I don't know if it's okay for anyone to propose a topic (especially as I might not be able to be here on time for the next meeting), but here I go.

I think something should be done about ACL and proxies, preferably ASAP (in 2.0). Here's the related PR: https://github.com/symfony/symfony/pull/2056

At the moment, ACL is almost unusable with Doctrine (ORM, ODM, any flavor of it really) because it doesn't support proxies at all, which makes it useless for most people at the moment. Indeed, you can't be 100% sure that you are not manipulating a proxy with Doctrine, and the ObjectIdentityRetrievalStrategy basically uses get_class to know the type of an object.

There have been quite a number of issues about this on GitHub already, and my PR fixes the issue (and also does not force you to actually fetch the object if it is a proxy, which is a nice improvement too). Johannes says the solution is not perfect but didn't really explain why.

The problem is that, besides being unusable, people don't know about it, and that could cause some security vulnerabilities because you can't rely on the return value of isGranted anymore when you work with Doctrine entities/documents.

So I propose to discuss this issue and maybe propose alternatives to my approach (or just merge it in 2.0 if it seems ok). Maybe Johannes can elaborate more.

Regards,
Jordan
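
The class-name mismatch described in the message above, as an added example that is not part of the original post or of the linked PR. `MarkerProxy`, `Post`, `PostProxy`, the two identity functions and the ACL table are constructed stand-ins, not Symfony or Doctrine code, and the proxy-aware variant is one possible approach, not necessarily the one the PR takes.

```php
<?php
// Constructed stand-ins: MarkerProxy, Post, PostProxy and both identity
// functions are hypothetical, not Symfony or Doctrine classes.
interface MarkerProxy {}

class Post
{
    public function __construct(protected int $id) {}
    public function getId(): int { return $this->id; }
}

// An ORM proxy is a generated subclass of the entity it stands in for.
class PostProxy extends Post implements MarkerProxy {}

// Identity derived with get_class(), as the message describes.
function identityByGetClass(object $o): string
{
    return get_class($o) . '#' . $o->getId();
}

// Identity that maps a proxy back to the entity class it extends.
function identityProxyAware(object $o): string
{
    $class = $o instanceof MarkerProxy ? get_parent_class($o) : get_class($o);
    return $class . '#' . $o->getId();
}

// Constructed ACL table: object identity => users allowed to EDIT.
$acl = ['Post#1' => ['alice']];

function isGranted(array $acl, string $identity, string $user): bool
{
    // No ACL stored under this identity means no entry matches.
    return in_array($user, $acl[$identity] ?? [], true);
}

$entity = new Post(1);
$proxy  = new PostProxy(1);   // same row, but handed out as a lazy proxy

foreach (['identityByGetClass', 'identityProxyAware'] as $strategy) {
    foreach (['entity' => $entity, 'proxy' => $proxy] as $label => $object) {
        $identity = $strategy($object);
        printf("%-20s %-6s %-12s alice EDIT: %s\n", $strategy, $label, $identity,
            isGranted($acl, $identity, 'alice') ? 'granted' : 'denied');
    }
}
```

With the `get_class()` identity, the entity and its proxy resolve to different ACL keys for the same row, so the authorization answer depends on how the object happened to be loaded.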