documentation/manual/ko/module_specs/Zend_Acl-Refining.xml

   1 <sect1 id="zend.acl.refining">
   2
   3     <title>접근 제어의 정련(精鍊)</title>
   4
   5     <sect2 id="zend.acl.refining.precise">
   6
   7         <title>정확한 접근 제어</title>
   8
   9         <para>
  10         <link linkend="zend.acl.introduction">이전 장</link>에서 정의한 기본적인 ACL에서는, 다양한
  11         규칙을 ACL 전체(모든 자원)에 대해서 적용했습니다. 그러나 실제로 접근 제어에는 다양하고 복잡한
  12         단계와 예외사항을 만나기 쉽습니다. Zend_Acl은 이러한 경우에도 간단하고 유연한 방법으로
  13         대응할 수 있습니다.
  14         </para>
  15
  16         <para>
  17         예로 든 CMS에서 대부분의 유저를 'staff'그룹에서 정리해 관리하고 있었습니다. 여기에서는 CMS의
  18         뉴스레터나 최신 뉴스에의 접근을 필요로 하는 'marketing'이라는 새로운 그룹을 만듭니다. 이 그룹은
  19         뉴스레터 및 최신 뉴스의 발행과 보존 권한을 가집니다.
  20         </para>
  21
  22         <para>
  23         덧붙여, 'staff'그룹은 뉴스의 내용은 열람할 수는 있지만, 최신 뉴스의 수정은 할 수 없게 합니다.
  24         마지막으로, 누구라도 (administrators를 포함해서) '발표' 뉴스 내용은 보존할 수 없게 합니다.
  25         왜냐하면, 그것들의 유효기간은 1 ~ 2일 정도 밖에 되지 않기 때문입니다.
  26         </para>
  27
  28         <para>
  29         먼저, 이러한 변경을 반영시키기 위해 롤 레지스트리를 수정합니다. 'staff'그룹과 동일한 기본 권한을
  30         가지는 'marketing'그룹을 만들기로 했으므로, 'marketing'그룹을 만들고, 'staff'그룹으로 부터 권한을
  31         상속받습니다:
  32         </para>
  33
  34         <programlisting role="php"><![CDATA[<?php
  35 // 새로운 marketing그룹은 staff그룹으로부터 권한을 상속받습니다
  36 $acl->addRole(new Zend_Acl_Role('marketing'), 'staff');]]>
  37         </programlisting>
  38
  39         <para>
  40         다음에, 위의 접근 제어는 특정 자원(예: "newsletter","latest news","announcement news")에 대해 한정되는 것에 주의하시기 바랍니다. 이제 우리는 다음과 같이 이들 자원을 추가합니다:
  41         </para>
  42
  43         <programlisting role="php"><![CDATA[<?php
  44 // 규칙을 적용할 자원을 만듭니다
  45 require_once 'Zend/Acl/Resource.php';
  46 $acl->add(new Zend_Acl_Resource('newsletter'));           // newsletter
  47 $acl->add(new Zend_Acl_Resource('news'));                 // news
  48 $acl->add(new Zend_Acl_Resource('latest'), 'news');       // latest news
  49 $acl->add(new Zend_Acl_Resource('announcement'), 'news'); // announcement news]]>
  50         </programlisting>
  51
  52         <para>
  53         그러면, 이들에게 ACL의 해당 범위에 특정 규칙들을 정의하는 문제는 간단합니다:
  54         </para>
  55
  56         <programlisting role="php"><![CDATA[<?php
  57 // Marketing그룹은 뉴스레터 및 최신 뉴스를 발행, 보존할 수 없으면 안됩니다
  58 $acl->allow('marketing', array('newsletter', 'latest'), array('publish', 'archive'));
  59
  60 // Staff (그리고 상속에 의한 marketing)그룹은 최신 뉴스의 수정을 할 수 없습니다
  61 $acl->deny('staff', 'latest', 'revise');
  62
  63 // 전원 (administrators를 포함해서)은 발표 뉴스를 보존할 수 없습니다
  64 $acl->deny(null, 'announcement', 'archive');]]>
  65         </programlisting>
  66
  67         <para>
  68         이것으로, 이제 최신 변경 내용을 반영한 ACL에 질의할 수 있습니다:
  69         </para>
  70
  71         <programlisting role="php"><![CDATA[<?php
  72 echo $acl->isAllowed('staff', 'newsletter', 'publish') ?
