Hi all,
After learning how to use and implement the ACL feature of the Security
component I must say.. congratulations. GREAT implementation. It's fast,
flexible and it covers almost (if not all) the needs an app could have.
I've successfully implemented the ACL feature in my app using lots of its
features. And now I'd like to share some thoughts about the class-scope
permissions. I'd really like to know what do you think guys about this.
I've seen a couple of questions about how to assign class-scope permissions
(a lot of them were mine :P), and some tickets about it too. I think this is
the only thing I can say is not so clear in the ACL, at least for me. It
took me a while to understand how to implement it, and why it should be that
way. In a brief:
Let's suppose we have these classes:
. Element
. Article (inherits from Element)
. Page (inherits from Element)
1) How should we check for a CREATE permission for the class Article if we
don't have any instances (and for instance, no OID) created yet? The only
way is to create an OID for the class, and assign to it an identifier like
'class' or '-1'. Then you can add to it a class-scope ACE or an object-scope
ACE (it doesn't really matter in this case which one of these two) for the
SID you want and for the CREATE permission. Then you can do this:
$securityContext->isGranted('CREATE', new ObjectIdentity('class',
'Fully\Qualified\Article\Class'));
Now, knowing that we need an OID for the class:
2) Why should we have class-scope ACE's for the OIDs of each instance of
Article or any other class? class-scope permissions are supposed to apply to
every instance of Article. So, if we have an OID for the class, we can set
it as the parent of every OID of every instance of Article, and our
class-scope permissions would be checked that way. We could even have
something like this in this use case:
. Element class OID
. Article class OID (child of Element class OID)
. Article 1 OID (child of Article class OID)
. Article 2 OID (child of Article class OID)
. Article 3 OID (child of Article class OID)
. Article 4 OID ((child of Article 3 OID)
. Page class OID (child of Element class OID)
I've implemented this way ACL in my app and so far is working as expected.
Permissions assigned to Element class OID are inherited by Article class
OID, and by its childs. So, then, the remaining question I have is: Do we
need a separation between class and object ACE's for one ACL? Using this
implementation there's no difference in one ACL between class-scope and
object-scope permissions. Class scope permissions are applied to the
correspondent class OID, while object-permissions are applied to the OIDs
which refer to instances of the class.
That's it. Sorry about the long mail but I couldn't find a shorter way to
explain my point, and I wanted to share these thoughts with you guys to know
what do you think.
Thanks in advance, and congratulations again for this amazing component :)
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
