If I want a global ALLOW (granting = true) for the VIEW permission for all entities of the "Currency" class, do I need to insert a Class ACE in each currency for this permission? Maybe this is better:
$classIdentity = new ObjectIdentity( '-1', 'Currency' );
$acl = $aclProvider->createAcl( $classIdentity );
$acl->insertClassAce( $userIdentity, MaskBuilder::CREATE, 0, true );

And then, in each ACL of each Currency object, it would inherit from the ACL of the example. This way I don't need to insert a class ACE in each ACL of each individual Currency object. Besides, what if I want to update this class-scope permission to granting = false? I would need to update the Class ACE of each object's ACL. This way I only need to update the Class ACE of the ObjectIdentity I've created in the example.

Is this valid?

Thanks in advance. Best regards.

On Tue, Mar 29, 2011 at 5:34 PM, Johannes Schmitt <[email protected]> wrote:

> When you delete entries, I'd recommend that you iterate from back to front
> "for ($i=count($aces)-1; $i>=0; $i--) { /* ... */ }" since deleting an entry
> will change all indices of the following entries.
>
> One of the principles of the ACL system is that each domain object instance
> has exactly one ACL instance. That ACL instance will also hold the
> class-scoped ACEs, but you need to create an ACL for each object instance.
>
> Kind regards,
> Johannes
>
> On Tue, Mar 29, 2011 at 10:11 PM, Gustavo Adrian <[email protected]> wrote:
>
>> Another thing I'd want to know is the order in which permissions are
>> checked. The docs say it does the check like this:
>>
>> "The PermissionGrantingStrategy first checks all your object-scope ACEs if
>> none is applicable, the class-scope ACEs will be checked, if none is
>> applicable, then the process will be repeated with the ACEs of the parent
>> ACL. If no parent ACL exists, an exception will be thrown."
>>
>> But I have a class scope ACE already inserted and when I check if my user
>> isGranted, it shows this log:
>>
>> SELECT a.ancestor_id
>> FROM acl_object_identities o
>> INNER JOIN acl_classes c ON c.id = o.class_id
>> INNER JOIN acl_object_identity_ancestors a ON a.object_identity_id = o.id
>> WHERE ((o.object_identifier = '24435' AND c.class_type = 'MyFullClassCurrency'))
>>
>> No ACL found for the object identity. Voting to deny access.
>>
>> It looks for an object-scope ACL (it's using the ID of the currency 24435)
>> and if it doesn't find it, it doesn't check for class-scope permissions. It
>> just denies me the action. The thing is that it couldn't do it anyway
>> because to create a class-scope ACL I need to create an ObjectIdentity
>> object with some random ID (in my case "-1"), so the ACL component has no
>> way to know which object identity refers to my class-scope ACL.
>>
>> Is this the expected behaviour? If it is, should I create an ACL for the
>> object and make it inherit from the class-scope ACL?
>>
>> Thanks in advance.
>>
>> On Tue, Mar 29, 2011 at 4:26 PM, Gustavo Adrian <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I'm still working with the ACL feature. Now I'm implementing class scope
>>> permissions. What I'd need to know is how to work with indexes. If I want to
>>> update a class ACE, I would have this:
>>>
>>> $acl = $aclProvider->findAcl( $classIdentity, array( $securityIdentity ) );
>>> $classAces = $acl->getClassAces();
>>>
>>> // Suppose I have an ACE with the CREATE permission with granting = true,
>>> // but I want to update it to inherit this permission from its parent ACL,
>>> // so I would have to delete this ACE
>>> foreach ( $classAces as $index => $ace )
>>> {
>>>     if ( $ace->getMask() === MaskBuilder::CREATE )
>>>     {
>>>         $acl->deleteClassAce( $index );
>>>     }
>>> }
>>>
>>> The problem here is that it throws an exception claiming that the index
>>> "%d" is undefined.
>>> How should I obtain the index of the ACE so I can delete
>>> or update it? And BTW, if I want to change a permission CREATE from GRANTED
>>> to NOT GRANTED or DENIED (changing "granting" from true to false), how could
>>> I do it? Should I delete the ACE and insert a new one?
>>>
>>> Thanks in advance.
>>
>> --
>> If you want to report a vulnerability issue on symfony, please send it to
>> security at symfony-project.com
>>
>> You received this message because you are subscribed to the Google
>> Groups "symfony users" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/symfony-users?hl=en
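
The index problem discussed in this thread, as an added PHP example that is not part of any message above and is not Symfony's code: it contrasts the front-to-back delete loop with the back-to-front loop Johannes recommends. `AceList`, the value of `MASK_CREATE` and the sample entries are constructed stand-ins that model only the renumbering of entries after a delete.

```php
<?php
// Added illustration. AceList is a hypothetical stand-in, not Symfony's Acl class:
// it models only the renumbering of later entries after a delete.
final class AceList
{
    private array $aces;
    public function __construct(array $aces) { $this->aces = array_values($aces); }
    public function getClassAces(): array { return $this->aces; }
    public function deleteClassAce(int $index): void
    {
        if (!isset($this->aces[$index])) {
            throw new OutOfBoundsException("no ACE at index $index");
        }
        unset($this->aces[$index]);
        $this->aces = array_values($this->aces); // later entries shift down by one
    }
}

const MASK_CREATE = 2;  // constructed value for the example
const SAMPLE_ACES = [   // constructed sample data: two CREATE entries, one other
    ['sid' => 'alice', 'mask' => MASK_CREATE],
    ['sid' => 'bob',   'mask' => 1],
    ['sid' => 'carol', 'mask' => MASK_CREATE],
];

// Front to back over a snapshot: once index 0 is deleted only 0 and 1 remain,
// so the snapshot's index 2 is stale and the second delete throws.
function deleteForward(AceList $acl, int $mask): void
{
    foreach ($acl->getClassAces() as $index => $ace) {
        if ($ace['mask'] === $mask) { $acl->deleteClassAce($index); }
    }
}

// Back to front: indices still to be visited lie below the deleted one.
function deleteBackward(AceList $acl, int $mask): void
{
    $aces = $acl->getClassAces();
    for ($i = count($aces) - 1; $i >= 0; $i--) {
        if ($aces[$i]['mask'] === $mask) { $acl->deleteClassAce($i); }
    }
}

$acl = new AceList(SAMPLE_ACES);
try { deleteForward($acl, MASK_CREATE); }
catch (OutOfBoundsException $e) { echo 'forward:  ', $e->getMessage(), "\n"; }
$acl = new AceList(SAMPLE_ACES);
deleteBackward($acl, MASK_CREATE);
echo 'backward: ', count($acl->getClassAces()), " ACE(s) left\n";
```

In this model the forward pass aborts with the last CREATE entry still in the list, so a permission that was meant to be removed stays in place; the backward pass removes both.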
