Is Security ACL abandoned? #31
Comments
|
👍 I would like to know it too. I see no activity for this repository and the ACL system is not even included anymore in Symfony 3.x by default, so maybe it should be considered deprecated? /cc @fabpot |
|
This component was extracted from the Symfony core because none of the current core team member use it, but also because we think that most use cases should use roles instead. So, I think we need people taking over the maintenance of this component. |
|
Just to ask, which solution do core members use for ACL? A custom one? |
|
We developed a custom implementation of the Symfony ACL. We're using the ACL to protect routes via a controller listener and deny access when a ACL entry is not found (using a combination of annotations, UI and custom CLI to manage the permissions). We also have a custom implementation for the ACL proper because our class objects are accessible by default (no ACL entry) and our class instances are inaccessible by default (must have a granting ACL entry), so we have a custom permission mask for an entry that is zero, meaning no permissions granted so that classes can be explicitly denied access, and we also added some custom code to remove entries manually to bypass the known issues with missing sequential id entries affecting ACL management. |
|
@ste93cry Personally, I never had a project where I couldn't solve permission checks using voters. |
|
@fabpot Thank you for your reply. I deduce that this library is no longer maintained by any member of Symfony, and that the community must create a fork. It's quite understandable that this library is no longer included in the core since it is an advanced feature, and little used. However, I understand and I see 2 major problems to using the ACLs for anyone looking for an advanced authorization management system. The first, It's the complexity of implementation and use that calms many users, But also a performance problem on large volumes when we wish to filter the lists according to the authorizations of each user (in case the ACLs is saved for each record). To improve performance, I had initially implement a system to optimize the analysis of permissions over ACLs and avoid unnecessary database queries, but other problems have emerged, such as limiting the number of permissions define on the MaskBuilder. All this to say that I agree with @xabbuh, And that we can set permissions using Voters. As is the case for this library. Symfony included a role system, which is very well done in passing, But which very quickly reaches its limitations as soon as we wish to go further in the management of the authorizations (ex. define a role for each object for each permission: On another side @xabbuh, I understand that the use of this library for 'simple' projects with this level of authorizations is not necessary, but it's a pity that there is no longer any official library. Especially since this level of security is much used for professional tools, such as the ERP. @ste93cry Having found no other libraries than this one to manage finely the permissions and the shares, and given that this library is no longer maintained, I abandoned the ACLs for a management using the pattern 'Extended Role-Based Access Control' With a records sharing system. Of course, it uses a Voter to be compatible with the Authorization Checker. I will not go into details, because it is not the subject or the place, but the advantage of this approach, it's that the permissions are defined globally for each role. You can set as many permissions according to your needs, and set them global, for each class or each class field. It's however possible to give access to different records for a user or a role or a group (or an organization, but that is another topic). If you are interested by this approach, and given that this library is no longer maintained, I allow myself to show my work. You can found the Bundle here, and the library there. To conclude, and as far as I am concerned, I greatly thank the entire Symfony team and @fabpot for their work on this library, which was very useful for different projects until these last few months, despite the small bugs here and there. |
|
I think there is no need to "fork" this repository, I would be more than happy to give write access to people willing to continue maintaining this component here. |
|
I don't know if it's feasible nor if @francoispluchino would ever give a chance to this proposal, but given that he created a new ACL library that seems more advanced and at the same time simpler to understand that this one maybe we could integrate Sonatra Security into Symfony? |
|
@ste93cry I don't want to answer for @fabpot, but the purpose of the new versions of Symfony is to precisely keep the minimum, and allow third-party libraries to add specific functionalities. You are free to use the library that suits you. And not an imposed library, knowing that for this feature, every project has these specifications, and that a library can not meet all the possibilities. To answer your last question, I don't think @fabpot is interested to offering this feature (ERBAC) under the Symfony brand. |
I absolutely agree on this
I think I misspoke: I didn't meant to take your library and offer it under the Symfony brand. What I was thinking of is to mark this ACL library as deprecated (honestly, I don't think we can find people willing to maintain this now that's not even part anymore of Symfony Standard Edition) and instead integrate the docs of your library into the Symfony website and suggest to use it if the user has the need for an ACL. This is something similar to what's done with bundles of the FOS family. |
|
I have no experience with that bundle, but if it's something that is well maintained and integrates smoothly into Symfony featuring its documentation on symfony.com could indeed be a good idea. |
|
we are using the component quite intensive and will probably add more fixes to it or fill the gaps. Currently we are using our fork, but we'd like so see some of the improvements merged to the original component. I have not much experience as a maintainer, but I might as give it a shot. |
|
A really standard feature anyone using ACL would like to have is to be able to filter a query by ACL. Kudos to jaminvanderberg for implementing a working solution. https://github.com/jaminvanderberg/ACLFilterBundle Would it be possible to integrate this business logic into the official ACL source code after review? Any update on the maintenance of this bundle for next year? We have a product using ACL deeply. |
|
Hello devs, |
|
After some work I finally managed to build an Elastic Search (ElasticaBundle) version of jamin vanderberg's ACLFilterBundle. If you're intested, let me know. |
|
Closing this issue as this was more a discussion than anything else. |
Since the ACLs have been extracted from Symfony 3.0, the library has not updated since 1 year now.
Some issues and pull requests have been created since, but no response or merging has been made about bugs.
Examples:
Hence my question: is this library officially abandoned?
Thanks
The text was updated successfully, but these errors were encountered: