() would give me everything about the user that I wanted to load into the session. I used getDbSelect() to get the select and join() a table, and could not get it to work. (I actually thought I had it the other day, but it was a false positive.) Is this supposed to be possible? For example, I tried various variations on

$select = $authAdapter->getDbSelect();
$select
    ->where('users.active');
    ->join(array('groups'), 'groups.id = users.group_id',array('groups.name'=>'group'),array())
    ->join(array('people'),'users.person_id = people.id',array('lastname','firstname',))

and kept getting Zend_Auth_Adapter_Exception, invalid SQL statement.

In any event, I gave up on this approach and am now extending Zend_Auth_Adapter_DbTable and overriding authenticate(). Is this a reasonable solution?

Which brings me to the next question: suppose you want to add an authentication failure code that means 'account disabled.' Extend Zend_Auth_Result and have your authenticate return an instance of it?

Another possible solution: create a view (at the database level) that pulls together all the columns I want from the different tables. Any thoughts?

Thanks.

--
David Mintz
http://davidmintz.org/

The subtle source is clear and bright
The tributary streams flow through the darkness

Re: How to set up OpenID authentication

2009-09-24T08:47:40Z

Unfortunately, Zend_Openid has a few issues. I started doing some testing last week and will roll in some fixes in a while. In the meantime, I suggest reverting to something like the Janrain PHP library while this is being fixed.

Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
OpenID Europe Foundation Irish Representative

From: iceangel89 <comet2005@...>
To: fw-auth@...
Sent: Thursday, September 24, 2009 3:12:07 PM
Subject: [fw-auth] How to set up OpenID authentication

How to set up OpenID authentication, something of that like StackOverflow. i tried the code from http://framework.zend.com/manual/en/zend.auth.adapter.openid.html

$status = "";
$auth = Zend_Auth::getInstance();
if ((isset($_POST['openid_action']) &&
     $_POST['openid_action'] == "login" &&
     !empty($_POST['openid_identifier'])) ||
    isset($_GET['openid_mode']) ||
    isset($_POST['openid_mode'])) {
    $result = $auth->authenticate(
        new Zend_Auth_Adapter_OpenId(@$_POST['openid_identifier']));
...

this code does not seem to be working... i keep getting posted back to the same page

View this message in context: How to set up OpenID authentication
Sent from the Zend Auth mailing list archive at Nabble.com.

Pádraic Brady

Blog: http://blog.astrumfutura.com
Free Zend Framework Book: http://www.survivethedeepend.com
OpenID Europe Foundation - Irish Representative

How to set up OpenID authentication

2009-09-24T07:12:07Z

How to set up OpenID authentication, something of that like StackOverflow. i tried the code from http://framework.zend.com/manual/en/zend.auth.adapter.openid.html

$status = "";
$auth = Zend_Auth::getInstance();
if ((isset($_POST['openid_action']) &&
     $_POST['openid_action'] == "login" &&
     !empty($_POST['openid_identifier'])) ||
    isset($_GET['openid_mode']) ||
    isset($_POST['openid_mode'])) {
    $result = $auth->authenticate(
        new Zend_Auth_Adapter_OpenId(@$_POST['openid_identifier']));
...

this code does not seem to be working... i keep getting posted back to the same page UPDATE: oh i keep getting posted back because i forgot to add action and method attributes for the form. but now whats the meaning of Authentication failed Discovery failed?

Re: [zf-contributors] Re: [fw-auth] Re: [zf-contributors] Feedback on Zend_Auth_Adapter_Flexible?

2009-09-17T21:09:06Z

Hello!

Just thought I'd let y'all know that I've made a significant overhaul to my original proposal (now at http://framework.zend.com/wiki/display/ZFPROP/Zend_Controller_Action_Helper_AuthSelector+-+Adam+Jensen), reflecting what we discussed yesterday. I think it's a lot clearer now, but I'm open to any further suggestions. Thanks again for your help!

Adam

On Wed, Sep 16, 2009 at 7:36 PM, Adam Jensen <jazzslider@...> wrote:

Thank you both for your feedback on this; I'll be adjusting the proposal to reflect the new action helper approach as soon as I can. Seems like that's a better fit, and I'm happy to make the necessary changes.

