Another thing I'd want to know is the order in which permissions are checked.
The docs say it does the check like this:
"The PermissionGrantingStrategy first checks all your object-scope ACEs if
none is applicable, the class-scope ACEs will be checked, if none is
applicable, then the process will be repeated with the ACEs of the parent
ACL. If no parent ACL exists, an exception will be thrown."
But I have a class scope ACE already inserted and when I check if my user
isGranted, it shows this log:
SELECT a.ancestor_id
FROM acl_object_identities o
INNER JOIN acl_classes c ON c.id = o.class_id
INNER JOIN acl_object_identity_ancestors a ON
a.object_identity_id = o.id
WHERE ((o.object_identifier = '24435' AND c.class_type =
'MyFullClassCurrency'))
No ACL found for the object identity. Voting to deny access.
It looks for an object-scope ACL (it's using the ID of the currency 24435)
and if it doesn't find it, it doesn't check for class-scope permissions. It
just denies me the action. The thing is that it couldn't do it anyway
because to create a class-scope ACL I need to create an ObjectIdentity
object with some random ID (in my case "-1"), so the ACL component has no
way to know which object identity refers to my class-scope ACL.
Is this the expected behaviour? If it is, should I create an ACL for the
object and make it inherit from the class-scope ACL?
Thanks in advance.
On Tue, Mar 29, 2011 at 4:26 PM, Gustavo Adrian <[email protected]
> wrote:
> Hi all,
>
> I'm still working with the ACL feature. Now I'm implementing class scope
> permissions. What I'd need to know is how to work with indexes. If I want to
> update a class ACE, I would have this:
>
>
> $acl = $aclProvider->findAcl( $classIdentity, array( $securityIdentity ) );
> $classAces = $acl->getClassAces();
>
> // Suppose I have an ACE with the CREATE permission with granting = true,
> // but I want to update it to inherit this permission from its parent ACL,
> // so I would have to delete this ACE
> foreach ( $classAces as $index => $ace )
> {
>     if ( $ace->getMask() === MaskBuilder::CREATE )
>     {
>         $acl->deleteClassAce( $index );
>     }
> }
>
>
> The problem here is that it throws an exception claiming that the index "%d"
> is undefined. How should I obtain the index of the ACE so I can delete or
> update it? And BTW, if I want to change a permission CREATE from GRANTED to
> NOT GRANTED or DENIED (changing "granting" from true to false), how could I
> do it? Should I delete the ACE and insert a new one?
>
>
>
> Thanks in advance.
>
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-users?hl=en
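
The lookup order quoted from the docs, and the "No ACL found" vote from the log, as an added example that is not part of the original thread and is not Symfony's own code. The class and function names, the bit-mask matching rule, the identity strings and the CREATE value are assumptions made for illustration (PHP 8 syntax).

```php
<?php
// Simplified model, not Symfony's implementation; Ace, Acl, decide() and voteOnObject() are hypothetical.
final class Ace
{
    public function __construct(public string $sid, public int $mask, public bool $granting) {}
}
final class Acl
{
    public function __construct(
        public array $objectAces = [],
        public array $classAces = [],
        public ?Acl $parent = null
    ) {}
}
// First applicable ACE decides: object scope, then class scope, then the parent ACL.
function decide(Acl $acl, string $sid, int $required): bool
{
    foreach ([$acl->objectAces, $acl->classAces] as $aces) {
        foreach ($aces as $ace) {
            // Assumed matching rule: same identity and every required bit set.
            if ($ace->sid === $sid && ($ace->mask & $required) === $required) {
                return $ace->granting;
            }
        }
    }
    if ($acl->parent !== null) {
        return decide($acl->parent, $sid, $required);
    }
    throw new RuntimeException('No applicable ACE found.');
}

// Voter step seen in the log: with no ACL stored for the identity, decide() never runs.
function voteOnObject(array $acls, string $oid, string $sid, int $required): bool
{
    if (!isset($acls[$oid])) {
        return false; // "No ACL found for the object identity. Voting to deny access."
    }
    try {
        return decide($acls[$oid], $sid, $required);
    } catch (RuntimeException $e) {
        return false;
    }
}

const CREATE = 2; // constructed mask value
$classAcl = new Acl(classAces: [new Ace('user-1', CREATE, true)]);
$acls = ['Currency:-1' => $classAcl]; // class-scope ACL stored under a dummy id
var_dump(voteOnObject($acls, 'Currency:24435', 'user-1', CREATE)); // lookup by the real id
$acls['Currency:24435'] = new Acl(parent: $classAcl); // object ACL inheriting from the class-scope one
var_dump(voteOnObject($acls, 'Currency:24435', 'user-1', CREATE)); // same lookup, now with a parent chain
```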