display only certain Zend Form elements based on ACL

I have a standard Zend update user form that includes Zend ACL roles in a drop-down, e.g. guest, user, admin. The idea is that an administrator could change the role of the users via the update user form. The user/update controller displays the entire form. I want to use the same form so that the user can update their profile, but I don't want a non-admin to be able to change or even see their role.

How do I hide the role or deactivate the role drop-down in Zend Form?

I tried logic with removeElement, which removes the field altogether. The problem here is that the original role value gets overwritten.

Thanks
// ZEND FORM CODE I WANT TO HIDE IF NOT ADMIN
$role = $this->createElement('select', 'role');
$role->setLabel("Select a role:");
$role->addMultiOption('user', 'Normal User');
$role->addMultiOption('administrator', 'Fully privileged Admin');
$this->addElement($role);

// UPDATE CONTROLLER
public function updateAction() {
    $userForm = new Form_User();
    $userForm->setAction('/user/update');
    $userForm->removeElement('password');
    $userModel = new Model_User();
    if ($this->_request->isPost()) {
        if ($userForm->isValid($_POST)) {
            // every value, including role, is taken straight from the POST body
            $userModel->updateUser(
                $userForm->getValue('id'),
                $userForm->getValue('username'),
                $userForm->getValue('first_name'),
                $userForm->getValue('last_name'),
                $userForm->getValue('role')
            );
            $this->view->error = 'User updated';
            return $this->_forward('list');
        }
    } else {
        // GET: load the row and pre-fill the form with it
        $id = $this->_request->getParam('id');
        $currentUser = $userModel->find($id)->current();
        $userForm->populate($currentUser->toArray());
    }
    $this->view->form = $userForm;
}

kent3800Asked:
UtteCommented:
First you need to read the ACL part of Zend Framework.

Here is some proposed code:
$acl = new Zend_Acl();

// Roles. The second argument to addRole() is the parent role, so here
// 'AllowedUser' inherits every permission granted to 'admin'.
$acl->addRole(new Zend_Acl_Role('admin'));
$acl->addRole(new Zend_Acl_Role('AllowedUser'), 'admin');

// A resource to protect.
$acl->add(new Zend_Acl_Resource('someResource'));

// Grant admin access; AllowedUser gets the same access through inheritance.
$acl->allow('admin', 'someResource');

if ($acl->isAllowed('AllowedUser', 'someResource')) {
    //part to show...
}
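As an added example (not code from the thread or from the answer above), here is what that ACL looks like when built for the guest/user/admin roles the question names, and how the form can consult it instead of comparing role strings by hand. Note the direction of inheritance: the second argument to addRole() is the parent, and the child inherits the parent's permissions, so the most privileged role is declared last. The resource name 'user', the privileges 'edit-profile' and 'change-role', the registry key 'acl', the ZF1 autoloader being registered, and a Zend_Auth identity object with a 'role' property are all assumptions made for this example.

```php
<?php
// Added example for the question's guest/user/admin roles; not code from the
// thread. Assumes Zend Framework 1.x with its autoloader registered, a
// bootstrap that stores the ACL in Zend_Registry under 'acl', and a Zend_Auth
// identity object carrying a 'role' property (all assumptions).

// Build the ACL once, e.g. in a Bootstrap _initAcl() resource method.
function buildAcl()
{
    $acl = new Zend_Acl();

    // Role hierarchy. The second argument to addRole() is the PARENT, and the
    // child inherits the parent's permissions, so the most privileged role
    // is declared last: guest <- user <- admin.
    $acl->addRole(new Zend_Acl_Role('guest'));
    $acl->addRole(new Zend_Acl_Role('user'), 'guest');
    $acl->addRole(new Zend_Acl_Role('admin'), 'user');

    // The protected thing is a user account; the privileges are the two
    // operations the update form performs on it.
    $acl->add(new Zend_Acl_Resource('user'));

    // Zend_Acl denies everything by default, so only the grants are listed.
    // 'admin' gets 'edit-profile' too, through inheritance from 'user'.
    $acl->allow('user', 'user', 'edit-profile');
    $acl->allow('admin', 'user', 'change-role');

    return $acl;
}

// Role of the current visitor, taken from the server-side Zend_Auth identity.
// Anonymous visitors are 'guest', which the ACL above grants nothing.
function currentRole()
{
    $auth = Zend_Auth::getInstance();
    if (!$auth->hasIdentity()) {
        return 'guest';
    }
    $identity = $auth->getIdentity();
    return isset($identity->role) ? $identity->role : 'guest';
}

class Form_User extends Zend_Form
{
    public function init()
    {
        // id, username, first_name, last_name and password elements from the
        // question go here.

        // The role <select> is only created when the ACL permits it. A
        // non-admin gets no role element at all, so there is no field to edit
        // in Firebug; the update action must still keep the stored role for
        // such users instead of reading one from the POST body.
        $acl = Zend_Registry::get('acl');
        if ($acl->isAllowed(currentRole(), 'user', 'change-role')) {
            $role = $this->createElement('select', 'role');
            $role->setLabel('Select a role:');
            $role->addMultiOptions(array(
                'user'  => 'Normal User',
                'admin' => 'Fully privileged Admin',
            ));
            // Zend_Form_Element_Select registers an InArray validator by
            // default, so a posted value outside these two keys fails isValid().
            $this->addElement($role);
        }
    }
}

// Usage from the bootstrap (assumed):
//   Zend_Registry::set('acl', buildAcl());
```

The form only decides what to render. Whether to accept a posted role is a separate decision that belongs in the controller, because a client can add a 'role' parameter to the request whether or not the element was rendered.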

kent3800Author Commented:
OK. Thanks. Looks like I was a victim of the classic ACL vs. Auth newbie problem. Below is how I ended up solving my form element toggle using Zend_Auth. This is fine but can be hacked in Firebug by changing the hidden field to admin if you are a user. I guess I can switch this logic to the update DB logic. Is there a better way to do this?
// In User Form
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
    if ($auth->getIdentity()->role == 'admin') {
        // admin gets a real select
        $role = $this->createElement('select', 'role');
        $role->setLabel("Select a role:");
        $role->addMultiOption('user', 'Normal User');
        $role->addMultiOption('admin', 'Fully privileged Admin');
    } else {
        // everyone else gets a hidden field carrying their current role
        $role = $this->createElement('hidden', 'role');
    }
    $this->addElement($role);
}

// UPDATE USER CONTROLLER
public function updateAction() {
    $userForm = new Form_User();
    $userForm->setAction('/user/update');
    $userForm->removeElement('password');
    $userModel = new Model_User();
    if ($this->_request->isPost()) {
        if ($userForm->isValid($_POST)) {
            $userModel->updateUser(
                $userForm->getValue('id'),
                $userForm->getValue('username'),
                $userForm->getValue('first_name'),
                $userForm->getValue('last_name'),
                $userForm->getValue('role')
            );
            $this->view->error = 'User updated';
            return $this->_forward('list');
        }
    } else {
        $id = $this->_request->getParam('id');
        $currentUser = $userModel->find($id)->current();
        $userForm->populate($currentUser->toArray());
    }
    $this->view->form = $userForm;
}

UtteCommented:
I think you should put it in a session. So you keep the value on the server and not in the HTML...

And then in the update action make the verification again before accepting the role value in the form.
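The update action with the re-verification suggested above, as an added example that is not code from the thread. It keeps the question's own names (Form_User, Model_User with updateUser() and find(), the 'role' column on the user row) and assumes the Zend_Auth identity object carries 'role' and 'id' properties, which depends on this application's auth adapter. Because the hidden 'id' field can be edited in Firebug in exactly the same way as the hidden 'role' field, the example also pins a non-admin to their own account; that check is an addition of the same kind, not something the thread discusses.

```php
<?php
// Added example, not code from the thread. Uses the question's own Form_User,
// Model_User (updateUser(), find()) and the 'role' column on the user row;
// assumes the Zend_Auth identity object carries 'role' and 'id' properties
// (an assumption about this application's auth adapter).

class UserController extends Zend_Controller_Action
{
    // Is the logged-in identity an admin? Decided from the server-side session
    // on every request, never from anything in the submitted form.
    private function _isAdmin()
    {
        $auth = Zend_Auth::getInstance();
        if (!$auth->hasIdentity()) {
            return false;
        }
        $identity = $auth->getIdentity();
        return isset($identity->role) && $identity->role === 'admin';
    }

    public function updateAction()
    {
        $auth = Zend_Auth::getInstance();
        if (!$auth->hasIdentity()) {
            // Nobody may reach the update form anonymously.
            throw new Zend_Controller_Action_Exception('Login required', 401);
        }

        $userForm = new Form_User();
        $userForm->setAction('/user/update');
        $userForm->removeElement('password');
        $userModel = new Model_User();
        $request = $this->getRequest();

        if ($request->isPost()) {
            if ($userForm->isValid($request->getPost())) {
                $id = $userForm->getValue('id');

                // The hidden 'id' field can be edited in the browser just like
                // the hidden 'role' field, so a non-admin may only update the
                // account they are logged in as.
                if (!$this->_isAdmin()) {
                    $id = $auth->getIdentity()->id;
                }

                $currentUser = $userModel->find($id)->current();
                if ($currentUser === null) {
                    throw new Zend_Controller_Action_Exception('User not found', 404);
                }

                // Server-side re-verification of the role: only an admin's
                // submitted role is honoured. For everyone else the value
                // already stored on the row is written back, so a tampered or
                // injected 'role' parameter changes nothing.
                if ($this->_isAdmin()) {
                    $role = $userForm->getValue('role');
                } else {
                    $role = $currentUser->role;
                }

                $userModel->updateUser(
                    $id,
                    $userForm->getValue('username'),
                    $userForm->getValue('first_name'),
                    $userForm->getValue('last_name'),
                    $role
                );
                $this->view->error = 'User updated';
                return $this->_forward('list');
            }
        } else {
            // GET: same ownership rule when choosing which row to pre-fill.
            $id = $request->getParam('id');
            if (!$this->_isAdmin()) {
                $id = $auth->getIdentity()->id;
            }
            $currentUser = $userModel->find($id)->current();
            if ($currentUser === null) {
                throw new Zend_Controller_Action_Exception('User not found', 404);
            }
            $userForm->populate($currentUser->toArray());
        }
        $this->view->form = $userForm;
    }
}
```

With this in place it no longer matters whether the form rendered a select, a hidden field, or nothing at all for non-admins: the authorisation decision is made from the session identity on the server, and the form element is only a convenience for the admin.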
kent3800Author Commented:
OK. Thanks! Are you suggesting saving the admin role value in a Zend_Registry session in the _initAutoload() bootstrap, i.e.

$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
    if ($auth->getIdentity()->role == 'admin') {
        Zend_Registry::set('isAdmin', "true");
    } else {
        Zend_Registry::set('isAdmin', "false");
    }
}

and then calling it in the update function like this:

$checkAdmin = Zend_Registry::get('isAdmin');
if ($checkAdmin == 'true') { /* ... change role to admin ... */ }
UtteCommented:
Yes.

But you could just do validation again like you did the first time.
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
    if ($auth->getIdentity()->role == 'admin') {
        // accept the submitted role value
    }
}

I think that would make code maintenance easier.
kent3800Author Commented:
Thanks!