On 9/17/10 4:18 PM, Bulat Shakirzyanov wrote:
Fabien,
From looking at the documentation for ACEGI, it specifically states
that the framework could be used to secure actions on *services*.
I know Spring Security (Acegi is the old name) pretty well ;)
Now, since all services reside in the DIC, maybe we could use a similar
technique Doctrine uses to create Proxy objects.
That's something I want to avoid. I don't want to have one proxy object
for each real object you have in your application.
For example:
<service id="some_service" class="SomeService">
    <tag name="secure">
        <action role="moderator">moderateSomething</action>
    </tag>
</service>
Yeah, but most of the time, you want to secure entities, and those are not
managed by the DIC.
I'm not saying it is impossible, just that with the current state of PHP,
it means we need to add a lot of black magic to make it work. And that's
not something I want to do... yet.
Fabien
Then ContainerBuilder would build a proxy object for that service and
register it:
class SomeServiceSecured extends SomeService
{
    protected $security;

    public function __construct(SecurityContextHolder $contextHolder)
    {
        $this->security = $contextHolder->getSecurity();
    }

    public function moderateSomething()
    {
        // Check access on the stored security object before delegating.
        if (!$this->security->hasAccess(array($this, 'moderateSomething'))) {
            throw new AccessDeniedException();
        }
        return parent::moderateSomething();
    }
}
And the cached container:
//...
public function getSomeService()
{
    if (!isset($this->shared['some_service'])) {
        $service = new SomeServiceSecured($this->getSecurityContextHolderService());
        $this->shared['some_service'] = $service;
    }
    return $this->shared['some_service'];
}
This approach might have some performance overhead, but I feel like it
might provide the necessary functionality.
Thoughts?
On Fri, Sep 17, 2010 at 6:52 AM, Fabien Potencier <[email protected]> wrote:
On 9/17/10 11:09 AM, Cyrille37 wrote:
On 13 sep, 17:30, Lukas Kahwe Smith <[email protected]> wrote:
On 13.09.2010, at 16:00, Fabien Potencier wrote:
... ... ...
but the key thing that i would like to see addressed in a
more consistent manner in the symfony community is checking
of permissions when reading models. this obviously requires
support on the ORM/ODM level.
... ... ...
I like the concept of ACL applied on the Model.
I used to apply it when I worked with Java. I used the ACEGI framework
(http://www.acegisecurity.org/) to protect the Model and do not rely
on web page developer for managing rights.
I did not find this concept around PHP. I think, from an industrial
view, it's a must have.
It makes a lot of sense but how can you do the same in PHP? The only
possibility is to have AOP.
Fabien
--
If you want to report a vulnerability issue on symfony, please send
it to security at symfony-project.com <http://symfony-project.com>
You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
<mailto:[email protected]>
To unsubscribe from this group, send email to
[email protected]
<mailto:symfony-devs%[email protected]>
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
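
An added sketch, not code from this thread or from Symfony: one generic decorator that enforces a method-to-role map (the shape of the `<tag name="secure">` definition above) through `__call`, instead of one generated subclass per service. `SecuredService`, `AccessDenied` and the role callback are hypothetical names, and the sample user is constructed. The trade-off it shows: the decorator is not an `instanceof` the wrapped class, and calls a service makes on itself through `$this` are not checked.

```php
<?php
// Added illustration; every name here is hypothetical, not Symfony API.
class AccessDenied extends RuntimeException {}

class SomeService
{
    public function moderateSomething() { return 'moderated'; }
    public function readSomething() { return 'read'; }
}

// One decorator for any service. $requiredRoles maps method => role, as the
// <action role="..."> entries of the "secure" tag would supply.
final class SecuredService
{
    private $inner;
    private $requiredRoles;
    private $hasRole;

    public function __construct($inner, array $requiredRoles, callable $hasRole)
    {
        $this->inner = $inner;
        // PHP method names are case-insensitive, so normalise the keys;
        // otherwise "MODERATESOMETHING" would miss the map and skip the check.
        $this->requiredRoles = array_change_key_case($requiredRoles, CASE_LOWER);
        $this->hasRole = $hasRole;
    }

    public function __call($method, array $args)
    {
        $key = strtolower($method);
        if (isset($this->requiredRoles[$key])
            && !call_user_func($this->hasRole, $this->requiredRoles[$key])) {
            throw new AccessDenied("Role required for $method()");
        }
        return call_user_func_array(array($this->inner, $method), $args);
    }
}

// Constructed sample: the current user only holds the "member" role.
$userRoles = array('member');
$hasRole = function ($role) use ($userRoles) { return in_array($role, $userRoles, true); };
$service = new SecuredService(new SomeService(), array('moderateSomething' => 'moderator'), $hasRole);

echo $service->readSomething(), "\n";         // unprotected method passes through
try {
    $service->MODERATESOMETHING();            // case variant is still checked
} catch (AccessDenied $e) {
    echo 'denied: ', $e->getMessage(), "\n";  // protected method is refused
}
```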