Ok so I have been nose deep in the ACL system for the last few weeks and I 
have to say it has been quite a learning experience. I think I have it 
pretty well figured out but one problem has cropped up that I can't work out 
a solution to, which is inheritance at the ace level.

Here is my general hierarchy: Category > Thread > Post

Category gets the base permissions for the roles then thread gives read, 
write, edit, delete to the creator and the same occurs to the post for its 
creator. The problem is obviously the fact that I do not want to allow the 
thread creator the ability to edit the posts that are not his.

Possible solutions I have thought of

   1. Add a denying ace for the thread creator on posts that are not his. This 
      would work but it has the major problem wherein if that user also happens 
      to be a moderator they will have their permissions denied. Now on ace 
      creation I could do checks to make sure the user is not a moderator but 
      this would leave weird permissions if the user ever had their role revoked.
   2. Create a voter. This is the best option I have thought of but I 
      anticipate needing to do this quite a bit over the entirety of the site so 
      I would rather not have to create a voter in every instance I need this 
      functionality.
   3. Disable inheritance on the post object. This would work but I would have 
      to create the entire acl hierarchy again creating all sorts of headaches.
   
So this leaves me wondering if there is a way to effectively disable 
inheritance at the ace level.

Thanks

-- 
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony developers" group.
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
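
Added example, not part of the original post and not Symfony's own code: option 2 above written once as a reusable voter that vetoes owner-only permissions for anyone who is not the object's creator, so a single class covers Thread, Post and any later owned type. It assumes the Symfony 2 Security component's `VoterInterface`, that the voter is registered with the `security.voter` tag, and that the access decision manager uses the `unanimous` strategy so that a deny overrides the ACL voter's inherited grant; the `Acme\ForumBundle` namespace, `OwnedInterface`, `getOwnerUsername()` and the `ROLE_MODERATOR` role name are hypothetical.

```php
<?php
namespace Acme\ForumBundle\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

/** Hypothetical interface (added example), implemented by Thread and Post. */
interface OwnedInterface
{
    /** @return string username of the user who created the object */
    public function getOwnerUsername();
}

/** Vetoes owner-only permissions for non-owners; never grants anything itself. */
class OwnerOnlyVoter implements VoterInterface
{
    private $attributes, $bypassRole;

    public function __construct(array $attributes = array('EDIT', 'DELETE'), $bypassRole = 'ROLE_MODERATOR')
    {
        $this->attributes = $attributes;
        $this->bypassRole = $bypassRole;
    }

    public function supportsAttribute($attribute)
    {
        return in_array($attribute, $this->attributes, true);
    }

    public function supportsClass($class)
    {
        return in_array(__NAMESPACE__.'\OwnedInterface', (array) class_implements($class), true);
    }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        if (!$object instanceof OwnedInterface || !array_filter($attributes, array($this, 'supportsAttribute'))) {
            return self::ACCESS_ABSTAIN; // not our concern: leave it to the ACL voter
        }
        foreach ($token->getRoles() as $role) { // direct roles only, hierarchy not expanded
            if ($role->getRole() === $this->bypassRole) {
                return self::ACCESS_ABSTAIN; // moderators keep their category-level ACEs
            }
        }
        return $object->getOwnerUsername() === $token->getUsername()
            ? self::ACCESS_ABSTAIN : self::ACCESS_DENIED;
    }
}
```

Because the voter only abstains or denies, revoking a moderator role later needs no ACE cleanup: the next check simply falls through to the ownership comparison.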
