I'm working on an SF2 app (my first) and am looking for some guidance wrt. access controls. I don't think ACLs fit the requirements so I thought I'd ask around and see if someone has run into something similar and has some thoughts to share.
The purpose of the application is to manage Log entities for Widget entities. Widget entities belong to a Group entity. Groups are organized into multi-rooted tree hierarchies, one root Group entity for each Organization entity. So, logs belong to a widget which belongs to a group (which belongs to a parent group...) which belongs to an organization.

Users are assigned to zero or more organizations. They cannot access groups or widgets in organizations they are not assigned to. Users are assigned to zero or more groups. If they are not assigned to any groups within an organization, they can access all of that organization's groups and widgets. If they are assigned to one or more groups within an organization, they can only access the assigned groups and their contained subgroups and widgets.

Users are assigned a role which determines what actions they can perform on the entities they have access to. Roles are layered, inheriting the privileges of lower levels. From low to high, they are:

* GUEST allows read-only access.
* USER adds creation of logs for accessible widgets as well as editing of own logs.
* MANAGER adds editing of assigned groups and create/edit/delete of subgroups, widgets and logs.
* ADMIN adds editing of assigned organizations and full access to their groups, widgets and logs.
* SYSADMIN adds full access to all organizations.

I've read what I can find on SF2's ACLs but I don't see how this kind of access scheme can be managed well with them. Maybe I'm wrong. I'm inclined to manually implement the logic I've described. My EntityRepository classes would have get*() methods that use the current user to filter results. My Entity classes would have can*() methods that return true if the current user can perform the action. My controllers would use these to control access. So, how far off base am I here?
:) Paul
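As an added illustration (not code from the post or from Symfony), here is the access decision described above written as plain, framework-free PHP so the rules can be unit-tested on their own before being wired into the proposed can*() methods or a Symfony voter. The role names come from the post; the $groups tree, the user array shape and the PHP 7.4+ syntax are assumptions.

```php
<?php
// Added example: decision logic for the org / group-subtree / layered-role scheme.
// Role ladder from the post; the numeric levels are an assumption used for comparison.
const ROLES = ['GUEST' => 0, 'USER' => 1, 'MANAGER' => 2, 'ADMIN' => 3, 'SYSADMIN' => 4];

// Constructed sample tree: id => ['org' => organization id, 'parent' => parent id or null].
$groups = [
    'g1'  => ['org' => 'acme', 'parent' => null],   // root group of org "acme"
    'g1a' => ['org' => 'acme', 'parent' => 'g1'],
    'g1b' => ['org' => 'acme', 'parent' => 'g1a'],
    'g2'  => ['org' => 'beta', 'parent' => null],   // root group of org "beta"
];

// Layered roles: a user satisfies $required if their role is at or above it.
function hasRole(array $user, string $required): bool {
    return ROLES[$user['role']] >= ROLES[$required];
}

// Visibility check: org membership first; no group assignments in that org means the
// whole org is visible; otherwise only assigned groups and their subtrees are visible.
function canAccessGroup(array $user, string $groupId, array $groups): bool {
    if (hasRole($user, 'SYSADMIN')) { return true; }
    $org = $groups[$groupId]['org'];
    if (!in_array($org, $user['orgs'], true)) { return false; }
    // Only assignments inside this org restrict access here.
    $assignedInOrg = array_filter($user['groups'], fn($g) => $groups[$g]['org'] === $org);
    if ($assignedInOrg === []) { return true; }
    // Walk up to the root; grant if the group itself or any ancestor is assigned.
    for ($cur = $groupId; $cur !== null; $cur = $groups[$cur]['parent']) {
        if (in_array($cur, $assignedInOrg, true)) { return true; }
    }
    return false;
}

// Action check: visibility combined with the role ladder (creating a widget needs MANAGER).
function canCreateWidgetIn(array $user, string $groupId, array $groups): bool {
    return hasRole($user, 'MANAGER') && canAccessGroup($user, $groupId, $groups);
}

$manager = ['role' => 'MANAGER', 'orgs' => ['acme'], 'groups' => ['g1a']];
var_dump(canAccessGroup($manager, 'g1b', $groups));  // true: g1b sits under assigned g1a
var_dump(canAccessGroup($manager, 'g1', $groups));   // false: g1 is above the assignment
var_dump(canAccessGroup($manager, 'g2', $groups));   // false: not a member of org "beta"
$user = ['role' => 'USER', 'orgs' => ['acme'], 'groups' => []];
var_dump(canAccessGroup($user, 'g1', $groups));      // true: no assignments, whole org visible
var_dump(canCreateWidgetIn($user, 'g1', $groups));   // false: USER is below MANAGER
```

Keeping the decision in one place like this also makes it straightforward to reuse the same function inside the repository get*() filters, so listing and acting on entities cannot drift apart.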