Symfony 2 Acls insertClassAces
I am using Symfony acls and I noticed that when the acl class is first created, acl_object_identities is also created with object_identifier = class
But if you insert the ace class (acl_entries) the object_identity_id is set to NULL. I wonder why the previously created acl_object_identity is not being used?
table acl_class: 6 xxxxxxxx / myclass
acl_object_identities table 63 NULL 6 class 1
acl_entries table 199 6 NULL 1 NULL 3 1073741823 1 all 0 0
Must not be? 199 6 63 1 NULL 3 1073741823 1 all 0 0
I don't understand why the objet identity class is created and not used with class entries.
This is my code, maybe something is wrong:
//find or create acl
$classIdentity = new ObjectIdentity('class', ClassUtils::getRealClass($class));
$aclProvider = $this->getService('security.acl.provider');
try {
$acl = $aclProvider->findAcl($classIdentity);
} catch (AclNotFoundException $e) {
$acl = $aclProvider->createAcl($classIdentity);
}
//insert class aces
$maskBuilder = new MaskBuilder(128);
$securityId = new RoleSecurityIdentity('ROLE_ADMIN');
$acl->insertClassAce($securityId, $maskBuilder->get());
$aclProvider->updateAcl($acl);
thank
source to share
I hope I read your question correctly.
The table acl_object_identities
contains only that: object identifiers. Even when you create an ACE based on a class, you must provide a valid object id, and you do so using the named "dummy" id class
. In theory, it could be anything other than NULL
an empty string. Use class
is a general agreement in these cases).
Remember that ACLs can theoretically have a mix of object ACEs and global scope ACEs (even with or without fields). Without the (dummy) object id present in the table acl_object_identities
, you cannot use the ACL directly, for example to update, delete.
Another reason why you want to access such an ACL directly is to check permissions when there are no objects:
$objectIdentity = new ObjectIdentity('class', 'The\Namespaced\Class');
if ($context->isGranted('CREATE', $objectIdentity)) {
... // seems you are allowed to create objects of this class
}
It would be useful to check against "global" CREATE
permissions for the class.
The table acl_entries
consists of all ACEs, both objects and areas of the ACE class. When object_identity_id is set NULL
, the entry is an ACE with class extension, otherwise it is scope ACE. The class-class ACE only needs to know which class is being used, and doesn't really care about object IDs, so this field can be empty. The field is class_id
used in these cases to define the class type.
In theory, they could have removed the column
class_id
from
acl_entries
and always used
object_identity_id
, because that table also has a reference to
class_id
. However, this will require an additional connection and we still need to add somewhere in
ace_table
whether the ACE is a class or an object's ACE.
Keep in mind that much of the ACL is written for efficiency and speed reasons, which sometimes impairs readability.
source to share