The reason why class-scope permissions are not implemented using the inheritance feature is that it would lock you into an inheritance tree, since there can only be one parent ACL.
Let's say you have blog posts and comments.

Blog Post 1 ACL
- Comment 1 ACL
- Comment 2 ACL
- Comment 3 ACL
Blog Post 2 ACL
- Comment 4 ACL
- Comment 5 ACL

If you now want every author of a blog post to be able to delete comments for this blog post, you would set the blog post ACL as parent of each comment ACL. This would not be possible if you let all comments inherit from a fake class-scope comment ACL instance, because this instance in turn could only inherit from one blog post ACL instance. So, the short answer is that you have more flexibility with the current implementation.

Regarding a class identity, I see some abuse potential there because you only need this if the object does not exist yet (e.g. for checking a CREATE permission). In all other cases, you should never use a class identity.

Kind regards,
Johannes

On Wed, Apr 20, 2011 at 2:33 AM, Gustavo Adrian <[email protected]> wrote:
> 2011/4/19 Gustavo Adrian <[email protected]>
>
>> Why should we have class-scope ACEs for the OIDs of each instance of Article or any other class?
>
> Indeed, I said this completely wrong. What I was trying to say is that it's a little bit confusing to have an ACL for an OID, which is supposed to be a representation of an instance of a class, and a way to insert a class ACE in the same ACL. I've found that having a separate OID only for the class is a lot easier to handle. And it even allows representing a class tree using the ACL inheritance feature. There are even situations where you can't check for class-scope permissions without an OID representing only the class. Like I said in my last mail, what if I want to check if a user can CREATE an Article? I need an OID to find the ACL corresponding to the SID of this user, and I shouldn't look for an OID of a specific Article to check this class permission. Maybe there isn't one because there are no articles created yet. As a result, I need an OID for the class.
>
> Maybe it could be useful to have a ClassIdentity or something like that? It could be just an ObjectIdentity but with a pre-defined identifier like 'class'. The thing is that, doing it like this, we wouldn't need class ACEs / class field ACEs anymore. These types of permissions would exist on their own "OID", which would indeed be a Class Identity instead of an Object Identity.
>
> I'm just throwing my thoughts here. It's already possible to do all the stuff I'm saying without any modifications. But, as I said, I'd really appreciate reading your opinions about this. It's healthy to talk about these topics :)
>
> Thanks in advance.
>
> --
> If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
>
> You received this message because you are subscribed to the Google Groups "symfony developers" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to [email protected]
> For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
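The two patterns debated in this exchange, as an added example that is not part of the thread and not code from the Symfony ACL component itself: the blog post ACL is set as the single parent of each comment ACL so that the author's DELETE entry is inherited by the comments, and a separate synthetic object identity with the identifier 'class' (Gustavo's suggestion) carries the class-scope CREATE permission that has to be checked before any instance exists. It is written against the component's public interfaces only. Assumed, and not from the thread: a `MutableAclProviderInterface` is injected (in a Symfony application the `security.acl.provider` service, which needs a DBAL connection and the ACL tables), and `BlogPost` and `Comment` are application entities exposing `getId()`; the class name `BlogAclManager` and its method names are made up for the example.

```php
<?php
// Added example, not code from the thread or from the Symfony ACL component.
// Assumed: $aclProvider is an injected MutableAclProviderInterface (the
// security.acl.provider service); domain objects expose getId().

use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
use Symfony\Component\Security\Acl\Exception\NoAceFoundException;
use Symfony\Component\Security\Acl\Model\MutableAclInterface;
use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;
use Symfony\Component\Security\Core\User\UserInterface;

class BlogAclManager
{
    /** @var MutableAclProviderInterface */
    private $aclProvider;

    public function __construct(MutableAclProviderInterface $aclProvider)
    {
        $this->aclProvider = $aclProvider;
    }

    // The author gets VIEW/EDIT/DELETE as an object ACE on the post's own ACL.
    // Because comment ACLs are parented to the post ACL (attachComment), the
    // granting strategy falls through to this ACE when a comment has no ACE
    // of its own, so the same entry answers DELETE checks on every comment.
    public function grantAuthor(object $post, UserInterface $author): void
    {
        $acl = $this->findOrCreateAcl(ObjectIdentity::fromDomainObject($post));
        $mask = (new MaskBuilder())->add('view')->add('edit')->add('delete')->get();
        $acl->insertObjectAce(UserSecurityIdentity::fromAccount($author), $mask);
        $this->aclProvider->updateAcl($acl);
    }

    // An ACL has exactly one parent slot. It is spent on the post -> comment
    // relation here, which is why class-scope entries cannot also be routed
    // through inheritance.
    public function attachComment(object $comment, object $post): void
    {
        $postAcl = $this->aclProvider->findAcl(ObjectIdentity::fromDomainObject($post));
        $commentAcl = $this->findOrCreateAcl(ObjectIdentity::fromDomainObject($comment));
        $commentAcl->setParentAcl($postAcl);
        $commentAcl->setEntriesInheriting(true);
        $this->aclProvider->updateAcl($commentAcl);
    }

    // Class-scope CREATE is stored as a class ACE via a synthetic OID
    // ('class', <FQCN>). Class ACEs are keyed on the class, so the entry is
    // also loaded into every instance ACL of $class; the synthetic OID only
    // exists so the check can run when no instance exists yet.
    public function grantCreate(string $class, UserInterface $user): void
    {
        $acl = $this->findOrCreateAcl(new ObjectIdentity('class', $class));
        $acl->insertClassAce(UserSecurityIdentity::fromAccount($user), MaskBuilder::MASK_CREATE);
        $this->aclProvider->updateAcl($acl);
    }

    public function canCreate(string $class, UserInterface $user): bool
    {
        return $this->isGranted(new ObjectIdentity('class', $class), MaskBuilder::MASK_CREATE, $user);
    }

    public function canDelete(object $domainObject, UserInterface $user): bool
    {
        return $this->isGranted(ObjectIdentity::fromDomainObject($domainObject), MaskBuilder::MASK_DELETE, $user);
    }

    // A missing ACL and a missing ACE both mean "deny"; neither exception
    // may escape an authorization check.
    private function isGranted(ObjectIdentityInterface $oid, int $mask, UserInterface $user): bool
    {
        try {
            $acl = $this->aclProvider->findAcl($oid);
            return $acl->isGranted([$mask], [UserSecurityIdentity::fromAccount($user)]);
        } catch (AclNotFoundException | NoAceFoundException $e) {
            return false;
        }
    }

    private function findOrCreateAcl(ObjectIdentityInterface $oid): MutableAclInterface
    {
        try {
            $acl = $this->aclProvider->findAcl($oid);
        } catch (AclNotFoundException $e) {
            return $this->aclProvider->createAcl($oid);
        }
        if (!$acl instanceof MutableAclInterface) {
            throw new \LogicException('ACL provider returned a read-only ACL');
        }
        return $acl;
    }
}
```

In an application the checks would normally go through the authorization checker and the ACL voter (`isGranted('CREATE', new ObjectIdentity('class', Article::class))`), which accepts an `ObjectIdentityInterface` subject directly; the example calls the ACL itself only to stay self-contained. Note the trade-off Johannes points at: once a CREATE class ACE exists for a user, it is visible on every instance ACL of that class as well, so the synthetic 'class' identity should be used only for checks made before an instance exists, and instance checks should always go through the instance's own OID.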
