Class: Acl

A simple access control class for implementing custom permissions in your applications.



// Default usage
$acl = new Acl ();

if (! $acl->allowed ('resource')) {
    // Keep the current user out

// Use an alternate user
$user = new User ($user_id);

if (! $acl->allowed ('resource', $user)) {
    // Keep the user out


The format of the INI file is as follows:


default = On


default = On
user/admin = Off
myapp = Off


default = Off
user = On

The default lines change whether you should allow or deny by default for a given role. The naming convention user/admin signifies a feature within an app as opposed to the app itself.

To easily include access control in a handler, you can use the Controller's require_acl() method like this:

$this->require_acl ('admin', 'myapp');

Which says: Verify they can access the admin resource, as well as the myapp resource. You can also retrieve the Acl object for the currently active user via the User::acl() method like this:

$acl = User::acl ();

To define new resources that your custom app will use, create a conf/acl.php in your app and define your resources like this:

myapp = "My application"
myapp/feature-x = "Access feature X"

This will automatically include them in the Elefant role editor.


public $file = 'conf/acl.php'

The INI file that the rules were read from.

public $rules = array ()

The access control rules as an array of roles and their permissions.

public $resources

A list of resources defined by the installed apps.


public __construct ($file = 'conf/acl.php')

Constructor will call init() if a file is provided, or simply set the $rules if an array is passed to it. With no parameters, it will try to read conf/acl.php for the access list.

public init ()

Parses the INI file and generates the rule list, adding default=false if no default is specified for that role (deny by default).

public allowed ($resource, $user = false)

Test whether they can access a resource. If no user object is provided, will use User::$user->type to determine the role.

public add_role ($role, $default = false)

Add a role to the list, optionally assigning whether it should allow or deny by default.

public deny ($role, $resource)

Deny a role access to the specified resource.

public allow ($role, $resource)

Allow a role access to the specified resource.

public resources ()

Find all resources defined by the installed apps.