How to manage users' access to items of other users in ZF2?


I use a simple ACL inspired by this video tutorial. The acl.global.php has a structure like

return [
    'acl' => [
        'roles' => [
            'guest' => null,
            'member' => 'guest',
            'admin' => 'member'
        ],
        'resources' => [
            'allow' => [
                'Application\Controller\Index' => ['all' => 'member'],
                'Application\Controller\Error' => ['all' => 'member'],
                'Item\Controller\Process' => [
                    'index' => 'member',
                    'create' => 'member',
                    'showItem' => 'member', // website.tld/item/:id
                    'showList' => 'member' // website.tld/list-items
                ]
            ]
        ],
        'redirect_route' => [
            'params' => [],
            'options' => ['name' => 'error403']
        ]
    ]
];

There is an Authorization\Acl\Acl class that extends Zend\Permissions\Acl\Acl and adds to it the functionality for setting up an object using the data from the config file above.

The third and last actor is the Authorization\Module class. There, the ACL processing is added as a route event listener, and in this listener method, if (! $acl->isAllowed($role, $controller, $action)), the user gets a 403 HTTP status code and the corresponding view.

Now I additionally want to restrict the users' access to items (articles, orders, comments, etc.). The user should only be able to see the detailed view of an item (showItemAction) if he is its owner/author. How can I integrate such logic into the ACL?
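One way to express the ownership rule with Zend\Permissions\Acl's own assertion mechanism, added here as an example and not code from the question or from the linked tutorial. The route listener runs before the item is loaded, so it cannot decide ownership; the example therefore keeps the coarse `showItem` rule for the route check and adds a second, per-item privilege (here named `readItem`) that is checked inside the action once the item is known. Zend\Permissions\Acl passes the role and resource objects given to isAllowed() through to the assertion unchanged, which is what lets the user id and owner id travel along. The class names UserRole, ItemResource and OwnerAssertion, the privilege name `readItem` and the sample ids are assumptions; the ACL is built inline rather than through the config-driven Authorization\Acl\Acl.

```php
<?php
use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Assertion\AssertionInterface;
use Zend\Permissions\Acl\Resource\ResourceInterface;
use Zend\Permissions\Acl\Role\RoleInterface;

// Hypothetical role object: the ACL role name plus the id of the logged-in user.
class UserRole implements RoleInterface
{
    private $roleId;
    private $userId;
    public function __construct($roleId, $userId) { $this->roleId = $roleId; $this->userId = $userId; }
    public function getRoleId() { return $this->roleId; }
    public function getUserId() { return $this->userId; }
}

// Hypothetical resource object: the controller's resource id plus the owner of the loaded item.
class ItemResource implements ResourceInterface
{
    private $ownerId;
    public function __construct($ownerId) { $this->ownerId = $ownerId; }
    public function getResourceId() { return 'Item\Controller\Process'; }
    public function getOwnerId() { return $this->ownerId; }
}

// Assertion attached to the allow rule: grants the privilege only to the item's owner.
class OwnerAssertion implements AssertionInterface
{
    public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
    {
        if (!$role instanceof UserRole || !$resource instanceof ItemResource) {
            return false; // fail closed when called without a user/item context
        }
        return (int) $role->getUserId() === (int) $resource->getOwnerId();
    }
}

$acl = new Acl();
$acl->addRole('guest')->addRole('member', 'guest')->addRole('admin', 'member');
$acl->addResource('Item\Controller\Process');
$acl->allow('member', 'Item\Controller\Process', 'showItem');                       // route level: may reach the action
$acl->allow('member', 'Item\Controller\Process', 'readItem', new OwnerAssertion()); // action level: own items only
$acl->allow('admin', 'Item\Controller\Process', 'readItem');                        // admins read any item

// Inside showItemAction(), after the item has been loaded (constructed sample values):
$me = new UserRole('member', 7);
var_dump($acl->isAllowed($me, new ItemResource(7), 'readItem'));  // the user's own item
var_dump($acl->isAllowed($me, new ItemResource(42), 'readItem')); // somebody else's item
```

When the action-level check fails, the action should return the same 403 response the route listener produces, so that a guessed item id reveals nothing beyond "forbidden".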