Thanks!
Adam

On Wed, Sep 16, 2009 at 9:44 AM, Ralph Schindler <ralph.schindler@...> wrote:

All that said, I'm starting to wonder if my proposal might work better as an
action helper, since the main benefit is the simplification of controller
logic? It may be more complicated than that, but it's probably worth some
thought; any ideas?

This sounds like application logic in many ways -- even the forms would
differ for each in some cases (OpenID would require a URL only; LDAP and/or
DbTable would require user/pass, etc.). This sounds like several

The form part could be handled userland, but yes, an action helper that
takes the form input and does the adapter delegation makes sense.

I'd like to see you explore the controller/action-helper route. Currently, there is not much in the way of helpers or plugins that aid Zend_Auth in "coupling" with an applications AuthController.

Much like the viewRenderer helps the controller's job of interacting with Zend_View, I think it makes alot of sense to have something like, say, "authSelector" to help decide and load various pieces to the authentication puzzle: forms, views, form helpers, and finally actual auth adapter.

While, the term "flexible" is good, I think we need to find something more succinct that will, by name, identify its job to the developer immediately. Since you haven't gotten many comments on the original proposal, I can only guess that the naming is not something developers are immediately drawn to as its name does not conjure up any visions of what job it actually does.

Looking forward to your feedback now that I have a better grasp on what it is you are attempting to do!

-ralph

Re: [zf-contributors] Re: [fw-auth] Re: [zf-contributors] Feedback on Zend_Auth_Adapter_Flexible?

2009-09-16T17:36:36Z

Thank you both for your feedback on this; I'll be adjusting the proposal to reflect the new action helper approach as soon as I can. Seems like that's a better fit, and I'm happy to make the necessary changes.

Thanks!

Adam

On Wed, Sep 16, 2009 at 9:44 AM, Ralph Schindler <ralph.schindler@...> wrote:

All that said, I'm starting to wonder if my proposal might work better as an
action helper, since the main benefit is the simplification of controller
logic? It may be more complicated than that, but it's probably worth some
thought; any ideas?

This sounds like application logic in many ways -- even the forms would
differ for each in some cases (OpenID would require a URL only; LDAP and/or
DbTable would require user/pass, etc.). This sounds like several

The form part could be handled userland, but yes, an action helper that
takes the form input and does the adapter delegation makes sense.

I'd like to see you explore the controller/action-helper route. Currently, there is not much in the way of helpers or plugins that aid Zend_Auth in "coupling" with an applications AuthController.

Much like the viewRenderer helps the controller's job of interacting with Zend_View, I think it makes alot of sense to have something like, say, "authSelector" to help decide and load various pieces to the authentication puzzle: forms, views, form helpers, and finally actual auth adapter.

While, the term "flexible" is good, I think we need to find something more succinct that will, by name, identify its job to the developer immediately. Since you haven't gotten many comments on the original proposal, I can only guess that the naming is not something developers are immediately drawn to as its name does not conjure up any visions of what job it actually does.

Looking forward to your feedback now that I have a better grasp on what it is you are attempting to do!

-ralph

Re: [zf-contributors] Re: [fw-auth] Re: [zf-contributors] Feedback on Zend_Auth_Adapter_Flexible?

2009-09-16T07:44:20Z

>> All that said, I'm starting to wonder if my proposal might work better as an
>> action helper, since the main benefit is the simplification of controller
>> logic? It may be more complicated than that, but it's probably worth some
>> thought; any ideas?

> This sounds like application logic in many ways -- even the forms would
> differ for each in some cases (OpenID would require a URL only; LDAP and/or
> DbTable would require user/pass, etc.). This sounds like several

> The form part could be handled userland, but yes, an action helper that
> takes the form input and does the adapter delegation makes sense.

I'd like to see you explore the controller/action-helper route.
Currently, there is not much in the way of helpers or plugins that aid
Zend_Auth in "coupling" with an applications AuthController.

Much like the viewRenderer helps the controller's job of interacting
with Zend_View, I think it makes alot of sense to have something like,
say, "authSelector" to help decide and load various pieces to the
authentication puzzle: forms, views, form helpers, and finally actual
auth adapter.

While, the term "flexible" is good, I think we need to find something
more succinct that will, by name, identify its job to the developer
immediately. Since you haven't gotten many comments on the original
proposal, I can only guess that the naming is not something developers
are immediately drawn to as its name does not conjure up any visions of
what job it actually does.

