display only certain Zend Form elements based on ACL

I have a standard Zend update user form that includes Zend ACL roles in a drop-down, e.g. guest, user, admin. The idea is that an administrator could change the role of the users via the update user form. The user/update controller displays the entire form. I want to use the same form so that the user can update their profile, but I don't want a non-admin to be able to change or even see their role.

How do I hide the role or deactivate the role dropdown in Zend Form?

I tried using removeElement, which removes the field altogether. The problem here is that the original role value gets overwritten.

Thanks
// ZEND FORM CODE I WANT TO HIDE IF NOT ADMIN
$role = $this->createElement('select', 'role');
$role->setLabel("Select a role:");
$role->addMultiOption('user', 'Normal User');
$role->addMultiOption('administrator', 'Fully privileged Admin');
$this->addElement($role);

// UPDATE CONTROLLER
public function updateAction() {
    $userForm = new Form_User();
    $userForm->setAction('/user/update');
    $userForm->removeElement('password');
    $userModel = new Model_User();
    if ($this->_request->isPost()) {
        if ($userForm->isValid($_POST)) {
            $userModel->updateUser(
                $userForm->getValue('id'),
                $userForm->getValue('username'),
                $userForm->getValue('first_name'),
                $userForm->getValue('last_name'),
                $userForm->getValue('role')
            );
            $this->view->error = 'User updated';
            return $this->_forward('list');
        }
    } else {
        $id = $this->_request->getParam('id');
        $currentUser = $userModel->find($id)->current();
        $userForm->populate($currentUser->toArray());
    }
    $this->view->form = $userForm;
}

kent3800Asked:
UtteCommented:
First you need to read the ACL part of Zend Framework.

Here is some proposed code:
$acl = new Zend_Acl();

$acl->addRole(new Zend_Acl_Role('admin'));

$acl->addRole(new Zend_Acl_Role('AllowedUser'), 'admin');

$acl->add(new Zend_Acl_Resource('someResource'));

$acl->allow('admin', 'someResource');

if ($acl->isAllowed('AllowedUser', 'someResource')) {
    // part to show...
}
kent3800Author Commented:
OK. Thanks. Looks like I was a victim of the classic ACL vs. Auth newbie problem. Below is how I ended up solving my form element toggle using Zend_Auth. This is fine, but it can be hacked in Firebug by changing the hidden field to admin if you are a user. I guess I can switch this logic to the update DB logic. Is there a better way to do this?
// In User Form
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
    if ($auth->getIdentity()->role == 'admin') {
        $role = $this->createElement('select', 'role');
        $role->setLabel("Select a role:");
        $role->addMultiOption('user', 'Normal User');
        $role->addMultiOption('admin', 'Fully privileged Admin');
    } else {
        $role = $this->createElement('hidden', 'role');
    }
    $this->addElement($role);
}

// UPDATE USER CONTROLLER
public function updateAction() {
    $userForm = new Form_User();
    $userForm->setAction('/user/update');
    $userForm->removeElement('password');
    $userModel = new Model_User();
    if ($this->_request->isPost()) {
        if ($userForm->isValid($_POST)) {
            $userModel->updateUser(
                $userForm->getValue('id'),
                $userForm->getValue('username'),
                $userForm->getValue('first_name'),
                $userForm->getValue('last_name'),
                $userForm->getValue('role')
            );
            $this->view->error = 'User updated';
            return $this->_forward('list');
        }
    } else {
        $id = $this->_request->getParam('id');
        $currentUser = $userModel->find($id)->current();
        $userForm->populate($currentUser->toArray());
    }
    $this->view->form = $userForm;
}

UtteCommented:
I think you should put it in a session, so you keep the value on the server and not in the HTML...

And then in the update action make the verification again before accepting the role value in the form.
kent3800Author Commented:
OK. Thanks! Are you suggesting saving the admin role value in a Zend_Registry session in the _initAutoload() bootstrap, i.e.

$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
    // store a real boolean rather than the strings "true"/"false"
    if ($auth->getIdentity()->role == 'admin') {
        Zend_Registry::set('isAdmin', true);
    } else {
        Zend_Registry::set('isAdmin', false);
    }
}

and then calling it in the update function like this:

$checkAdmin = Zend_Registry::get('isAdmin');
if ($checkAdmin === true) { ... change role to admin ... }
UtteCommented:
Yes.

But you could just do validation again like you did the first time.
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
    if ($auth->getIdentity()->role == 'admin') {
        // only here accept the submitted role value
    }
}

I think that would make code maintenance easier.
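The server-side re-check Utte describes, carried through the asker's updateAction as an added example (not code from the thread). It assumes the Form_User, Model_User, find()->current() and updateUser() signatures posted above; the _callerIsAdmin() helper and the $_assignableRoles list are assumptions introduced here.

```php
<?php
// Added example: the submitted 'role' value is honoured only when the server
// has verified that the caller is an admin; otherwise the stored role survives.
class UserController extends Zend_Controller_Action
{
    // Roles an admin may assign; anything else is rejected, even from an admin.
    private $_assignableRoles = array('user', 'admin');

    // Hypothetical helper: checks the session identity, never a form field.
    private function _callerIsAdmin()
    {
        $auth = Zend_Auth::getInstance();
        return $auth->hasIdentity() && $auth->getIdentity()->role === 'admin';
    }

    public function updateAction()
    {
        $userForm = new Form_User();
        $userForm->setAction('/user/update');
        $userForm->removeElement('password');
        $isAdmin = $this->_callerIsAdmin();
        if (!$isAdmin) {
            // Non-admins never see the element, and a forged 'role' POST
            // field is simply not among the validated form values.
            $userForm->removeElement('role');
        }
        $userModel = new Model_User();
        if ($this->_request->isPost()) {
            if ($userForm->isValid($this->_request->getPost())) {
                $id = (int) $userForm->getValue('id');
                $stored = $userModel->find($id)->current();
                if ($stored === null) {
                    throw new Zend_Controller_Action_Exception('User not found', 404);
                }
                // Default: the role already in the database is kept.
                $role = $stored->role;
                if ($isAdmin && in_array($userForm->getValue('role'), $this->_assignableRoles, true)) {
                    $role = $userForm->getValue('role');
                }
                $userModel->updateUser($id, $userForm->getValue('username'),
                    $userForm->getValue('first_name'), $userForm->getValue('last_name'), $role);
                $this->view->error = 'User updated';
                return $this->_forward('list');
            }
        } else {
            $id = (int) $this->_request->getParam('id');
            $userForm->populate($userModel->find($id)->current()->toArray());
        }
        $this->view->form = $userForm;
    }
}
```

Because the decision is made from Zend_Auth on the server, editing the hidden field in Firebug changes nothing: the value never reaches updateUser() unless the session identity is already an admin.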
kent3800Author Commented:
Thanks!