myclabs / acl Goto Github PK

This seems to be a bug with Doctrine: http://www.doctrine-project.org/jira/browse/DBAL-864

The AuthorizationRepository gets an error when trying to insert a FALSE value (which seems to get casted to an empty string):

Incorrect integer value: '' for column 'cascadable'

Table names are autogenerated for now, this is not good.

Given the following DQL query:

SELECT article FROM Blog\Article article
INNER JOIN MyCLabs\ACL\Model\Authorization authorization
    WITH authorization.entityId = article.id
WHERE authorization.entityClass = 'Blog\\Article'
    AND authorization.securityIdentity = :user
    AND authorization.actions.edit = true

If a user has redundant authorizations to a resource (because he has several roles), will entities be returned twice or more? If so, is SELECT DISTINCT necessary? This needs a test.

Possibility to support custom actions on top of view, edit, …

Example of a hierarchical model with cascading:

• Account (uses CascadingResource) cascades to Project
• Project (uses ResourceGraphTraverser) cascades to Item
• Item

The SimpleCascadeStrategy will not use the ResourceGraphTraverser after going through a CascadingResource.

As a result, authorizations given at Account level will not cascade to Item.

All tests in this repo grant a role and then revoke the same role. This works fine, because the role is already in memory I think. How do I lookup the role for a use which is associated with some resource x.

Right now I'm getting:

Entity has to be managed or scheduled for removal for single computation

for

$this->acl->revoke($user, new LocationManager($user, $location));

Example:

Role -> authorization           -> Category
     -> inherited authorization -> SubCategory

If we delete SubCategory, Role will not be deleted because it is associated to Category.

As a consequence, inherited authorization will not be deleted.

Authorizations that are inserted as "not cascadable" (i.e. shouldn't be cascaded) are cascaded.

The fix is coming with more tests and better code coverage.

Hello,

This is not really an issue but more of a question.
I am very enthusiastic about your ACL solution, but I have a question about the filtering queries solution. You say it is much more efficient to do filtering at query level. But how does it work with the return values? If I would do an isAllowed call and the result is false I would normally return a 405 (Method Not Allowed) status. With the ACL filtering queries I get no result from the query if the user is not allowed to access the resource and the logical response from a empty result set would be 404 (Not found). How can I let my client know if it was because of ACL restrictions or because of querying a non existent resource. This difference is significant. Is there way to deal with this?

Thanks in advance,
Wilt

In the documentation you talk about how a base role could be created:

Here the association targets ArticleEditorRole, but if you have several roles that apply to articles, you might want to have an abstract BaseArticleRole that you can reference in your Doctrine association."""

Could you maybe give me an example how this would work?

How many extra tables would be created?

Hi,

I've tried to generate db shema "php vendor/bin/doctrine orm:schema-tool:update" but no luck,

[Doctrine\Common\Persistence\Mapping\MappingException]
Class 'MyCLabs\ACL\Model\SecurityIdentityInterface' does not exist

There is problem processing Interface with class_exists ;> any idea?

Possibility to allow while not cascading this authorization:

public function allow($role, $actions, $resource, $cascade = true)

Great job, just some suggestions.

For consistency I think it would be good to take a look at the ZF2 interfaces for Acl. Like for example the AclInterface. The ZF2 isAllowed method from the interface has the arguments in the following order: role, resource, privilege. I think it would be a small effort to stick to these defaults by implementing the interfaces as provided in Zend\Permissions\Acl.

It would be worth considering to support role inheritance by self referencing to the parent role like in bjyoungblood his BjyAuthorize : https://github.com/bjyoungblood/BjyAuthorize/blob/master/src/BjyAuthorize/Acl/Role.php
https://github.com/bjyoungblood/BjyAuthorize/blob/master/src/BjyAuthorize/Provider/Role/ObjectRepositoryProvider.php
There are also role interfaces available in Zend\Permissions\Acl.

https://github.com/libracms/zendframework-minimal/blob/master/library/Zend/Permissions/Acl/AclInterface.php