Fabien,
From looking at the documentation for ACEGI, it specifically states that the
framework could be used to secure actions on *services*.
Now, since all services reside in the DIC, maybe we could use a technique
similar to the one Doctrine uses to create Proxy objects.
For example:
    <service id="some_service" class="SomeService">
        <tag name="secure">
            <action role="moderator">moderateSomething</action>
        </tag>
    </service>
Then ContainerBuilder would build a proxy object for that service and
register it:
    class SomeServiceSecured extends SomeService
    {
        protected $security;

        public function __construct(SecurityContextHolder $contextHolder)
        {
            $this->security = $contextHolder->getSecurity();
        }

        public function moderateSomething()
        {
            // Check access before delegating to the real service method.
            if (!$this->security->hasAccess(array($this, 'moderateSomething'))) {
                throw new AccessDeniedException();
            }

            return parent::moderateSomething();
        }
    }
And the cached container:
    //...
    public function getSomeService()
    {
        if (!isset($this->shared['some_service'])) {
            $service = new SomeServiceSecured($this->getSecurityContextHolderService());
            $this->shared['some_service'] = $service;
        }

        return $this->shared['some_service'];
    }
This approach might have some performance overhead, but I feel like it might
provide the necessary functionality.
Thoughts?
On Fri, Sep 17, 2010 at 6:52 AM, Fabien Potencier <
[email protected]> wrote:
> On 9/17/10 11:09 AM, Cyrille37 wrote:
>
>> On 13 sep, 17:30, Lukas Kahwe Smith<[email protected]> wrote:
>>
>>> On 13.09.2010, at 16:00, Fabien Potencier wrote:
>>> ... ... ...
>>> but the key thing that i would like to see addressed in a more consistent
>>> manner in the symfony community is checking of permissions when reading
>>> models. this obviously requires support on the ORM/ODM level.
>>> ... ... ...
>>>
>>
>> I like the concept of ACL applied on the Model.
>> I used to apply it when I worked with Java. I used the ACEGI framework
>> (http://www.acegisecurity.org/) to protect the Model and do not rely
>> on web page developers for managing rights.
>>
>> I did not find this concept around PHP. I think, from an industrial
>> view, it's a must have.
>>
>
> It makes a lot of sense but how can you do the same in PHP? The only
> possibility is to have AOP.
>
> Fabien
>
>
> --
> If you want to report a vulnerability issue on symfony, please send it to
> security at symfony-project.com
>
> You received this message because you are subscribed to the Google
> Groups "symfony developers" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]<symfony-devs%[email protected]>
> For more options, visit this group at
> http://groups.google.com/group/symfony-devs?hl=en
>
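The proxy generation proposed in the message above, as an added example that is not part of the original thread or Symfony's code. SecurityContext, hasRole() and buildSecuredProxy() are hypothetical names, the sample service is constructed, and it assumes PHP 5.6 or later with the service class in the global namespace.

```php
<?php
// Added example; SecurityContext, hasRole() and buildSecuredProxy() are hypothetical names.
class AccessDeniedException extends RuntimeException {}
class SecurityContext // stand-in for the security service
{
    private $roles;
    public function __construct(array $roles) { $this->roles = $roles; }
    public function hasRole($role) { return in_array($role, $this->roles, true); }
}
class SomeService // constructed sample service, global namespace assumed
{
    public function moderateSomething() { return 'moderated'; }
    public function listSomething() { return 'listed'; }
}
// Builds a "<Class>Secured" subclass that checks a role before each listed method.
// Fails closed: a method that cannot be overridden aborts the build.
function buildSecuredProxy($class, array $methodRoles)
{
    $ref = new ReflectionClass($class);
    if ($ref->isFinal()) {
        throw new LogicException("$class is final and cannot be proxied");
    }
    $body = '';
    foreach ($methodRoles as $method => $role) {
        $m = $ref->getMethod($method); // throws ReflectionException if missing
        if ($m->isFinal() || $m->isStatic() || !$m->isPublic()) {
            throw new LogicException("$class::$method cannot be guarded by a subclass");
        }
        // Variadic override: fits untyped methods without by-reference parameters.
        $body .= "public function $method(...\$args) {\n"
            . '  if (!$this->security->hasRole(' . var_export($role, true) . ")) {\n"
            . '    throw new AccessDeniedException(' . var_export("$class::$method", true) . ");\n"
            . "  }\n  return parent::$method(...\$args);\n}\n";
    }
    $proxy = $class . 'Secured';
    // A real container would dump this source into its cached file instead of eval().
    eval("class $proxy extends $class {\n  protected \$security;\n"
        . "  public function __construct(SecurityContext \$s) { \$this->security = \$s; }\n"
        . $body . "}\n");
    return $proxy;
}

$class = buildSecuredProxy('SomeService', array('moderateSomething' => 'moderator'));
$guest = new $class(new SecurityContext(array('user')));
echo $guest->listSomething(), "\n"; // method without an <action> entry is not guarded
try { $guest->moderateSomething(); }
catch (AccessDeniedException $e) { echo 'denied: ', $e->getMessage(), "\n"; }
$mod = new $class(new SecurityContext(array('user', 'moderator')));
echo $mod->moderateSomething(), "\n";
```

The check applies only to instances created as the generated subclass; code that constructs SomeService directly is not covered by it.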