Symfony 2 Acls insertClassAces

I am using Symfony ACLs and I noticed that when the ACL for a class is first created, an acl_object_identities row is also created with object_identifier = class.

But if you insert a class ACE (acl_entries), its object_identity_id is set to NULL. I wonder why the previously created acl_object_identities row is not being used?

table acl_class:
    6 | xxxxxxxx / myclass

table acl_object_identities:
    63 | NULL | 6 | class | 1

table acl_entries:
    199 | 6 | NULL | 1 | NULL | 3 | 1073741823 | 1 | all | 0 | 0

Shouldn't it be?
    199 | 6 | 63 | 1 | NULL | 3 | 1073741823 | 1 | all | 0 | 0

I don't understand why the class object identity is created and then not used by the class entries.

This is my code, maybe something is wrong:

<?php
use Doctrine\Common\Util\ClassUtils;
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;

// find or create the class-scoped ACL (createAcl() is what writes the
// acl_object_identities row with object_identifier = 'class')
$classIdentity = new ObjectIdentity('class', ClassUtils::getRealClass($class));
$aclProvider = $this->getService('security.acl.provider');
try {
    $acl = $aclProvider->findAcl($classIdentity);
} catch (AclNotFoundException $e) {
    $acl = $aclProvider->createAcl($classIdentity);
}

// insert a class-scope ACE for ROLE_ADMIN with the given mask
$maskBuilder = new MaskBuilder(128);
$securityId = new RoleSecurityIdentity('ROLE_ADMIN');
$acl->insertClassAce($securityId, $maskBuilder->get());

// persist the ACE to acl_entries (object_identity_id ends up NULL)
$aclProvider->updateAcl($acl);





1 answer

I hope I read your question correctly.

The table acl_object_identities contains just that: object identities. Even when you create a class-based ACE you have to provide a valid object id, and you do so by using the "dummy" id named class. (In theory it could be anything other than NULL, even an empty string; using class is the general convention in these cases.)

Remember that ACLs can in theory hold a mix of object-scope ACEs and class-scope ACEs (either with or without fields). Without the (dummy) object id present in acl_object_identities you could not use the ACL directly, for example to update or delete it.

Another reason why you would want to access such an ACL directly is to check permissions when there is no object at hand:

 $objectIdentity = new ObjectIdentity('class', 'The\Namespaced\Class');
 if ($context->isGranted('CREATE', $objectIdentity)) {
     // ... seems you are allowed to create objects of this class
 }


This is useful for checking "global" CREATE permissions for the class.

The table acl_entries holds all ACEs, both object-scope and class-scope. When object_identity_id is NULL the entry is a class-scope ACE, otherwise it is an object-scope ACE. A class-scope ACE only needs to know which class it applies to and does not care about object ids, so that field can be empty; the class_id field is what defines the class type in those cases.

In theory they could have dropped the class_id column from acl_entries and always used object_identity_id, because that table also references class_id. That would however require an additional join, and something would still have to be stored in the ACE table to say whether an ACE is class-scope or object-scope.

Keep in mind that much of the ACL code is written for efficiency and speed, which sometimes hurts readability.
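To make the class-scope versus object-scope distinction from the answer concrete, here is an added example (my own, not code from the question or the answer) that grants a class ACE and an object ACE on the same entity class and then checks both against the ACL directly. It assumes a Symfony 2 application where $aclProvider is the security.acl.provider service, and the class names Acme\DemoBundle\Entity\Post and Acme\DemoBundle\Entity\User and the user name alice are hypothetical placeholders.

```php
<?php
// Added example, not from the question or the answer above.
// Assumptions: $aclProvider is the 'security.acl.provider' service
// (a MutableAclProviderInterface); Acme\DemoBundle\Entity\Post and
// Acme\DemoBundle\Entity\User are hypothetical entity classes.

use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
use Symfony\Component\Security\Acl\Exception\NoAceFoundException;
use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;

/**
 * Load the ACL for $oid, creating it (and with it the acl_object_identities
 * row) when it does not exist yet.
 */
function findOrCreateAcl(MutableAclProviderInterface $aclProvider, ObjectIdentityInterface $oid)
{
    try {
        return $aclProvider->findAcl($oid);
    } catch (AclNotFoundException $e) {
        return $aclProvider->createAcl($oid);
    }
}

$postClass = 'Acme\DemoBundle\Entity\Post';
$admin = array(new RoleSecurityIdentity('ROLE_ADMIN'));
$alice = array(new UserSecurityIdentity('alice', 'Acme\DemoBundle\Entity\User'));

// 1. Class scope: ROLE_ADMIN may CREATE any Post.
//    createAcl() writes the acl_object_identities row with
//    object_identifier = 'class'; insertClassAce() + updateAcl() write an
//    acl_entries row with class_id set and object_identity_id = NULL,
//    exactly the shape shown in the question's dump.
$classOid = new ObjectIdentity('class', $postClass);
$classAcl = findOrCreateAcl($aclProvider, $classOid);
$classAcl->insertClassAce($admin[0], MaskBuilder::MASK_CREATE);
$aclProvider->updateAcl($classAcl);

// 2. Object scope: alice may EDIT the single Post with id 42.
//    insertObjectAce() is the case where object_identity_id is non-NULL:
//    it points at the acl_object_identities row for ('42', Post).
$postOid = new ObjectIdentity('42', $postClass);
$postAcl = findOrCreateAcl($aclProvider, $postOid);
$postAcl->insertObjectAce($alice[0], MaskBuilder::MASK_EDIT);
$aclProvider->updateAcl($postAcl);

// 3. Checks against the ACL objects themselves (no security context needed).
//    The provider attaches every class-scope ACE of the class to each ACL it
//    loads for that class, and PermissionGrantingStrategy consults object
//    ACEs first, then class ACEs.

// "Global" CREATE check with no object at hand: only the class ACL is used.
$adminCanCreate = $aclProvider->findAcl($classOid)
    ->isGranted(array(MaskBuilder::MASK_CREATE), $admin);          // true

// The same class ACE also applies when a concrete Post is checked.
$adminCanCreate42 = $aclProvider->findAcl($postOid)
    ->isGranted(array(MaskBuilder::MASK_CREATE), $admin);          // true

// alice holds an object ACE for EDIT on Post 42 ...
$aliceCanEdit42 = $aclProvider->findAcl($postOid)
    ->isGranted(array(MaskBuilder::MASK_EDIT), $alice);            // true

// ... but no ACE of any scope grants or denies her CREATE, so the strategy
// throws NoAceFoundException instead of returning false: treat it as denial.
try {
    $aclProvider->findAcl($postOid)->isGranted(array(MaskBuilder::MASK_CREATE), $alice);
    $aliceCanCreate = true;
} catch (NoAceFoundException $e) {
    $aliceCanCreate = false;
}
```

Going through $context->isGranted('CREATE', $objectIdentity) as in the answer ends up in the same place: the ACL voter resolves the permission name to masks, loads the ACL for the given object identity and calls isGranted() on it, so a class ObjectIdentity is enough for the "global" check. The try/catch around the last call matters in practice: a missing ACE is an exception, not a false, and code that forgets this turns an access-control miss into an unhandled error.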


