Modified the API

Changed most public functions to addClassPermission / addObjectPermission instead of addPermission(x,x,x, $permission_type).
Added setPermission that replaces all existing ACEs for given security id & object / class with a new one or creates one if none exists.

Did not add classField or objectField permission methods yet. These methods when updating the ACL have a different parameter order from class / object permissions and therefore cannot be used directly when doing: `$acl->{"insert{$type}Ace"}(...);`

TODO:
- add classField and objectField type permission
- add docs
- check revoke permission's behavior. Right now it does a full mask comparison, so removing "EDIT" rights will have no effect if someone has "OWNER". Not a problem per se, except maybe when people craft their own bit mask and only want to remove some permission from it. In that case, it is better to use revoke all and rebuild for now.
commit 121c81300f2f55325e189c9cdf338a56c0a978f4 1 parent ea9108c
@khepin khepin authored
28 Domain/AbstractAclManager.php
@@ -141,20 +141,30 @@ protected function doCreateSecurityIdentity($identity)
*/
protected function doApplyPermission(MutableAclInterface $acl, PermissionContextInterface $context, $replace_existing = false)
{
- $type = $context->getPermissionType();
+ $updated = false;
+
$aceCollection = $this->getAceCollection($acl, $context->getPermissionType());
-
$size = count($aceCollection) - 1;
reset($aceCollection);
for ($i = $size; $i >= 0; $i--) {
- if ($context->hasDifferentPermission($aceCollection[$i]) && $replace_existing) {
- // The ACE was found but with a different permission. Update it.
- $acl->{"update{$type}Ace"}($i, $context->getMask());
- return;
+ if($replace_existing){
+ // Replace all existing permissions with the new one
+ if ($context->hasDifferentPermission($aceCollection[$i])) {
+ // The ACE was found but with a different permission. Update it.
+ $acl->{"update{$type}Ace"}($i, $context->getMask());
+ $updated = true;
+ }
+ } else {
+ if($context->equals($aceCollection[$i])){
+ // The exact same ACE was found. Nothing to do.
+ return;
+ }
}
}
-
- $acl->{"insert{$type}Ace"}($context->getSecurityIdentity(), $context->getMask(), 0, $context->isGranting());
+ if(!$updated){
+ $type = $context->getPermissionType();
+ $acl->{"insert{$type}Ace"}($context->getSecurityIdentity(), $context->getMask(), 0, $context->isGranting());
+ }
}
protected function doRevokePermission(MutableAclInterface $acl, PermissionContextInterface $context)
@@ -166,6 +176,8 @@ protected function doRevokePermission(MutableAclInterface $acl, PermissionContex
$size = count($aceCollection) - 1;
reset($aceCollection);
for ($i = $size; $i >= 0; $i--) {
+ //@todo: probably not working if multiple ACEs or different bit mask
+ // but that include these permissions.
if ($context->equals($aceCollection[$i])) {
$acl->{"delete{$type}Ace"}($i);
$found = true;
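Review bot: `$type` is undefined when `$acl->{"update{$type}Ace"}($i, $context->getMask());` runs inside the loop of doApplyPermission, because the assignment that used to sit at the top of the method was moved into the `if(!$updated)` block after the loop, so in replace mode the dynamic method name degrades to `updateAce`, which MutableAclInterface does not provide. Put `$type = $context->getPermissionType();` back above the loop (it can then also feed the `getAceCollection` call instead of the second `getPermissionType()`). A second gap in the replace branch: `$updated` is only set when the existing ACE has a different mask, so an ACE that already matches leaves `$updated` false and an identical ACE is inserted again; `elseif ($context->equals($aceCollection[$i])) { $updated = true; }` after the update branch closes that. Whether `hasDifferentPermission` restricts the match to the context's security identity is not visible here; if it does not, replace mode rewrites every ACE on the ACL, which should be confirmed before relying on it for access control. The `@todo` added in doRevokePermission matches the mask-equality check below it; the rest of that method is outside the hunk.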
73 Domain/AclManager.php
@@ -14,8 +14,31 @@
class AclManager extends AbstractAclManager
{
+ /**
+ * {@inheritDoc}
+ */
+ public function addObjectPermission($domainObject, $mask, $securityIdentity = null)
+ {
+ $this->addPermission($domainObject, $mask, $securityIdentity, 'object', false);
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public function addClassPermission($domainObject, $mask, $securityIdentity = null)
+ {
+ $this->addPermission($domainObject, $mask, $securityIdentity, 'class', false);
+ }
- public function addPermission($domainObject, $mask, $securityIdentity = null, $type = 'object', $replace_existing = false)
+ /**
+ * @param mixed $domainObject
+ * @param int $mask
+ * @param UserInterface | TokenInterface | RoleInterface $securityIdentity
+ * @param string $type
+ * @param boolean $replace_existing
+ * @return \Problematic\AclManagerBundle\Domain\AbstractAclManager
+ */
+ protected function addPermission($domainObject, $mask, $securityIdentity = null, $type = 'object', $replace_existing = false)
{
if(is_null($securityIdentity)){
$securityIdentity = $this->getUser();
@@ -29,13 +52,34 @@ public function addPermission($domainObject, $mask, $securityIdentity = null, $t
return $this;
}
-
- public function setPermission($domainObject, $mask, $securityIdentity = null, $type = 'object')
+
+ /**
+ * @param mixed $domainObject
+ * @param int $mask
+ * @param UserInterface | TokenInterface | RoleInterface $securityIdentity
+ * @param string $type
+ * @param boolean $replace_existing
+ * @return \Problematic\AclManagerBundle\Domain\AbstractAclManager
+ */
+ protected function setPermission($domainObject, $mask, $securityIdentity = null, $type = 'object')
{
- $this->addPermission($domainObject, $mask, $securityIdentity, $type = 'object', true);
+ $this->addPermission($domainObject, $mask, $securityIdentity, $type, true);
return $this;
}
+ /**
+ * {@inheritDoc}
+ */
+ public function setObjectPermission($domainObject, $mask, $securityIdentity = null){
+ $this->setPermission($domainObject, $mask, $securityIdentity, 'object');
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public function setClassPermission($domainObject, $mask, $securityIdentity = null){
+ $this->setPermission($domainObject, $mask, $securityIdentity, 'class');
+ }
public function revokePermission($domainObject, $mask, $securityIdentity = null, $type = 'object')
{
@@ -51,7 +95,23 @@ public function revokePermission($domainObject, $mask, $securityIdentity = null,
return $this;
}
- public function revokeAllPermissions($domainObject, $securityIdentity = null, $type = 'object')
+ /**
+ * {@inheritDoc}
+ */
+ public function revokeAllClassPermissions($domainObject, $securityIdentity)
+ {
+ $this->revokeAllPermissions($domainObject, $securityIdentity, 'class');
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public function revokeAllObjectPermissions($domainObject, $securityIdentity)
+ {
+ $this->revokeAllPermissions($domainObject, $securityIdentity, 'object');
+ }
+
+ protected function revokeAllPermissions($domainObject, $securityIdentity = null, $type = 'object')
{
if(is_null($securityIdentity)){
$securityIdentity = $this->getUser();
@@ -91,6 +151,9 @@ public function isGranted($attributes, $object = null)
return $this->getSecurityContext()->isGranted($attributes, $object);
}
+ /**
+ * {@inheritDoc}
+ */
public function getUser()
{
$token = $this->getSecurityContext()->getToken();
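Review bot: `revokeAllClassPermissions($domainObject, $securityIdentity)` and `revokeAllObjectPermissions($domainObject, $securityIdentity)` drop the `= null` default that Model/AclManagerInterface.php declares for the same parameter in this commit, so PHP rejects AclManager with a "must be compatible" fatal error, and the `getUser()` fallback inside revokeAllPermissions becomes unreachable through the public API. Change both to `public function revokeAllClassPermissions($domainObject, $securityIdentity = null)` and `public function revokeAllObjectPermissions($domainObject, $securityIdentity = null)`. The new add*/set* wrappers also discard the `$this` that addPermission and setPermission return, so the chaining that the old public addPermission allowed is silently lost; `return $this->addPermission(...)` in each wrapper keeps it. The setPermission docblock lists `@param boolean $replace_existing`, which that method does not take. The wrappers alternate between `{` on its own line and `){` on the signature line, while the rest of the file uses the former.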
58 Model/AclManagerInterface.php
@@ -4,17 +4,69 @@
interface AclManagerInterface
{
-
- public function addPermission($domainObject, $mask, $securityIdentity = null, $type = 'object');
+ /**
+ * Sets permission mask for a given domain object. All previous permissions for this
+ * user and this object will be over written. If none existed, a new one will be created.
+ *
+ * @param mixed $domainObject
+ * @param int $mask
+ * @param UserInterface | TokenInterface | RoleInterface $securityIdentity if none given, the current session user will be used
+ */
+ public function addObjectPermission($domainObject, $mask, $securityIdentity = null);
+
+ /**
+ * Sets permission mask for a given class. All previous permissions for this
+ * user and this class will be over written. If none existed, a new one will be created.
+ *
+ * @param mixed $domainObject
+ * @param int $mask
+ * @param UserInterface | TokenInterface | RoleInterface $securityIdentity if none given, the current session user will be used
+ */
+ public function addClassPermission($domainObject, $mask, $securityIdentity = null);
+
+ /**
+ * Sets permission mask for a given domain object. All previous permissions for this
+ * user and this object will be over written. If none existed, a new one will be created.
+ *
+ * @param mixed $domainObject
+ * @param int $mask
+ * @param UserInterface | TokenInterface | RoleInterface $securityIdentity if none given, the current session user will be used
+ */
+ public function setObjectPermission($domainObject, $mask, $securityIdentity = null);
- public function setPermission($domainObject, $mask, $securityIdentity = null, $type = 'object');
+ /**
+ * Sets permission mask for a given class. All previous permissions for this
+ * user and this class will be over written. If none existed, a new one will be created.
+ *
+ * @param mixed $domainObject
+ * @param int $mask
+ * @param UserInterface | TokenInterface | RoleInterface $securityIdentity if none given, the current session user will be used
+ */
+ public function setClassPermission($domainObject, $mask, $securityIdentity = null);
public function revokePermission($domainObject, $mask, $securityIdentity = null, $type = 'object');
+ /**
+ * @param mixed $domainObject
+ * @param UserInterface | TokenInterface | RoleInterface $securityIdentity if none given, the current session user will be used
+ */
+ public function revokeAllObjectPermissions($domainObject, $securityIdentity = null);
+
+ /**
+ * @param mixed $domainObject
+ * @param UserInterface | TokenInterface | RoleInterface $securityIdentity if none given, the current session user will be used
+ */
+ public function revokeAllClassPermissions($domainObject, $securityIdentity = null);
+
public function deleteAclFor($domainObject);
public function isGranted($attributes, $object = null);
+ /**
+ * Retrieves the current session user
+ *
+ * @return UserInterface
+ */
public function getUser();
}
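Review bot: The docblocks on addObjectPermission and addClassPermission are copies of the set* ones and state that all previous permissions for the user will be overwritten, but AclManager passes `$replace_existing = false` for add*, where doApplyPermission only skips an ACE that is identical and otherwise inserts a new one next to the existing ACEs. Reword them along the lines of `Adds a permission mask for a given domain object. Existing ACEs for this identity are kept; an identical ACE is not duplicated.` (and the class variant accordingly). revokePermission keeps the old `$type` parameter with no docblock while every other method now has an object/class pair, so a docblock naming the accepted `$type` values, or a revokeObjectPermission/revokeClassPermission pair, would make the interface consistent. The `@return UserInterface` on getUser cannot be checked from this commit and reads as an assumption about what the token holds; hedge it or confirm against getUser's body.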