symfony - Symfony2: creating a new SecurityIdentity -


i'm using acl in symfony 2.1, , need create new securityidentity, acl can set in function of sort of groups.

picture following situation: there groups users (with different roles) each have user information. in group 1, users role_admin can't edit other users same group's information, in group 2, users role_admin can edit others information.

so acl vary in function of group user in.

i thought i'd start solving problem creation of new "groupsecurityidentity". class doesn't suffice, exception when use it:

$sid must either instance of usersecurityidentity, or rolesecurityidentity.

my question is: how "register" new securityidentity can use rolesecurityidentity , usersecurityidentity?

what better ways there implement system similar want do?

2 years ago went down path, turned out bad decision. modifying acl system difficult , might cause problems when updating symfony. there @ least 2 better solutions. i'll list them can decide best suits needs.

new security identity

i'm using groupinterface fosuserbundle, guess use own too. following files need added:

next up: rewire dependency injection container providing following parameters: 

<parameter key="security.acl.dbal.provider.class">     acme\bundle\demobundle\security\acl\dbal\mutableaclprovider </parameter> <parameter key="security.acl.security_identity_retrieval_strategy.class">     acme\bundle\demobundle\security\acl\domain\securityidentityretrievalstrategy </parameter>

time cross fingers , see whether works. since old code might have forgotten something.

use roles groups

the idea have group names correspond roles.

a simple way have user entity re-implement userinterface::getroles:

public function getroles() {     $roles = parent::getroles();      // can cached should there performance issues     // highly doubt there be.     foreach ($this->getgroups() $group) {         // groupinterface::getrole() have use         // canonical name `role_group_name_of_group`         $roles[] = $group->getrole();     }      return $roles; }

a possible implementation of groupinterface::getrole():

public function getrole() {     $name = $this->getnamecanonical();      return 'role_group_'.mb_convert_case($name, mb_case_upper, 'utf-8'); }

it's matter of creating required ace-s written in cookbook article.

create voter

finally, use custom voters check presence of specific groups , whether user has access said object. possible implementation:

<?php  namespace acme\bundle\demobundle\authorization\voter;  use symfony\component\security\core\authentication\token\tokeninterface; use symfony\component\security\core\authorization\voter\voterinterface;  class mysecureobjectvoter implements voterinterface {     /**      * {@inheritdoc}      */     public function supportsattribute($attribute)     {         $supported = array('view');          return in_array($attribute, $supported);     }      /**      * {@inheritdoc}      */     public function supportsclass($class)     {         return $class instanceof groupableinterface;     }      /**      * {@inheritdoc}      */     public function vote(tokeninterface $token, $object, array $attributes)     {         $result = voterinterface::access_abstain;          if (!$object instanceof mysecureobject) {             return voterinterface::access_abstain;         }          foreach ($attributes $attribute) {             if (!$this->supportsattribute($attribute)) {                 continue;             }              // access granted, if user , object have @ least 1             // group in common.             if ('view' === $attribute) {                 $objgroups = $object->getgroups();                 $usergroups = $token->getuser()->getgroups();                  foreach ($usergroups $usergroup) {                     foreach ($objgroups $objgroup) {                         if ($usergroup->equals($objgroup)) {                             return voterinterface::access_granted;                         }                     }                 }                  return voterinterface::access_denied;             }         }     } }

for more details on voters please refer cookbook example.

i avoid creating custom security identity. use 2 other methods provided. second solution works best, if having lots of records , each of them must have different access settings. voters used setting simple access granting logic (which smaller systems seem fall under) or when flexibility necessary.


Comments

Post a Comment

Popular posts from this blog

Why does Ruby on Rails generate add a blank line to the end of a file? -

running rails generate controller foo home results in: class foocontroller < application controller def home end end (there's nothing on line in actual file, blank line) is there purpose blank line? it's common use newline indicate end of line, last line. many editors (like vi, use) add in newline silently. consensus text files (especially in unix world) should end in newline, , there have been problems historically if wasn't present. why should text files end newline? the tool used count lines in file "wc" counts newlines in file, without trailing newline show 3 instead of 4. it improves readability of templates used in generator. consider: https://github.com/rails/rails/blob/master/railties/lib/rails/generators/rails/controller/templates/controller.rb to remove trailing newline, template have last line of: end<% end -%> instead of: end <% end -%> that seems less readable me. the discussion below refers ...
Read more

keyboard - Smiles and long press feature in Android -

i've created android keyboard. how add features inserting smilies, , using long keypresses display symbols? to create long-press behavior allows select several options pop-up menu, follow guide (specifically pop-up menu section): http://developer.android.com/guide/topics/ui/menus.html smileys (also known emoticons) combination of keys, understood programs , parsed same way. have do, when clicks smiley face on keyboard, simulate pressing of key combination matching emoticon. example, when clicks smiley, should simulate key presses ':' , ')' :). here's list of emoticons: http://en.wikipedia.org/wiki/list_of_emoticons
Read more

node.js - Bad Request - node js ajax post -

i'm using express 3.0 , node v0.11.0. have button submits form , i'm using ajax post data json object node server. client code is: $('#contact').submit(function(e) { console.log('submit called'); var formdata = json.stringify($('form').serializeobject()); console.log(formdata); $.ajax({ url: "http://localhost:3000/savedata/", type: "post", datatype: 'json', data: {objectdata: formdata}, contenttype: "application/json", complete: function() { console.log('process complete'); }, success: function(data) { console.log('process sucess'); }, error: function() { console.log('process error'); }, }); return false; }); then on server: var express = require('express'); var app = express(); app.set('views', __dirname + '/views'); app.set('view engine', 'jade'); app.use(express.bodyparser());...
Read more