Looking forward to your feedback now that I have a better grasp on what
it is you are attempting to do!

-ralph

Re: Re: [zf-contributors] Feedback on Zend_Auth_Adapter_Flexible?

2009-09-16T05:52:51Z

-- Adam Jensen <jazzslider@...> wrote
(on Tuesday, 15 September 2009, 05:43 PM -0500):

> Actually I'd spent some time looking at Zend_Auth_Adapter_Chain, but I feel
> like it's addressing a different use case.
>
> It seems like the chain adapter would work best in situations where the same
> set of credentials could be checked against multiple authentication sources for
> instance, a local username/password versus an LDAP username/password. The
> chain adapter makes it easy to support both in a single action with very little
> additional controller logic.
>
> However, if the user input requirements differ for each adapter (e.g., if you
> replace LDAP with OpenID in the above example), the chain approach isn't as
> viable. You now not only need differing authentication logic; you also need
> differing form objects, differing view scripts, and sometimes different action
> methods (esp. relevant w/OpenID, since OpenID auth takes several different
> requests, and not all are guaranteed to be POSTs). This is the use case that
> my proposal is designed to address; using the adapter I've proposed, it's a lot
> easier to support a wide variety of authentication adapters with a wide variety
> of user input requirements from within a single, tidy controller action.

Excellent synopsis of the difference in approach -- I suspected this
might be the case, but wanted you to verify (or not). :)

> All that said, I'm starting to wonder if my proposal might work better as an
> action helper, since the main benefit is the simplification of controller
> logic? It may be more complicated than that, but it's probably worth some
> thought; any ideas?

So, what I'm understanding is that you want functionality that makes it
possible to authenticate against any of several types of authentication
schemes, some of which may require different credentialing mechanisms.

This sounds like application logic in many ways -- even the forms would
differ for each in some cases (OpenID would require a URL only; LDAP and/or
DbTable would require user/pass, etc.). This sounds like several
cross-cutting concerns:

* a form with multiple types of credential, and a selector to
determine which to authenticate against
* logic to switch based on the authentication selector that would then
instantiate the appropriate auth adapter and validate it

The form part could be handled userland, but yes, an action helper that
takes the form input and does the adapter delegation makes sense.

> On Tue, Sep 15, 2009 at 11:29 AM, Matthew Weier O'Phinney <matthew@...>
> wrote:
>
> -- Adam Jensen <jazzslider@...> wrote
> (on Tuesday, 15 September 2009, 09:40 AM -0500):
> > Several months ago I posted a proposal (http://framework.zend.com/wiki/
> display/
> > ZFPROP/Zend_Auth_Adapter_Flexible+-+Adam+Jensen) for a new kind of
> > authentication adapter which simplifies the process of allowing multiple
> modes
> > of authentication (e.g., email/pass and OpenID) via the same controller
> and
> > view code.
> >
> > Unfortunately, I haven't received any community feedback, which either
> means my
> > proposal is (a) perfect, or (b) totally uninteresting :) I was hoping I
> could
> > entice some of you to take a look at it in the next couple of days to see
> if
> > there's anything I can improve before I promote it to Ready for
> Recommendation.
> > Please let me know what you think; personally, I've found that this
> approach
> > saves me a heck of a lot of code, and I'd love to see it added to the
> > framework.
>
> There's actually a proposal already accepted, Zend_Auth_Adapter_Chain,
> which may already do much of what you're proposing:
>
> http://framework.zend.com/wiki/display/ZFPROP/
> Zend_Auth_Adapter_Chain+-+Geoffrey+Tran
>
> I'm not sure what Geoffrey's timeframe for completion is, however.
>
> --
> Matthew Weier O'Phinney
> Project Lead | matthew@...
> Zend Framework | http://framework.zend.com/
>
>

--
Matthew Weier O'Phinney
Project Lead | matthew@...
Zend Framework | http://framework.zend.com/

Re: Re: [zf-contributors] Feedback on Zend_Auth_Adapter_Flexible?

2009-09-15T15:43:13Z

Hello!

Actually I'd spent some time looking at Zend_Auth_Adapter_Chain, but I feel like it's addressing a different use case.

It seems like the chain adapter would work best in situations where the same set of credentials could be checked against multiple authentication sources…for instance, a local username/password versus an LDAP username/password. The chain adapter makes it easy to support both in a single action with very little additional controller logic.

