Symfony2: Access Control Lists (ACLs)


Well this thing is being a little bitch to understand… anyway, this is what I get so far:

First you need to tell the ACL system which database connection to use, because it stores the relations between objects and security identities in a set of database tables that it creates for you.

# app/config/security.yml
security:
    acl:
        connection: default

Then, to let the system create the tables it needs, run this command:
php app/console init:acl
Now you have 5 new tables in your database, which relate each object to its security identities and permissions.
When you use ACLs you basically create an access list for each ObjectIdentityInterface; each of these objects has a list of the UserSecurityIdentities that have some type of access to it. For example, one user might be able to delete an entity while another might only be able to read it (view it), so these lists hold the permissions that each user has over the object.
To create an ACL for an object (you do this only once, if none exists yet) you do this:
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;

// creating the ACL (the provider is the MutableAclProvider wired to the connection above)
$aclProvider = $this->container->get('security.acl.provider');
// the identity is built from the object's class and id, so the object must already be persisted
$objectIdentity = ObjectIdentity::fromDomainObject($comment);
$acl = $aclProvider->createAcl($objectIdentity);
We first took our object and created an ObjectIdentity from it, then created the ACL for that identity. If the ACL already exists you do:
$acl = $aclProvider->findAcl($objectIdentity);
Now, at this point we have an ACL. To write something into it you need the user to whom you want to assign permissions; generally this is the currently logged-in user:
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;

// retrieving the security identity of the currently logged-in user
$securityContext = $this->container->get('security.context');
$user = $securityContext->getToken()->getUser();
// the security identity is derived from the user's username and class
$securityIdentity = UserSecurityIdentity::fromAccount($user);
Now that we have our user (a UserInterface object) turned into a SecurityIdentity, we can start doing the thing this ACL is made for:
use Symfony\Component\Security\Acl\Permission\MaskBuilder;

// add an object-scoped ACE: this user gets the OWNER mask on this one object
$acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_OWNER);
// nothing is written to the database until the ACL is saved
$aclProvider->updateAcl($acl);
Here we are telling the ACL, if I understood correctly, that for this specific object the current user has OWNER access. This applies to this object only.
So in this case the access control entry rules just that object. I didn't test it, but according to the docs you can also set access control for ALL instances of a class, or for just a field of the object, and other options. Check out the ACL class for all the things you can do on an ACL.
OK, now that we know how to get an ACL, to check the permissions of a user we just do:
// does this user have OWNER rights over this object?
$acl->isGranted(array(MaskBuilder::MASK_OWNER), array($securityIdentity));
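Putting the pieces above together, here is an added example (not code from the original post) of a Symfony2 controller that creates the ACL when a comment is saved and checks it before an edit; it also covers the two failure modes a practitioner runs into, an object with no ACL and a user with no ACE, and shows why checking MASK_EDIT directly would miss the OWNER. Comment, CommentController and the Acme namespace are hypothetical names, and the Doctrine calls assume the Symfony 2.1-era container API.

```php
<?php
// Added example; Comment, CommentController and Acme\DemoBundle are hypothetical names.
namespace Acme\DemoBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
use Symfony\Component\Security\Acl\Exception\NoAceFoundException;
use Symfony\Component\Security\Acl\Permission\BasicPermissionMap;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class CommentController extends Controller
{
    public function createAction(Comment $comment)
    {
        // Flush first: fromDomainObject() needs the entity id, which an unsaved object lacks.
        $em = $this->getDoctrine()->getManager();
        $em->persist($comment);
        $em->flush();
        $aclProvider = $this->get('security.acl.provider');
        $acl = $aclProvider->createAcl(ObjectIdentity::fromDomainObject($comment));
        $user = $this->get('security.context')->getToken()->getUser();
        // Object-scoped ACE: OWNER on this one comment, not on the whole class.
        $acl->insertObjectAce(UserSecurityIdentity::fromAccount($user), MaskBuilder::MASK_OWNER);
        $aclProvider->updateAcl($acl);
    }

    public function editAction(Comment $comment)
    {
        $user = $this->get('security.context')->getToken()->getUser();
        $sid = UserSecurityIdentity::fromAccount($user);
        try {
            $acl = $this->get('security.acl.provider')
                ->findAcl(ObjectIdentity::fromDomainObject($comment));
            // MASK_OWNER (128) does not contain the MASK_EDIT bit (2), so array(MASK_EDIT) alone
            // would reject the owner; the map expands 'EDIT' to EDIT, OPERATOR, MASTER and OWNER.
            $map = new BasicPermissionMap();
            $allowed = $acl->isGranted($map->getMasks('EDIT', $comment), array($sid));
        } catch (AclNotFoundException $e) {
            $allowed = false; // no ACL was ever created for this object
        } catch (NoAceFoundException $e) {
            $allowed = false; // ACL exists, but no ACE applies to this user
        }
        if (!$allowed) {
            throw new AccessDeniedException('You may not edit this comment.');
        }
        // ... apply the edit ...
    }
}
```

The same EDIT check is what `$this->get('security.context')->isGranted('EDIT', $comment)` performs internally through the AclVoter, so in real controllers that one-liner is the usual form; the explicit version above is spelled out to show where the masks and exceptions come from.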

Someone correct me if I'm mistaken, I'm just learning this stuff myself.
