Today i was looking for a nice tutorial about how to use Zend_Acl to check on every page request if the user has the right to access the controller/action. Now, there are some infos about that out there, but either they’re outdated, or not useable, cause the code is incomplete, or doesnt work at all.
So this is the solution i came up with during the day. I will start at the entry point, the Bootstrap.php.


  1. protected function _initAuth() {
    // set up the roles and resources
    $acl = H_Plugin_Acl::getInstance();
    $fc = $this->getResource(‚frontController‘);
    // check the rights vs. the roles
    $fc->registerPlugin(new H_Plugin_Accescontrol($acl), 10);

  2. Now, my acl class:
    class H_Plugin_Acl extends Zend_Acl
    const ROLE_GUEST = ‚guest‘;
    const ROLE_ADMIN = ‚admin‘;
    protected static $_instance;
    / Singleton pattern /
    protected function __construct()
    $this->addRole(new Zend_Acl_Role(self::ROLE_GUEST));
    $this->addRole(new Zend_Acl_Role(self::ROLE_ADMIN), self::ROLE_GUEST);
    $this->addResource(new Zend_Acl_Resource(‚index‘))
    ->addResource(new Zend_Acl_Resource(‚admin‘))
    ->addResource(new Zend_Acl_Resource(‚auth‘))
    $this->allow(‚guest‘, ‚index‘);
    $this->allow(‚guest‘, ‚auth‘);
    $this->allow(‚admin‘, ‚admin‘);
    return $this;
    public static function getInstance()
    if (null === self::$_instance) {
    self::$_instance = new self();
    return self::$_instance;

  3. Now, the class to check the user against the acl:
    class H_Plugin_Accescontrol extends Zend_Controller_Plugin_Abstract {
    private $auth;
    private $acl;
    public function __construct(Zend_Acl $acl){
    $this->auth = Zend_Auth::getInstance();
    $this->acl = $acl;
    public function preDispatch(Zend_Controller_Request_Abstract $request) {
    if ($this->auth->hasIdentity()){// && Zend_Registry::isRegistered(’strRole‘)){
    // fetchbyloginname calls a ModelMapper, and the method retrieves the user from db which is logged in
    // also have a look at: where we have set up a nice caching system for zend
    $objBenutzer = Model_BenutzerMapper::getCachedInstance()->fetchByLoginname($this->auth->getIdentity());
    $role = $objBenutzer->getRole();
    Zend_Registry::set(’numBenutzerId‘, $objBenutzer->getId());
    Zend_Registry::set(’strRole‘, $objBenutzer->getRole());
    } else {
    $role = ‚guest‘;
    $resource = $request->getControllerName();
    if (!$this->acl->has($resource)) {
    $resource = null;
    if (!$this->acl->isAllowed($role, $resource)) {
    if ($this->auth->hasIdentity()) {
    // angemeldet, aber keine Rechte -> Fehler!
    } else {
    //nicht angemeldet -> Login

  4. And finally the navigation with acl, which is very simple, this is what i have in my standard layout.phtml:
    $HPN = new H_Plugin_Navigation();
    $nav = $HPN->getNav();
    $acl = H_Plugin_Acl::getInstance();
    $strRole = null;
    $strRole = Zend_Registry::get(’strRole‘);
    echo $this->navigation($nav)->menu()->setAcl($acl)->setRole($strRole);


Thats basically it, my user table consists of at least 3 entries: role, loginname, passwort, where role is an enum of all the available roles in the Zend_Acl.
This is a very basic example, of course you can get that all cached, read the roles und rules from db, etc. but for small projects, thats most of the times to much overhaul :-)

Ah, and not to forget, i wont paste the Zend_Auth class here, cause thats pretty standard, something that can be found everywhere :-)