However, if the user input requirements differ for each adapter (e.g., if you replace LDAP with OpenID in the above example), the chain approach isn't as viable. You now not only need differing authentication logic; you also need differing form objects, differing view scripts, and sometimes different action methods (esp. relevant w/OpenID, since OpenID auth takes several different requests, and not all are guaranteed to be POSTs). This is the use case that my proposal is designed to address; using the adapter I've proposed, it's a lot easier to support a wide variety of authentication adapters with a wide variety of user input requirements from within a single, tidy controller action.

All that said, I'm starting to wonder if my proposal might work better as an action helper, since the main benefit is the simplification of controller logic? It may be more complicated than that, but it's probably worth some thought; any ideas?

Thanks!

Adam

On Tue, Sep 15, 2009 at 11:29 AM, Matthew Weier O'Phinney <matthew@...> wrote:

-- Adam Jensen <jazzslider@...> wrote
(on Tuesday, 15 September 2009, 09:40 AM -0500):

> Several months ago I posted a proposal (http://framework.zend.com/wiki/display/
> ZFPROP/Zend_Auth_Adapter_Flexible+-+Adam+Jensen) for a new kind of
> authentication adapter which simplifies the process of allowing multiple modes
> of authentication (e.g., email/pass and OpenID) via the same controller and
> view code.
>
> Unfortunately, I haven't received any community feedback, which either means my
> proposal is (a) perfect, or (b) totally uninteresting :) I was hoping I could
> entice some of you to take a look at it in the next couple of days to see if
> there's anything I can improve before I promote it to Ready for Recommendation.
> Please let me know what you think; personally, I've found that this approach
> saves me a heck of a lot of code, and I'd love to see it added to the
> framework.

There's actually a proposal already accepted, Zend_Auth_Adapter_Chain,
which may already do much of what you're proposing:

http://framework.zend.com/wiki/display/ZFPROP/Zend_Auth_Adapter_Chain+-+Geoffrey+Tran

I'm not sure what Geoffrey's timeframe for completion is, however.

--
Matthew Weier O'Phinney
Project Lead | matthew@...
Zend Framework | http://framework.zend.com/

Re: [zf-contributors] Feedback on Zend_Auth_Adapter_Flexible?

2009-09-15T09:29:11Z

-- Adam Jensen <jazzslider@...> wrote
(on Tuesday, 15 September 2009, 09:40 AM -0500):

> Several months ago I posted a proposal (http://framework.zend.com/wiki/display/
> ZFPROP/Zend_Auth_Adapter_Flexible+-+Adam+Jensen) for a new kind of
> authentication adapter which simplifies the process of allowing multiple modes
> of authentication (e.g., email/pass and OpenID) via the same controller and
> view code.
>
> Unfortunately, I haven't received any community feedback, which either means my
> proposal is (a) perfect, or (b) totally uninteresting :) I was hoping I could
> entice some of you to take a look at it in the next couple of days to see if
> there's anything I can improve before I promote it to Ready for Recommendation.
> Please let me know what you think; personally, I've found that this approach
> saves me a heck of a lot of code, and I'd love to see it added to the
> framework.

There's actually a proposal already accepted, Zend_Auth_Adapter_Chain,
which may already do much of what you're proposing:

http://framework.zend.com/wiki/display/ZFPROP/Zend_Auth_Adapter_Chain+-+Geoffrey+Tran

I'm not sure what Geoffrey's timeframe for completion is, however.

--
Matthew Weier O'Phinney
Project Lead | matthew@...
Zend Framework | http://framework.zend.com/

Feedback on Zend_Auth_Adapter_Flexible?

2009-09-15T07:40:22Z

Hello!

Several months ago I posted a proposal (http://framework.zend.com/wiki/display/ZFPROP/Zend_Auth_Adapter_Flexible+-+Adam+Jensen) for a new kind of authentication adapter which simplifies the process of allowing multiple modes of authentication (e.g., email/pass and OpenID) via the same controller and view code.

Unfortunately, I haven't received any community feedback, which either means my proposal is (a) perfect, or (b) totally uninteresting :) I was hoping I could entice some of you to take a look at it in the next couple of days to see if there's anything I can improve before I promote it to Ready for Recommendation. Please let me know what you think; personally, I've found that this approach saves me a heck of a lot of code, and I'd love to see it added to the framework.

