On 19 sep, 07:49, Fabien Potencier <fabien.potenc...@symfony-
project.com> wrote:
> On 9/17/10 4:18 PM, Bulat Shakirzyanov wrote:
>
> > Fabien,
>
> > From looking at the documentation for ACEGI, it specifically states
> > that the framework could be used to secure actions on *services*.
>
> I know Spring Security (Ageci is the old name) pretty well ;)
>
> > Now, since all services reside in the DIC, maybe we could use a simmilar
> > technique Doctrine uses to create Proxy objects.
>
> That's something I want to avoid. I don't want to have one proxy object
> for each real object you have in your application.
>
> > For example:
>
> > <service id="some_service" class="SomeService">
> > <tag name="secure">
> > <action role="moderator">moderateSomething</action>
> > </tag>
> > </service>
>
> Yeah, but most the time, you want to secure entities, and those are not
> managed by the DIC.
>
> I'm no saying it is impossible, just that with the current state of PHP,
> it means we need to add a lot of black magic to make it work. And that's
> not something I want to do... yet.
Not necessarily protecting entities, services methods are a nice level
for a comfortable security management, since most of the daily
developer's job is to make change on Controllers and Views.
Cyrille.
>
> Fabien
>
> > Then ContainerBuilder would build a proxy object for that service and
> > register it:
>
> > class SomeServiceSecured extends SomeService
> > {
> > protected $security;
>
> > public function __construct(SecurityContextHolder $contextHolder)
> > {
> > $this->security = $contextHolder->getSecurity();
> > }
>
> > public function moderateSomething()
> > {
> > if (!$security->hasAccess(array($this, 'moderateSomething'))) {
> > throw new AccessDeniedException();
> > }
> > return parent::moderateSomething();
> > }
> > }
>
> > And the cached container:
>
> > //...
> > public function getSomeService()
> > {
> > if (!isset($this->shared['some_service'])) {
> > $service = new
> > SomeServiceSecured($this->getSecurityContextHolderService());
> > $this->shared['some_service'] = $service;
> > }
> > return $this->shared['some_service'];
> > }
>
> > This approach might have some performance overhead, but I feel like it
> > might provide the necessary functionality.
> > Thoughts?
>
> > On Fri, Sep 17, 2010 at 6:52 AM, Fabien Potencier
> > <[email protected]
> > <mailto:[email protected]>> wrote:
>
> > On 9/17/10 11:09 AM, Cyrille37 wrote:
>
> > On 13 sep, 17:30, Lukas Kahwe Smith<[email protected]
> > <mailto:[email protected]>> wrote:
>
> > On 13.09.2010, at 16:00, Fabien Potencier wrote:
> > ... ... ...
> > but the key thing that i would like to see addressed in a
> > more consistent manner in the symfony community is checking
> > of permissions when reading models. this obviously requires
> > support on the ORM/ODM level.
> > ... ... ...
>
> > I like the concept of ACL applied on the Model.
> > I used to apply it when worked with Java. I used the ACEGI framework
> > (http://www.acegisecurity.org/) to protect the Model and do not rely
> > on web page developper for managing rights.
>
> > I did not find this concept around Php. I think, from an industrial
> > view, it's a must have.
>
> > I makes a lot of sense but how can you do the same in PHP? The only
> > possibility is to have AOP.
>
> > Fabien
>
> > --
> > If you want to report a vulnerability issue on symfony, please send
> > it to security at symfony-project.com <http://symfony-project.com>
>
> > You received this message because you are subscribed to the Google
> > Groups "symfony developers" group.
> > To post to this group, send email to [email protected]
> > <mailto:[email protected]>
> > To unsubscribe from this group, send email to
> > [email protected]
> > <mailto:symfony-devs%[email protected]>
> > For more options, visit this group at
> > http://groups.google.com/group/symfony-devs?hl=en
>
> > --
> > If you want to report a vulnerability issue on symfony, please send it
> > to security at symfony-project.com
>
> > You received this message because you are subscribed to the Google
> > Groups "symfony developers" group.
> > To post to this group, send email to [email protected]
> > To unsubscribe from this group, send email to
> > [email protected]
> > For more options, visit this group at
> >http://groups.google.com/group/symfony-devs?hl=en
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
