It would be really nice to have a more friendly API for the ACL management. Maybe creating an AclManager or something like that to expose all the functionalities with a friendly API like the one you mentioned.
After using this component (which is amazing, by the way) there are a couple of additional points I'd like to see too. I implemented the ACL component in my last app three months ago or so, so maybe these points are not valid anymore. If that's the case, ignore them :)

1) Last time I worked with the ACL feature I had to implement a way to not only allow a permission, but to deny it too, or to set it as "inherit", so the parent ACL decides if the permission is granted or denied (or inherited again, leaving the decision to its parent ACL if it exists). There are a lot of cool things like this available in the security component, but some of them are not so intuitive to implement. Maybe this could be included in the "AclManager" mentioned above to ease the process of setting permissions like these.

2) There's a topic I didn't touch yet because in my last app the visibility of the elements is decided according to three or four application-specific rules, so I didn't use the VIEW permission at the object level to decide which specific objects a user can see and which not. But if I want to limit the objects a user can see based on a VIEW permission set at the object level for this user, how can I, for example, list only the objects that the user owns or has the VIEW permission assigned for? If I remember right, the decision about whether a permission is granted or not is not made by a query on the DB, but by one of the classes in the security component (I don't remember which), so I can't simply add a condition to my query and JOIN some ACL table to filter the objects the user can see. I could, for example, obtain from the ACL component the IDs of the objects for which the user has the VIEW permission granted, and then limit the list of objects shown to the user using those IDs. I'm not sure if this is the best way to do it, but the point is that it would be nice if we had a friendly way to query the ACL DB to obtain this kind of information.

3) Since the decision of granting a permission or not is not at the DB level, but at the PHP level, is there a way to implement Assertions, like in Zend_Acl? (http://framework.zend.com/manual/en/zend.acl.advanced.html). It would be great to have an easy way of adding some custom additional check at the moment of deciding if some permission is granted or not for a user.

Again, I worked some time ago with the ACL feature, so maybe some (if not all) of these points are not relevant anymore, or there are already ways to do things like these that I'm not aware of yet. In any case, I'd like to hear comments about this. I'd be glad to help too if you guys agree that some of these points would be useful. Thanks.
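Points 1 and 2 above, worked through with the Symfony 2 security ACL API as an added example that is not part of the post or of the Symfony project: a granting ACE, a denying ACE, an inheriting ACL, and a batch filter that keeps only the objects the user may VIEW. `$aclProvider`, `$user`, `$post` and `$parentAcl` are assumed to exist; `$post` is assumed to have a `getId()` method and no ACL yet.

```php
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Exception\NoAceFoundException;
use Symfony\Component\Security\Acl\Exception\NotAllAclsFoundException;
use Symfony\Component\Security\Acl\Model\AclProviderInterface;
use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;

// Point 1: allow, deny and "inherit" on one object's ACL. $user, $post and
// $parentAcl are hypothetical; $post has getId() and no ACL yet.
function setPostPermissions(MutableAclProviderInterface $aclProvider, $user, $post, $parentAcl)
{
    $sid = UserSecurityIdentity::fromAccount($user);
    $acl = $aclProvider->createAcl(ObjectIdentity::fromDomainObject($post));
    $acl->insertObjectAce($sid, MaskBuilder::MASK_VIEW, 0, true); // granting ACE
    // Denying ACE ($granting = false): DELETE is refused even if a class-level
    // or parent ACE would allow it, because object ACEs are evaluated first.
    $acl->insertObjectAce($sid, MaskBuilder::MASK_DELETE, 1, false);
    // "Inherit": permissions this ACL does not decide fall through to the parent.
    $acl->setParentAcl($parentAcl);
    $acl->setEntriesInheriting(true);
    $aclProvider->updateAcl($acl);
}

// Point 2: the decision is made in PHP, not by a SQL JOIN, so batch-load the
// candidates' ACLs and keep only the objects whose ACL grants VIEW.
function filterViewable(AclProviderInterface $aclProvider, array $objects, $user)
{
    $sids = array(UserSecurityIdentity::fromAccount($user));
    $oids = $byId = array();
    foreach ($objects as $object) {
        $oid = ObjectIdentity::fromDomainObject($object);
        $oids[] = $oid;
        $byId[$oid->getIdentifier()] = $object; // all objects assumed of one class
    }
    try {
        $acls = $aclProvider->findAcls($oids, $sids);
    } catch (NotAllAclsFoundException $e) {
        $acls = $e->getPartialResult(); // objects without an ACL are not viewable
    }
    $viewable = array();
    foreach ($acls as $oid) {
        try {
            if ($acls[$oid]->isGranted(array(MaskBuilder::MASK_VIEW), $sids)) {
                $viewable[] = $byId[$oid->getIdentifier()];
            }
        } catch (NoAceFoundException $e) { // no applicable ACE in the chain: denied
        }
    }
    return $viewable;
}
```

The filter still loads one ACL per candidate, so it only narrows a list you have already bounded by other means (ownership, pagination); it does not replace a DB-level condition.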