Thanks!
Adam

Most Wanted: Zend_Acl Issues

2009-09-15T07:03:55Z

Hello everyone,

With the new states added to Zend Framework issues tracker, I have
pruned and triaged Zend_Acl's issues. You can tell them by the icon
that looks like this:

[I]

in the link below:

http://framework.zend.com/issues/secure/IssueNavigator.jspa?resolution=-1&component=10070

There are several issues listed (about 7) that sound like reasonable
requests or need further exploration, but are outside the scope of the
ZF Dev Team to work on.

If anyone would like to take them on, please let me know and we can work
together on a resolution.

Some of them include:

* Zend_Acl::Zend_Acl_Resource - equal childs for different parents
* Add methods to get defined roles, resources, rules
* Allow roles to be entered in array format in isAllowed
* Database Driven ACL
* add method to get parent resource and methods get all parents of roles
or resources
* Support adding parent(s) to existing Role
* Zend_Acl : debug for inheritance of rules : get source from used rule

While I encourage anyone to take what they find interesting, you can
also see what might be higher priority by looking at the votes column to
see how many people would be waiting on such a feature.

I'll be in #zftalk.dev, or reply to this thread if you'd like to take
something on.

Thanks!
-ralph

Odd behaviour with storage cookie.

2009-09-13T05:22:30Z

I'm using a Storage_Cookie like http://metaversedeveloper.com/2009/01/03/logging-in-users-via-zend_auth-without-sessions-in-php-zend-framework/ I only add json_encode/decode to manage the not scalar data.

I've had trouble with the logout method because the $auth->hasIdentity() was still true after the logout action.

I end up with this code and it works but it seems to me just a little odd

public function clear()
    {
        if (!setcookie($this->_cookieName,
                       false, // clears the cookie
                       time()-$this->_expire,
                       $this->getBasedir())) {
            throw new Zend_Auth_Storage_Exception('Failed to clear cookie');
        }
        /* odd ! with a DEBUG session it is set with the user email !!!!!!!
used as identity
 */
        unset($_SESSION[$this->_cookieName]);
        unset($_COOKIE[$this->_cookieName]);
    }

In my bootstrap
protected function _initAuth()
    {
        $auth = Zend_Auth::getInstance(); 
        if(null !== W_Cookie::get('wh')){
            $auth->setStorage(new W_Auth_Storage_Cookie(md5('ayn'), md5('ayn')));
        }
        else{
            $auth->setStorage(new Zend_Auth_Storage_Session(md5('ayn')));
        }
        Zend_Registry::set('auth', $auth);
    }
In my controller
LOGIN
W_Cookie::deleteCookie('wh'); 
                    if(!empty($remember)){
                         W_Cookie::setCookie('wh',md5(time())); 
                         $this->auth->setStorage(new W_Auth_Storage_Cookie(md5('ayn'), md5('ayn')));
                    }
                    $this->auth->getStorage()->write($data);

LOGOUT
 W_Cookie::deleteCookie('wh'); 
        $this->auth->clearIdentity();
        $this->_helper->redirector('index','index','default');


Does anyone know why ?
Thanks in advance
Bye

Re: Zend_Acl and pagination

2009-09-04T16:59:53Z

Of course I meant asynchronously, not synchronously.

-Matt

On Friday, September 4, 2009, Matthew Ratzloff <matt@...> wrote:

