Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deviation: classAce not connected to object identity #9

Open
Narretz opened this issue Dec 6, 2012 · 4 comments
Open

Deviation: classAce not connected to object identity #9

Narretz opened this issue Dec 6, 2012 · 4 comments

Comments

@Narretz
Copy link

Narretz commented Dec 6, 2012

Using MongoDB, $acl->insertClassAce($securityIdentity, MaskBuilder::MASK_OWNER); etc. results in an acl_entity that is disconnected from the class object identity. Result is, that the aclProvider does not get the classAces if you pass an $object to ->isGranted.

Using ->insertobjectAce, the reference to the oid is saved in the ace. Missing altogether is a way to identify an ace as being of type class.

Using mysql, this is done by setting object_identity_id to NULL, and I guess the reference is then established with the class_id (type in MongoDB).

Mongodbacl deviation
@aborjesson-zz
Copy link

I have the same problem. Any new on this?

@iampersistent
Copy link
Contributor

Unfortunately, I haven't looked into this yet.

@aborjesson-zz
Copy link

I did look in to this. if instead of:
$acl->insertClassAce($securityIdentity, MaskBuilder::MASK_OWNER);
does $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_OWNER);
You will have the reference between acl_entry and o_id, but however the Permission Flow doesn't work. If no objectAce exists, it should normally fall back on classAce. But since we do not use classAce it will of course fail.

Why it isn't set for classAce: (MutableAclProvider)
1.
$objectIdentityId = $name === 'classAces' ? null : $ace->getAcl()->getId();
2.
$aceId = (string)$this->insertAccessControlEntry($objectIdentityId, null, $i, $sid, $ace->getStrategy(), $ace->getMask(), $ace->isGranting(), $ace->isAuditSuccess(), $ace->isAuditFailure());
3.
if (isset($objectIdentityId)) {
$criteria['objectIdentity'] = array(
'$ref' => $this->options['oid_collection'],
'$id' => new \MongoId($objectIdentityId),
);
}

The objectIdentity property will not be set in DB.

@Narretz
Copy link
Author

Narretz commented Feb 8, 2013

aborjessen pointed out one part of the problem: In updateAclProperty, no objectIdentity or other reference is set for classAces.

Later, when checking access, the AclProvider will try to get all acl_entries associated with the acl_oid in lookupObjectIdentities with this query:

$entryQuery = array('objectIdentity.$id' => array('$in' => $oids));
$entryCursor = $this->connection->selectCollection($this->options['entry_collection'])->find($entryQuery);

Now the query can obviously not get any aces that do not have an objectIdentity set.

So we need two things
a) Association of classAce with its class in the db
b) A way to query for these class Aces that doesn't have to much overhead

One option is to add a class field to the Ace (always or only if it actually is a classAce), and query for that additionally .

@Narretz Narretz mentioned this issue Feb 11, 2013
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@iampersistent @Narretz @aborjesson-zz