  73      "allowed" : "denied"; // denied
  74
  75 echo $acl->isAllowed('marketing', 'newsletter', 'publish') ?
  76      "allowed" : "denied"; // allowed
  77
  78 echo $acl->isAllowed('staff', 'latest', 'publish') ?
  79      "allowed" : "denied"; // denied
  80
  81 echo $acl->isAllowed('marketing', 'latest', 'publish') ?
  82      "allowed" : "denied"; // allowed
  83
  84 echo $acl->isAllowed('marketing', 'latest', 'archive') ?
  85      "allowed" : "denied"; // allowed
  86
  87 echo $acl->isAllowed('marketing', 'latest', 'revise') ?
  88      "allowed" : "denied"; // denied
  89
  90 echo $acl->isAllowed('editor', 'announcement', 'archive') ?
  91      "allowed" : "denied"; // denied
  92
  93 echo $acl->isAllowed('administrator', 'announcement', 'archive') ?
  94      "allowed" : "denied"; // denied]]>
  95         </programlisting>
  96
  97     </sect2>
  98
  99     <sect2 id="zend.acl.refining.removing">
 100
 101         <title>접근 제어의 삭제</title>
 102
 103         <para>
 104         ACL로부터 하나 또는 복수의 접근 규칙을 삭제하려면, <code>removeAllow()</code> 또는 <code>removeDeny()</code> 메소드를 사용합니다. <code>allow()</code> 및 <code>deny()</code>와 같이, null값을 지정하면 모든 롤이나 자원, 권한을 나타내게 됩니다:
 105         </para>
 106
 107         <programlisting role="php"><![CDATA[<?php
 108 // staff(그리고 상속에 의한 marketing)그룹으로부터 최신 뉴스의 수정 거부를 삭제합니다
 109 $acl->removeDeny('staff', 'latest', 'revise');
 110
 111 echo $acl->isAllowed('marketing', 'latest', 'revise') ?
 112      "allowed" : "denied"; // allowed
 113
 114 // marketing그룹으로부터 뉴스레터의 발행 및 보존 권한을 없앱니다
 115 $acl->removeAllow('marketing', 'newsletter', array('publish', 'archive'));
 116
 117 echo $acl->isAllowed('marketing', 'newsletter', 'publish') ?
 118      "allowed" : "denied"; // denied
 119
 120 echo $acl->isAllowed('marketing', 'newsletter', 'archive') ?
 121      "allowed" : "denied"; // denied]]>
 122         </programlisting>
 123
 124         <para>
 125         위에서 설명한 것처럼, 서서히 권한을 변경해 나갈 수도 있습니다만, 권한에 대해서 <code>null</code>
 126         값을 설정하면, 이러한 변경을 일괄적으로 수행할 수 있습니다.
 127         </para>
 128
 129         <programlisting role="php"><![CDATA[<?php
 130 // marketing그룹에 대해 최신 뉴스의 모든 권한을 허가합니다
 131 $acl->allow('marketing', 'latest');
 132
 133 echo $acl->isAllowed('marketing', 'latest', 'publish') ?
 134      "allowed" : "denied"; // allowed
 135
 136 echo $acl->isAllowed('marketing', 'latest', 'archive') ?
 137      "allowed" : "denied"; // allowed
 138
 139 echo $acl->isAllowed('marketing', 'latest', 'anything') ?
 140      "allowed" : "denied"; // allowed]]>
 141         </programlisting>
 142
 143     </sect2>
 144
 145 </sect1>