> Hi Adam,
>
> That sounds like it may be premature optimization. If you find while
> testing that it is a problem, however, create a script that generates
> lists for each role and kick it off synchronously when an article is
> created or deleted.
>
> -Matt
>
> On Friday, September 4, 2009, Adam Jensen <jazzslider@...> wrote:
>> Interesting…I hadn't thought to apply caching in that way; good call. Allows me to do all the access control at the application level rather than tying it to the database, which is exactly what I wanted.
>>
>> The one downside, I suppose, is that the unlucky user who hits the site when neither cache has been generated yet will have to wait quite awhile, especially if there are lots of posts in the database, since that initial query doesn't have the benefit of pagination at all. I suppose I could try to grab that request via a cron job periodically so that it didn't have to affect any live users.
>>
>> Anyway, thanks for your help!
>> Adam
>>
>>
>> On Fri, Sep 4, 2009 at 12:20 PM, Matthew Ratzloff <matt@...> wrote:
>> Hi Adam,
>> I'd store an array representation of the result set in memory (memcache or similar) and apply the ACL rules against the cached array, generating a new array you can paginate. Cache this new array with an ID that is easily recoverable.
>>
>>
>> {{{if specific array does not exist in memcache if raw array does not exist in memcache query database store array in memcache end if
>>
>>
>> create specific array from filtered raw array store specific arrayend if
>> return specific array}}}
>> -Matt
>>
>>
>> On Fri, Sep 4, 2009 at 5:55 AM, Adam Jensen <jazzslider@...> wrote:
>>
>>
>> Hello!
>>
>> Got an interesting problem I was hoping some of you could help me with. I'm trying to figure out the best way to do result set pagination in combination with Zend_Acl-based access control. Let me explain…
>>
>> Start with the following assumptions:
>>
>> 1. You have a database table containing 500 or so blog posts.
>> 2. One of the resources set up in your Bootstrap class is a Zend_Acl object, containing all the rules you'll need to control access to those blog posts. Some of these rules might be based on stuff in the database, but some of them might not be…the ACL object controls all that.
>> 3. You want to set up a paginated listing view for your blog posts; each page is to list exactly 10 posts, and contain pagination links to get to all the other pages.
>>
>> So, in the action method for that listing view, we do the following:
>>
>> 1. Pull the models in by database query (really, the query would probably be in a service layer rather than hard-coded into the action, but for this example that's not really important)
>> 2. Loop through the result set and check each result against the ACL object to see if it's allowed for the current user; if not, remove it from the result set.
>> 3. Pass the adjusted result set to the view for rendering.
>>
>> Suppose, however, that of the 10 results we get back, 3 of them aren't permissible for the current user. That means we're only left with 7 results to show, when the user is expecting 10. Or, suppose that of the 10 results, all 10 are impermissible…in that case, the user sees nothing but a set of pagination links, with no guarantee that any of the links will lead to better results.
>>
>> Now, one possible solution here would be to adjust the database query to account for access control, but then we'd have to maintain access control logic in two places: the ACL and the database query itself. Plus, if the ACL object is basing its rules on information not found in the database (dunno how realistic that is, but I'm exploring all angles), we can't take this approach at all.
>>
>> So the problem in a nutshell is this: how can I ensure a paginated result set of exactly 10 items per page when the access control is handled outside of the database query?
>>
>> Thanks!
>> Adam Jensen
>>
>>
>>
>>
>

Re: Zend_Acl and pagination

2009-09-04T16:58:07Z

Hi Adam,

That sounds like it may be premature optimization. If you find while
testing that it is a problem, however, create a script that generates
lists for each role and kick it off synchronously when an article is
created or deleted.

-Matt

On Friday, September 4, 2009, Adam Jensen <jazzslider@...> wrote:

> Interesting…I hadn't thought to apply caching in that way; good call. Allows me to do all the access control at the application level rather than tying it to the database, which is exactly what I wanted.
>
> The one downside, I suppose, is that the unlucky user who hits the site when neither cache has been generated yet will have to wait quite awhile, especially if there are lots of posts in the database, since that initial query doesn't have the benefit of pagination at all. I suppose I could try to grab that request via a cron job periodically so that it didn't have to affect any live users.
>
> Anyway, thanks for your help!
> Adam
>
>
> On Fri, Sep 4, 2009 at 12:20 PM, Matthew Ratzloff <matt@...> wrote:
> Hi Adam,
> I'd store an array representation of the result set in memory (memcache or similar) and apply the ACL rules against the cached array, generating a new array you can paginate. Cache this new array with an ID that is easily recoverable.
>
>
> {{{if specific array does not exist in memcache if raw array does not exist in memcache query database store array in memcache end if
>
>
> create specific array from filtered raw array store specific arrayend if
> return specific array}}}
> -Matt
>
>
> On Fri, Sep 4, 2009 at 5:55 AM, Adam Jensen <jazzslider@...> wrote:
>
>
> Hello!
>
> Got an interesting problem I was hoping some of you could help me with. I'm trying to figure out the best way to do result set pagination in combination with Zend_Acl-based access control. Let me explain…
>
> Start with the following assumptions:
>
> 1. You have a database table containing 500 or so blog posts.
> 2. One of the resources set up in your Bootstrap class is a Zend_Acl object, containing all the rules you'll need to control access to those blog posts. Some of these rules might be based on stuff in the database, but some of them might not be…the ACL object controls all that.
> 3. You want to set up a paginated listing view for your blog posts; each page is to list exactly 10 posts, and contain pagination links to get to all the other pages.
>
> So, in the action method for that listing view, we do the following:
>
> 1. Pull the models in by database query (really, the query would probably be in a service layer rather than hard-coded into the action, but for this example that's not really important)
> 2. Loop through the result set and check each result against the ACL object to see if it's allowed for the current user; if not, remove it from the result set.
> 3. Pass the adjusted result set to the view for rendering.
>
> Suppose, however, that of the 10 results we get back, 3 of them aren't permissible for the current user. That means we're only left with 7 results to show, when the user is expecting 10. Or, suppose that of the 10 results, all 10 are impermissible…in that case, the user sees nothing but a set of pagination links, with no guarantee that any of the links will lead to better results.
>
> Now, one possible solution here would be to adjust the database query to account for access control, but then we'd have to maintain access control logic in two places: the ACL and the database query itself. Plus, if the ACL object is basing its rules on information not found in the database (dunno how realistic that is, but I'm exploring all angles), we can't take this approach at all.
>
> So the problem in a nutshell is this: how can I ensure a paginated result set of exactly 10 items per page when the access control is handled outside of the database query?
>
> Thanks!
> Adam Jensen
>
>
>
>

