If I want a global ALLOW (granting = true) for the VIEW permission for all
entities of "Currency" class, do I need to insert a Class ACE in each
currency for this permission? Maybe this is better:

$classIdentity = new ObjectIdentity( '-1', 'Currency' );

$acl = $aclProvider->createAcl( $classIdentity );
$acl->insertClassAce( $userIdentity, MaskBuilder::CREATE, 0, true );

And then, in each ACL of each Currency's object, it would inherit from the
ACL of the example. This way I don't need to insert a class ace in each ACL
of each individual Currency object. Besides, what if I want to update this
class-scope permission to granting = false? I would need to update the Class
ACE of each object's ACL. This way I only need to update the Class ACE of
the ObjectIdentity I've created in the example.

Is this valid?


Thanks in advance.

Best regards.

On Tue, Mar 29, 2011 at 5:34 PM, Johannes Schmitt <[email protected]> wrote:

> When you delete entries, I'd recommend that you iterate from back to front
> "for ($i=count($aces)-1; $i>=0; $i--) { /* ... */ }" since deleting an entry
> will change all indices of the following entries.
>
> One of the principles of the ACL system is that each domain object instance
> has exactly one ACL instance. That ACL instance will also hold the
> class-scoped ACEs, but you need to create an ACL for each object instance.
>
> Kind regards,
> Johannes
>
> On Tue, Mar 29, 2011 at 10:11 PM, Gustavo Adrian <
> [email protected]> wrote:
>
>> Another thing I'd want to know is the order in which permissions are
>> checked. The docs say it does the check like this:
>>
>> "The PermissionGrantingStrategy first checks all your object-scope ACEs if
>> none is applicable, the class-scope ACEs will be checked, if none is
>> applicable, then the process will be repeated with the ACEs of the parent
>> ACL. If no parent ACL exists, an exception will be thrown."
>>
>> But I have a class scope ACE already inserted and when I check if my user
>> isGranted, it shows this log:
>>
>>
>> SELECT a.ancestor_id
>>             FROM acl_object_identities o
>>             INNER JOIN acl_classes c ON c.id = o.class_id
>>             INNER JOIN acl_object_identity_ancestors a ON
>> a.object_identity_id = o.id
>>              WHERE ((o.object_identifier = '24435' AND c.class_type =
>> 'MyFullClassCurrency'))
>>
>> No ACL found for the object identity. Voting to deny access.
>>
>>
>> It looks for an object-scope ACL (it's using the ID of the currency 24435)
>> and if it doesn't find it, it doesn't check for class-scope permissions. It
>> just denies me the action. The thing is that it couldn't do it anyway
>> because to create a class-scope ACL I need to create an ObjectIdentity
>> object with some random ID (in my case "-1"), so the ACL component has no
>> way to know which object identity refers to my class-scope ACL.
>>
>> Is this the expected behaviour? If it is, should I create an ACL for the
>> object and make it inherit from the class-scope ACL?
>>
>>
>>
>> Thanks in advance.
>>
>> On Tue, Mar 29, 2011 at 4:26 PM, Gustavo Adrian <
>> [email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I'm still working with the ACL feature. Now I'm implementing class scope
>>> permissions. What I'd need to know is how to work with indexes. If I want to
>>> update a class ACE, I would have this:
>>>
>>>
>>> $acl = $aclProvider->findAcl( $classIdentity, array( $securityIdentity ) );
>>> $classAces = $acl->getClassAces();
>>>
>>> // Suppose I have an ACE with the CREATE permission with granting = true,
>>> // but I want to update it to inherit this permission from its parent ACL,
>>> // so I would have to delete this ACE
>>> foreach ( $classAces as $index => $ace )
>>> {
>>>      if ( $ace->getMask() === MaskBuilder::CREATE )
>>>      {
>>>           $acl->deleteClassAce( $index );
>>>      }
>>> }
>>>
>>>
>>> The problem here is that it throws an exception claiming that the index
>>> "%d" is undefined. How should I obtain the index of the ACE so I can delete
>>> or update it? And BTW, if I want to change a permission CREATE from GRANTED
>>> to NOT GRANTED or DENIED (changing "granting" from true to false), how could
>>> I do it? Should I delete the ACE and insert a new one?
>>>
>>>
>>>
>>> Thanks in advance.
>>>
>>
>>  --
>> If you want to report a vulnerability issue on symfony, please send it to
>> security at symfony-project.com
>>
>> You received this message because you are subscribed to the Google
>> Groups "symfony users" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/symfony-users?hl=en
>>
>
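
Johannes's advice above to iterate from back to front when deleting ACEs, shown as an added example that is not part of the original thread and is not Symfony code. `ClassAceList`, the `MASK_*` values and the `user-*` identities are constructed stand-ins, and the re-indexing on delete is assumed from his description.

```php
<?php
// Hypothetical stand-in for an ACL's class-ACE list (not Symfony code).
// Assumption taken from the reply: deleting an entry re-indexes the rest.
final class ClassAceList
{
    private array $aces;
    public function __construct(array $aces) { $this->aces = array_values($aces); }
    public function getClassAces(): array { return $this->aces; }
    public function deleteClassAce(int $index): void
    {
        if (!isset($this->aces[$index])) {
            throw new OutOfBoundsException(sprintf('The index "%d" does not exist.', $index));
        }
        unset($this->aces[$index]);
        $this->aces = array_values($this->aces); // following entries move up
    }
}
const MASK_VIEW = 1;   // constructed mask values
const MASK_CREATE = 2;

// Delete every class ACE with $mask, back to front, so the indices still
// to be visited are never shifted by an earlier deletion.
function deleteClassAcesWithMask(ClassAceList $acl, int $mask): void
{
    $aces = $acl->getClassAces();
    for ($i = count($aces) - 1; $i >= 0; $i--) {
        if ($aces[$i]['mask'] === $mask) {
            $acl->deleteClassAce($i);
        }
    }
}

// Constructed sample: two CREATE grants followed by one VIEW grant.
$sample = [
    ['sid' => 'user-a', 'mask' => MASK_CREATE, 'granting' => true],
    ['sid' => 'user-b', 'mask' => MASK_CREATE, 'granting' => true],
    ['sid' => 'user-c', 'mask' => MASK_VIEW, 'granting' => true],
];
// Forward loop over a snapshot, as in the original question.
$forward = new ClassAceList($sample);
foreach ($forward->getClassAces() as $index => $ace) {
    if ($ace['mask'] === MASK_CREATE) {
        $forward->deleteClassAce($index);
    }
}
$backward = new ClassAceList($sample);
deleteClassAcesWithMask($backward, MASK_CREATE);
echo 'forward:  ', json_encode(array_column($forward->getClassAces(), 'sid')), "\n";
echo 'backward: ', json_encode(array_column($backward->getClassAces(), 'sid')), "\n";
```

With this input the forward loop leaves the CREATE grant for user-b in place and removes the VIEW entry for user-c instead, without raising any error; the backward loop leaves only the VIEW entry.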
