1) Yes, granting specifies whether the entry is granting (true) or denying
(false). Depending on the order of ACL entries, and the SIDs to which the
ACEs have been assigned, this can be used to implement scenarios like "grant
access to all users, but for this specific user deny access".

2) The index is the index of the entry in the array. You can retrieve the
array via the ->getXXXAces() method, and then loop over it to get the correct
index for your entry. Do not call methods directly on the ACE instances;
these changes will not be persisted to the database.

3) Since the order in which the entries are checked is significant,
"ace_order" is used to preserve the order of the entries in the array.
audit_success/_failure are only relevant if you have set up an AuditLogger,
which then can log if someone has been granted permissions through the ACL
system, based on which entry permission was granted, to which object
permission was granted, etc. The AuditLogger is only called if the value of
audit_success/_failure is true.

Kind regards,
Johannes

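The steps above (find the array index of a SID's class ACE, update it in place rather than inserting another row, use a deny entry, and persist through the provider) as an added example; this is not code from the thread or from Symfony itself. It assumes the Symfony 2 Security ACL component, a `$provider` implementing MutableAclProviderInterface, a `$user` implementing UserInterface, and the hypothetical helper names below.

```php
// Added example, not from the thread. Assumes the Symfony 2 Security ACL component
// and a $provider implementing MutableAclProviderInterface.
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
use Symfony\Component\Security\Acl\Model\MutableAclInterface;
use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
use Symfony\Component\Security\Acl\Model\SecurityIdentityInterface;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;

// Array index of the first class-scope ACE for $sid with the given granting flag, or null.
// This index, not the ACE's primary key, is what updateClassAce()/deleteClassAce() expect.
function findClassAceIndex(MutableAclInterface $acl, SecurityIdentityInterface $sid, $granting = true)
{
    foreach ($acl->getClassAces() as $index => $ace) {
        if ($ace->isGranting() === $granting && $sid->equals($ace->getSecurityIdentity())) {
            return $index;
        }
    }

    return null;
}

// Hypothetical helper: set $user's class-scope mask on $className, updating the existing
// entry in place instead of appending another row with a higher ace_order.
function setClassPermission(MutableAclProviderInterface $provider, $className, $user, $mask, $granting = true)
{
    $oid = new ObjectIdentity('class', $className);
    try {
        $acl = $provider->findAcl($oid);
    } catch (AclNotFoundException $e) {
        $acl = $provider->createAcl($oid);
    }
    $sid = UserSecurityIdentity::fromAccount($user);

    $index = findClassAceIndex($acl, $sid, $granting);
    if (null === $index) {
        // Index 0 makes this the first entry checked for this SID; a deny here wins over a later grant.
        $acl->insertClassAce($sid, $mask, 0, $granting);
    } else {
        $acl->updateClassAce($index, $mask);
    }

    // Edits to ACE objects are persisted only when the ACL is saved through the provider.
    $provider->updateAcl($acl);
}

// A "grant EDIT to everyone" entry can stay; this adds a deny entry for one user on all Post instances.
// setClassPermission($provider, 'Acme\\Entity\\Post', $user, MaskBuilder::MASK_EDIT, false);
```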
On Tue, Mar 22, 2011 at 9:42 PM, Gustavo Adrian <comfortablynum...@gmail.com> wrote:

> After implementing class-scope permissions thanks to Christophe's tip, I
> now have more questions :)
>
> I've been looking at the ACE schema and I see a couple of interesting
> things that I'd like to know how to use them.
>
> 1) First I see a "granting" boolean field and a "grant_strategy" field
> (with value "all" in my case in each row) on the "acl_entries" table.
> Looking then at the MutableAclInterface I see that the method
> "insertClassAce" has this signature:
>
> *function insertClassAce(SecurityIdentityInterface $sid, $mask, $index =
> 0, $granting = true, $strategy = null);*
>
> Does the $granting field allow me to use something like a DENY permission
> if I pass "false" to it? If that's the case, could I use it to DENY a
> privilege that has an ALLOW permission somewhere up on the hierarchy?
>
> 2) I've noticed that I can insert multiple Class ACEs using the same
> object identity and the same security identity, but it increases the
> "ace_order" for each row I insert. I have a form for each type of entity on
> my app to give class-scope permissions to specific users. Each time a user
> updates them, how can I update the corresponding ACE? I see in the
> MutableAclInterface that it has an updateClassAce method, but it needs an
> $index parameter and I don't know what it is. Is this the primary key of the
> ACE? If this is the case, should I query the DB myself using the class ID
> and the SID ID to retrieve the corresponding ACE's PK, or is there a method
> to update ACEs based on the SID and OID that I haven't found?
>
> 3) What's the purpose of the following fields on the "acl_entries" table:
> ace_order, audit_success, audit_failure? I've seen the
> AuditableAclInterface. How do methods like updateClassAuditing (with
> $auditSuccess and $auditFailure parameters) work?
>
> Thanks in advance and sorry if I asked too many questions, but this is a
> wonderful feature and I'd love to know all its possibilities :)
>
> On Mon, Mar 21, 2011 at 4:26 PM, Gustavo Adrian <comfortablynum...@gmail.com> wrote:
>
>> Great! Even easier than I thought. I'm beginning to love this feature :)
>>
>> Thanks a lot!
>>
>> On Mon, Mar 21, 2011 at 4:22 PM, Christophe COEVOET <s...@notk.org> wrote:
>>
>>> On 21/03/2011 20:11, Gustavo Adrian wrote:
>>>
>>>> Hi all,
>>>>
>>>> I'm starting to implement the ACL feature on my app and, from what I've
>>>> read and what I've already implemented, I must say: it's BEAUTIFUL. Great
>>>> job guys. It's just what I was looking for :)
>>>>
>>>> I have one question about this wonderful feature:
>>>>
>>>> 1) I've already implemented object-scope permissions using the
>>>> ObjectIdentifier class. What I don't know is: how do I grant class-scope
>>>> and class-field-scope permissions to a user? I didn't find how to do it in the
>>>> docs and I didn't find in the API something like ClassIdentifier. Which is
>>>> the right way to grant a class-scope permission to a user? Do I have to
>>>> check these permissions the same way I do it with object-scope permissions?
>>>> ($securityContext->isGranted( 'UPDATE', $objectIdentity ) )
>>>>
>>>
>>> The key to creating a class ACE is to use the insertClassAce method:
>>>
>>> $oid = new ObjectIdentity('whatever_you_want', 'Class\\Name');
>>> $acl = $provider->createAcl($oid);
>>> $sid = UserSecurityIdentity::fromAccount($user);
>>> $acl->insertClassAce($sid, MaskBuilder::MASK_OWNER);
>>>
>>> And then your user will have OWNER rights for all instances of the
>>> Class\Name class. The way to check does not change.
>>>
>>> Regards
>>>
>>> --
>>> Christophe | Stof
>>>
>>> --
>>> If you want to report a vulnerability issue on symfony, please send it to
>>> security at symfony-project.com
>>>
>>> You received this message because you are subscribed to the Google
>>> Groups "symfony users" group.
>>> To post to this group, send email to symfony-users@googlegroups.com
>>> To unsubscribe from this group, send email to
>>> symfony-users+unsubscr...@googlegroups.com
>>> For more options, visit this group at
>>> http://groups.google.com/group/symfony-users?hl=en
>>>
>>
>>