Re: Zend_Acl and pagination

2009-09-04T15:11:50Z

Interesting…I hadn't thought to apply caching in that way; good call. Allows me to do all the access control at the application level rather than tying it to the database, which is exactly what I wanted.

The one downside, I suppose, is that the unlucky user who hits the site when neither cache has been generated yet will have to wait quite awhile, especially if there are lots of posts in the database, since that initial query doesn't have the benefit of pagination at all. I suppose I could try to grab that request via a cron job periodically so that it didn't have to affect any live users.

Anyway, thanks for your help!
Adam

On Fri, Sep 4, 2009 at 12:20 PM, Matthew Ratzloff <matt@...> wrote:

Hi Adam,

I'd store an array representation of the result set in memory (memcache or similar) and apply the ACL rules against the cached array, generating a new array you can paginate. Cache this new array with an ID that is easily recoverable.

{{{
if specific array does not exist in memcache
   if raw array does not exist in memcache
   query database
        store array in memcache
   end if

   create specific array from filtered raw array
   store specific array
end if

return specific array
}}}

-Matt

On Fri, Sep 4, 2009 at 5:55 AM, Adam Jensen <jazzslider@...> wrote:

Hello!

Got an interesting problem I was hoping some of you could help me with. I'm trying to figure out the best way to do result set pagination in combination with Zend_Acl-based access control. Let me explain…

Start with the following assumptions:

1. You have a database table containing 500 or so blog posts.
2. One of the resources set up in your Bootstrap class is a Zend_Acl object, containing all the rules you'll need to control access to those blog posts. Some of these rules might be based on stuff in the database, but some of them might not be…the ACL object controls all that.
3. You want to set up a paginated listing view for your blog posts; each page is to list exactly 10 posts, and contain pagination links to get to all the other pages.

So, in the action method for that listing view, we do the following:

1. Pull the models in by database query (really, the query would probably be in a service layer rather than hard-coded into the action, but for this example that's not really important)
2. Loop through the result set and check each result against the ACL object to see if it's allowed for the current user; if not, remove it from the result set.
3. Pass the adjusted result set to the view for rendering.

Suppose, however, that of the 10 results we get back, 3 of them aren't permissible for the current user. That means we're only left with 7 results to show, when the user is expecting 10. Or, suppose that of the 10 results, all 10 are impermissible…in that case, the user sees nothing but a set of pagination links, with no guarantee that any of the links will lead to better results.

Now, one possible solution here would be to adjust the database query to account for access control, but then we'd have to maintain access control logic in two places: the ACL and the database query itself. Plus, if the ACL object is basing its rules on information not found in the database (dunno how realistic that is, but I'm exploring all angles), we can't take this approach at all.

So the problem in a nutshell is this: how can I ensure a paginated result set of exactly 10 items per page when the access control is handled outside of the database query?

Thanks!
Adam Jensen