After implementing class-scope permissions thanks to Christophe's tip, I now have more questions :)
I've been looking at the ACE schema and I see a couple of interesting things that I'd like to know how to use.

1) First I see a "granting" boolean field and a "grant_strategy" field (with value "all" in my case in each row) on the "acl_entries" table. Looking then at the MutableAclInterface I see that the method "insertClassAce" has this signature:

*function insertClassAce(SecurityIdentityInterface $sid, $mask, $index = 0, $granting = true, $strategy = null);*

Does the $granting field allow me to use something like a DENY permission if I pass "false" to it? If that's the case, could I use it to DENY a privilege that has an ALLOW permission somewhere up on the hierarchy?

2) I've noticed that I can insert multiple Class ACEs using the same object identity and the same security identity, but it increases the "ace_order" for each row I insert. I have a form for each type of entity on my app to give class-scope permissions to specific users. Each time a user updates them, how can I update the corresponding ACE? I see in the MutableAclInterface that it has an updateClassAce method, but it needs an $index parameter and I don't know what it is. Is this the primary key of the ACE? If this is the case, should I query the DB myself using the class ID and the SID ID to retrieve the corresponding ACE's PK, or is there a method to update ACEs based on the SID and OID that I haven't found?

3) What's the purpose of the following fields on the "acl_entries" table?: ace_order, audit_success, audit_failure. I've seen the AuditableAclInterface. How do methods like updateClassAuditing (with $auditSuccess and $auditFailure parameters) work?

Thanks in advance and sorry if I asked too many questions, but this is a wonderful feature and I'd love to know all its possibilities :)

On Mon, Mar 21, 2011 at 4:26 PM, Gustavo Adrian <[email protected]> wrote:

> Great! even easier than I thought. I'm beginning to love this feature :)
>
> Thanks a lot!
>
> On Mon, Mar 21, 2011 at 4:22 PM, Christophe COEVOET <[email protected]> wrote:
>
>> On 21/03/2011 20:11, Gustavo Adrian wrote:
>>
>>> Hi all,
>>>
>>> I'm starting to implement the ACL feature on my app and, for what I've
>>> read and what I've already implemented, I must say: it's BEAUTIFUL. Great
>>> job guys. It's just what I was looking for :)
>>>
>>> I have one question about this wonderful feature:
>>>
>>> 1) I've already implemented object scope permissions using the
>>> ObjectIdentifier class. What I don't know is: How to grant a class scope and
>>> class-field scope permissions to a user? I didn't find how to do it in the
>>> docs and I didn't find in the API something like ClassIdentifier. Which is
>>> the right way to grant a class scope permission to a user? Do I have to
>>> check these permissions the same way I do it with object-scope permissions?
>>> ($securityContext->isGranted( 'UPDATE', $objectIdentity ) )
>>>
>>
>> the key to create a class Ace is to use the insertClassAce method:
>>
>> // the identifier is arbitrary; the type is the class the ACE applies to
>> $oid = new ObjectIdentity('whatever_you_want', 'Class\\Name');
>> $acl = $provider->createAcl($oid);
>> $sid = UserSecurityIdentity::fromAccount($user);
>> $acl->insertClassAce($sid, MaskBuilder::MASK_OWNER);
>> // persist the change; without this the new ACE is never written
>> $provider->updateAcl($acl);
>>
>> And then your user will have OWNER rights for all instances of the
>> Class\Name class. The way to check does not change.
>>
>> Regards
>>
>> --
>> Christophe | Stof
>>
>> --
>> If you want to report a vulnerability issue on symfony, please send it to
>> security at symfony-project.com
>>
>> You received this message because you are subscribed to the Google
>> Groups "symfony users" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/symfony-users?hl=en
>>
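
An added example, not part of the original thread and not Symfony's own code: one way to keep a single granting class-scope ACE per security identity, updating it in place on each form submission instead of inserting a new row. The helper name setClassMask and the fixed identifier 'class' are assumptions made for illustration; $index here is the entry's position in the array returned by getClassAces(), not a database primary key.

```php
<?php
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
use Symfony\Component\Security\Acl\Model\SecurityIdentityInterface;

/**
 * Hypothetical helper: set the class-scope mask for one security identity.
 * Returns the index of the ACE that now carries $mask.
 */
function setClassMask(
    MutableAclProviderInterface $provider,
    $class,                          // fully qualified class name, e.g. 'Class\\Name'
    SecurityIdentityInterface $sid,  // e.g. UserSecurityIdentity::fromAccount($user)
    $mask                            // e.g. MaskBuilder::MASK_EDIT
) {
    // Assumption: the same constant identifier is used for every class-scope ACL,
    // so later calls find the ACL created by the first one.
    $oid = new ObjectIdentity('class', $class);

    try {
        $acl = $provider->findAcl($oid);
    } catch (AclNotFoundException $e) {
        $acl = $provider->createAcl($oid);
    }

    // Look for an existing granting class ACE belonging to this identity.
    foreach ($acl->getClassAces() as $index => $ace) {
        if ($ace->isGranting() && $ace->getSecurityIdentity()->equals($sid)) {
            // updateClassAce() replaces the mask of the entry at this position.
            $acl->updateClassAce($index, $mask);
            $provider->updateAcl($acl);

            return $index;
        }
    }

    // No entry yet for this identity: insert one at the front (index 0).
    $acl->insertClassAce($sid, $mask);
    $provider->updateAcl($acl);

    return 0;
}
```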
