Вот как я реализую свой ACL-плагин контроллера: в нём есть роли и ресурсы, где каждый ресурс — это комбинация {{module}}_{{controller}}, которой сопоставлен массив разрешённых действий: '{{module}}_{{controller}}' => array({{actions}})
<?php
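/**
 * Front-controller plugin that enforces role-based access control before
 * every dispatch.
 *
 * Resources are named "{module}_{controller}" and privileges are action names.
 * Roles inherit from one another: guest <- member <- admin.
 */
class My_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
{
    /**
     * Checks the current user's role against the requested module, controller
     * and action, and re-targets the request when access is refused.
     *
     * Any failure of the check itself is treated as a refusal, so the plugin
     * fails closed.
     *
     * @param Zend_Controller_Request_Abstract $request request about to be dispatched
     * @return void
     */
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        // NOTE(review): the ACL is rebuilt on every dispatch; the rules are
        // static, so it could be built once and cached.
        $obj_acl = $this->_buildAcl();
        $role = $this->_currentRole();

        try {
            // Read the target through the request accessors instead of magic
            // property reads: the accessors are part of
            // Zend_Controller_Request_Abstract and describe the module,
            // controller and action that are about to be dispatched.
            $resource = $request->getModuleName() . '_' . $request->getControllerName();
            $action = $request->getActionName();

            if (!$obj_acl->isAllowed($role, $resource, $action)) {
                $this->_deny($request);
            }
        } catch (Zend_Acl_Exception $e) {
            // Raised when the ACL is asked about a role or resource it does
            // not know. The message can contain the requested resource name,
            // which comes from the URL, so it is logged server-side and never
            // written into the response. Control characters are stripped so a
            // crafted name cannot break the log line.
            error_log('ACL check failed: ' . preg_replace('/[\x00-\x1F\x7F]/', ' ', $e->getMessage()));
            $this->_deny($request);
        }
    }

    /**
     * Builds the ACL: roles, resources and the privileges of each role.
     *
     * @return Zend_Acl
     */
    private function _buildAcl()
    {
        $obj_acl = new Zend_Acl();

        // Each role inherits everything granted to its parent.
        $obj_acl->addRole(new Zend_Acl_Role('guest'));
        $obj_acl->addRole(new Zend_Acl_Role('member'), 'guest');
        $obj_acl->addRole(new Zend_Acl_Role('admin'), 'member');

        // role => array of resources, resource => array of allowed actions
        $arr_role_resources = array(
            'guest' => array(
                'default_index' => array('index', 'about-us', 'testimonials', 'interns', 'staff', 'contact-us'),
                'default_error' => array('error', 'denied'),
                'default_account' => array('index', 'login', 'register', 'logout', 'forgot-password'),
                'store_index' => array('index'),
                'store_category' => array('index', 'list', 'view'),
                'store_search' => array('index', 'results'),
                'store_product' => array('index', 'view', 'ajax-variant'),
                'store_cart' => array('index', 'view', 'empty', 'checkout', 'payment', 'review', 'confirmation', 'apply-coupon'),
                // The admin login form has to be reachable without a session.
                'store-admin_index' => array('login'),
            ),
            'member' => array(
                'default_account' => array('index', 'me', 'update', 'change-password', 'orders', 'view-order'),
            ),
            'admin' => array(
                'store-admin_index' => array('index'),
                'store-admin_category' => array('index', 'list', 'create', 'update', 'delete'),
                'store-admin_customers' => array('index', 'list', 'create', 'update', 'delete'),
                'store-admin_customer-group' => array('index', 'list', 'create', 'update', 'delete'),
                'store-admin_orders' => array('index', 'list', 'create', 'update', 'delete'),
                'store-admin_product' => array('index', 'list', 'create', 'update', 'delete'),
                'store-admin_coupon' => array('index', 'list', 'create', 'update', 'delete'),
                'store-admin_import' => array('index', 'list', 'create', 'update', 'delete'),
            ),
        );

        foreach ($arr_role_resources as $role => $arr_resource) {
            foreach ($arr_resource as $name_resource => $subset) {
                // A resource can appear under several roles; register it once.
                // Asking the ACL itself replaces the separate bookkeeping list
                // and its loose in_array() comparison.
                if (!$obj_acl->has($name_resource)) {
                    $obj_acl->add(new Zend_Acl_Resource($name_resource));
                }
                // Grant this role only the listed actions on the resource.
                $obj_acl->allow($role, $name_resource, $subset);
            }
        }

        // Blanket grant: admin may perform any action on any resource. This
        // makes the per-resource admin entries above redundant for access
        // decisions; they still register the resources, so other roles'
        // requests for them are evaluated and refused rather than raising
        // "unknown resource".
        $obj_acl->allow('admin', null);

        return $obj_acl;
    }

    /**
     * Resolves the role of the current user.
     *
     * An anonymous visitor, or an identity that carries no role, is treated
     * as 'guest', the least-privileged role. A role name the ACL does not
     * know is not mapped to anything here; the access check then fails and
     * the request is refused.
     *
     * @return string lower-cased role name
     */
    private function _currentRole()
    {
        $obj_auth = Zend_Auth::getInstance();
        if (!$obj_auth->hasIdentity()) {
            return 'guest';
        }

        $identity = $obj_auth->getIdentity();
        if (!is_object($identity) || !isset($identity->role)) {
            return 'guest';
        }

        return strtolower($identity->role);
    }

    /**
     * Re-targets a refused request: to the admin login form inside the
     * 'store-admin' module, to the 'denied' action of the error controller
     * everywhere else.
     *
     * @param Zend_Controller_Request_Abstract $request request to re-target
     * @return void
     */
    private function _deny(Zend_Controller_Request_Abstract $request)
    {
        if ($request->getModuleName() === 'store-admin') {
            $request->setModuleName('store-admin');
            $request->setControllerName('index');
            $request->setActionName('login');
            return;
        }

        // NOTE(review): the module name is left as requested, so a refusal in
        // another module targets that module's error controller. The only
        // error resource declared in the ACL is 'default_error' - confirm
        // whether the module should be reset to 'default' here.
        $request->setControllerName('error');
        $request->setActionName('denied');
    }
}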