Skip to content

Commit

Permalink
optimized AclVoter, added unit test
Browse files Browse the repository at this point in the history
  • Loading branch information
@schmittjoh @fabpot
schmittjoh authored and fabpot committed Jan 3, 2011
1 parent 1577110 commit 55a48bc
Show file tree
Hide file tree
Showing 4 changed files with 444 additions and 23 deletions.
3 changes: 3 additions & 0 deletions src/Symfony/Bundle/FrameworkBundle/Resources/config/security_acl.xml
View file
Expand Up @@ -15,6 +15,7 @@
<parameter key="security.acl.permission_granting_strategy.class">Symfony\Component\Security\Acl\Domain\PermissionGrantingStrategy</parameter>

<parameter key="security.acl.voter.class">Symfony\Component\Security\Acl\Voter\AclVoter</parameter>
<parameter key="security.acl.voter.allow_if_object_identity_unavailable">true</parameter>
<parameter key="security.acl.permission.map.class">Symfony\Component\Security\Acl\Permission\BasicPermissionMap</parameter>

<parameter key="security.acl.object_identity_retrieval_strategy.class">Symfony\Component\Security\Acl\Domain\ObjectIdentityRetrievalStrategy</parameter>
Expand Down Expand Up @@ -70,6 +71,8 @@
<argument type="service" id="security.acl.object_identity_retrieval_strategy" />
<argument type="service" id="security.acl.security_identity_retrieval_strategy" />
<argument type="service" id="security.acl.permission.map" />
<argument type="service" id="logger" on-invalid="null" />
<argument>%security.acl.voter.allow_if_object_identity_unavailable%</argument>
<tag name="security.voter" />
</service>
</services>
Expand Down
12 changes: 8 additions & 4 deletions src/Symfony/Component/Security/Acl/Domain/ObjectIdentity.php
View file
Expand Up @@ -58,10 +58,14 @@ public static function fromDomainObject($domainObject)
throw new InvalidDomainObjectException('$domainObject must be an object.');
}

if ($domainObject instanceof DomainObjectInterface) {
return new self($domainObject->getObjectIdentifier(), get_class($domainObject));
} else if (method_exists($domainObject, 'getId')) {
return new self($domainObject->getId(), get_class($domainObject));
try {
if ($domainObject instanceof DomainObjectInterface) {
return new self($domainObject->getObjectIdentifier(), get_class($domainObject));
} else if (method_exists($domainObject, 'getId')) {
return new self($domainObject->getId(), get_class($domainObject));
}
} catch (\InvalidArgumentException $invalid) {
throw new InvalidDomainObjectException($invalid->getMessage(), 0, $invalid);
}

throw new InvalidDomainObjectException('$domainObject must either implement the DomainObjectInterface, or have a method named "getId".');
Expand Down
77 changes: 58 additions & 19 deletions src/Symfony/Component/Security/Acl/Voter/AclVoter.php
View file
Expand Up @@ -2,6 +2,7 @@

namespace Symfony\Component\Security\Acl\Voter;

use Symfony\Component\HttpKernel\Log\LoggerInterface;
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
Expand Down Expand Up @@ -35,13 +36,17 @@ class AclVoter implements VoterInterface
protected $permissionMap;
protected $objectIdentityRetrievalStrategy;
protected $securityIdentityRetrievalStrategy;
protected $allowIfObjectIdentityUnavailable;
protected $logger;

