When you delete entries, I'd recommend that you iterate from back to front
"for ($i=count($aces)-1; $i>=0; $i--) { /* ... */ }" since deleting an entry
will change all indices of the following entries.

One of the principles of the ACL system is that each domain object instance
has exactly one ACL instance. That ACL instance will also hold the
class-scoped ACEs, but you need to create an ACL for each object instance.

Kind regards,
Johannes

On Tue, Mar 29, 2011 at 10:11 PM, Gustavo Adrian <
[email protected]> wrote:

> Another thing I'd want to know is the order in which permissions are
> checked. The docs say it does the check like this:
>
> "The PermissionGrantingStrategy first checks all your object-scope ACEs if
> none is applicable, the class-scope ACEs will be checked, if none is
> applicable, then the process will be repeated with the ACEs of the parent
> ACL. If no parent ACL exists, an exception will be thrown."
>
> But I have a class scope ACE already inserted and when I check if my user
> isGranted, it shows this log:
>
>
> SELECT a.ancestor_id
>             FROM acl_object_identities o
>             INNER JOIN acl_classes c ON c.id = o.class_id
>             INNER JOIN acl_object_identity_ancestors a ON a.object_identity_id = o.id
>             WHERE ((o.object_identifier = '24435' AND c.class_type = 'MyFullClassCurrency'))
>
> No ACL found for the object identity. Voting to deny access.
>
>
> It looks for an object-scope ACL (it's using the ID of the currency 24435)
> and if it doesn't find it, it doesn't check for class-scope permissions. It
> just denies me the action. The thing is that it couldn't do it anyway
> because to create a class-scope ACL I need to create an ObjectIdentity
> object with some random ID (in my case "-1"), so the ACL component has no
> way to know which object identity refers to my class-scope ACL.
>
> Is this the expected behaviour? If it is, should I create an ACL for the
> object and make it inherit from the class-scope ACL?
>
>
>
> Thanks in advance.
>
> On Tue, Mar 29, 2011 at 4:26 PM, Gustavo Adrian <
> [email protected]> wrote:
>
>> Hi all,
>>
>> I'm still working with the ACL feature. Now I'm implementing class scope
>> permissions. What I'd need to know is how to work with indexes. If I want to
>> update a class ACE, I would have this:
>>
>>
>> $acl = $aclProvider->findAcl( $classIdentity, array( $securityIdentity ) );
>> $classAces = $acl->getClassAces();
>>
>> // Suppose I have an ACE with the CREATE permission with granting = true,
>> // but I want to update it to inherit this permission from its parent ACL,
>> // so I would have to delete this ACE
>> foreach ( $classAces as $index => $ace )
>> {
>>      if ( $ace->getMask() === MaskBuilder::CREATE )
>>      {
>>           $acl->deleteClassAce( $index );
>>      }
>> }
>>
>>
>> The problem here is that it throws an exception claiming that the index
>> "%d" is undefined. How should I obtain the index of the ACE so I can delete
>> or update it? And BTW, if I want to change a permission CREATE from GRANTED
>> to NOT GRANTED or DENIED (changing "granting" from true to false), how could
>> I do it? Should I delete the ACE and insert a new one?
>>
>>
>>
>> Thanks in advance.
>>
>
>  --
> If you want to report a vulnerability issue on symfony, please send it to
> security at symfony-project.com
>
> You received this message because you are subscribed to the Google
> Groups "symfony users" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/symfony-users?hl=en
>
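
The index shift behind the back-to-front advice above, as an added example that is not part of the original thread and is not Symfony's code. `AceListModel` is a hypothetical stand-in that assumes each delete reindexes the remaining ACEs; the mask values and ACE lists are constructed.

```php
<?php
// Hypothetical stand-in for an ACL's class-ACE list, not Symfony's class.
// Assumption: deleteClassAce() reindexes the entries that remain.
final class AceListModel
{
    private $aces;

    public function __construct(array $aces) { $this->aces = array_values($aces); }

    public function getClassAces(): array { return $this->aces; }

    public function deleteClassAce(int $index): void
    {
        if (!isset($this->aces[$index])) {
            throw new OutOfBoundsException(sprintf('index %d does not exist', $index));
        }
        unset($this->aces[$index]);
        $this->aces = array_values($this->aces); // later entries move down by one
    }
}

const MASK_VIEW = 1;   // constructed mask values for the sample data
const MASK_CREATE = 2;

// Delete every CREATE ACE found in a snapshot, visiting indices in the given order.
function deleteCreateAces(AceListModel $acl, array $indices): string
{
    $snapshot = $acl->getClassAces();
    try {
        foreach ($indices as $i) {
            if ($snapshot[$i]['mask'] === MASK_CREATE) {
                $acl->deleteClassAce($i);
            }
        }
    } catch (OutOfBoundsException $e) {
        return 'exception: ' . $e->getMessage();
    }
    return 'remaining masks: ' . json_encode(array_column($acl->getClassAces(), 'mask'));
}

$create = ['mask' => MASK_CREATE, 'granting' => true];
$view   = ['mask' => MASK_VIEW, 'granting' => true];

foreach ([[$create, $create, $view], [$view, $create, $create]] as $aces) { // constructed ACE lists
    $forward  = array_keys($aces);
    $backward = array_reverse($forward);
    echo 'front to back: ', deleteCreateAces(new AceListModel($aces), $forward), PHP_EOL;
    echo 'back to front: ', deleteCreateAces(new AceListModel($aces), $backward), PHP_EOL;
}
```

Front to back, the first list loses its VIEW entry while one CREATE grant stays in place, and the second list throws on a stale index. Back to front removes only the CREATE entries in both cases.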