public function __construct(AclProviderInterface $aclProvider, ObjectIdentityRetrievalStrategyInterface $oidRetrievalStrategy, SecurityIdentityRetrievalStrategyInterface $sidRetrievalStrategy, PermissionMapInterface $permissionMap)
public function __construct(AclProviderInterface $aclProvider, ObjectIdentityRetrievalStrategyInterface $oidRetrievalStrategy, SecurityIdentityRetrievalStrategyInterface $sidRetrievalStrategy, PermissionMapInterface $permissionMap, LoggerInterface $logger = null, $allowIfObjectIdentityUnavailable = true)
{
$this->aclProvider = $aclProvider;
$this->permissionMap = $permissionMap;
$this->objectIdentityRetrievalStrategy = $oidRetrievalStrategy;
$this->securityIdentityRetrievalStrategy = $sidRetrievalStrategy;
$this->logger = $logger;
$this->allowIfObjectIdentityUnavailable = $allowIfObjectIdentityUnavailable;
}

public function supportsAttribute($attribute)
Expand All @@ -51,44 +56,78 @@ public function supportsAttribute($attribute)

public function vote(TokenInterface $token, $object, array $attributes)
{
if (null === $object) {
return self::ACCESS_ABSTAIN;
} else if ($object instanceof FieldVote) {
$field = $object->getField();
$object = $object->getDomainObject();
} else {
$field = null;
}

if (null === $oid = $this->objectIdentityRetrievalStrategy->getObjectIdentity($object)) {
return self::ACCESS_ABSTAIN;
}
$sids = $this->securityIdentityRetrievalStrategy->getSecurityIdentities($token);

$firstCall = true;
foreach ($attributes as $attribute) {
if (!$this->supportsAttribute($attribute)) {
continue;
}

try {
$acl = $this->aclProvider->findAcl($oid, $sids);
} catch (AclNotFoundException $noAcl) {
return self::ACCESS_DENIED;
if ($firstCall) {
$firstCall = false;

if (null === $object) {
if (null !== $this->logger) {
$this->logger->debug(sprintf('Object identity unavailable. Voting to %s', $this->allowIfObjectIdentityUnavailable? 'grant access' : 'abstain'));
}

return $this->allowIfObjectIdentityUnavailable ? self::ACCESS_GRANTED : self::ACCESS_ABSTAIN;
} else if ($object instanceof FieldVote) {
$field = $object->getField();
$object = $object->getDomainObject();
} else {
$field = null;
}

if (null === $oid = $this->objectIdentityRetrievalStrategy->getObjectIdentity($object)) {
if (null !== $this->logger) {
$this->logger->debug(sprintf('Object identity unavailable. Voting to %s', $this->allowIfObjectIdentityUnavailable? 'grant access' : 'abstain'));
}

return $this->allowIfObjectIdentityUnavailable ? self::ACCESS_GRANTED : self::ACCESS_ABSTAIN;
}
$sids = $this->securityIdentityRetrievalStrategy->getSecurityIdentities($token);

try {
$acl = $this->aclProvider->findAcl($oid, $sids);
} catch (AclNotFoundException $noAcl) {
if (null !== $this->logger) {
$this->logger->debug('No ACL found for the object identity. Voting to deny access.');
}

return self::ACCESS_DENIED;
}
}

try {
if (null === $field && $acl->isGranted($this->permissionMap->getMasks($attribute), $sids, false)) {
if (null !== $this->logger) {
$this->logger->debug('ACL found, permission granted. Voting to grant access');
}

return self::ACCESS_GRANTED;
} else if (null !== $field && $acl->isFieldGranted($field, $this->permissionMap->getMasks($attribute), $sids, false)) {
if (null !== $this->logger) {
$this->logger->debug('ACL found, permission granted. Voting to grant access');
}

return self::ACCESS_GRANTED;
} else {
if (null !== $this->logger) {
$this->logger->debug('ACL found, insufficient permissions. Voting to deny access.');
}

return self::ACCESS_DENIED;
}
} catch (NoAceFoundException $noAce) {
if (null !== $this->logger) {
$this->logger->debug('ACL found, no ACE applicable. Voting to deny access.');
}

return self::ACCESS_DENIED;
}
}

// no attribute was supported
return self::ACCESS_ABSTAIN;
}

Expand Down

0 comments on commit 55a48bc

Please sign in to comment.