security-acl's Introduction

Security Component - ACL (Access Control List)

Security provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so-called user providers that hold the users' credentials. It is inspired by the Java Spring framework.

Resources

Documentation:

https://github.com/symfony/acl-bundle/blob/main/src/Resources/doc/index.rst

Tests

You can run the unit tests with the following command:

$ cd path/to/Symfony/Component/Security/Acl/
$ composer.phar install --dev
$ phpunit

security-acl's People

Contributors

acrobat, alexdpy, bentoumitech, briones, bronze1man, chalasr, derrabus, fabpot, gharlan, grahamcampbell, jaytaph, jderusse, kalessil, keradus, lavoiesl, lemoinem, linaori, mbabker, nicolas-grekas, pborreli, peterrehm, saro0h, stof, tobion, vincentlanglet, vladyslavstartsev, webmozart, wouterj, xabbuh, xwb

security-acl's Issues

Performance issue with 100+ setParentAcl

Hello,

We reached a scalability issue when persisting the following entities:
1 Parent
X Children
Each child has Y grandchildren
X*Y = 100+ setParentAcl calls

When we run this on standard (5-5-5 for instance), we get 4000 executeQuery calls.

Each query individually is less than 10ms, but because there are so many of them, we reach 5s. Way above the 2s limit we want for an API response.

Is this a known limitation of Acl that it works for a few entities, but it doesn't scale well for 100+ entities ?

We thought about a lot of possible optimizations. But all these executeQuery calls have a specific purpose and need to be run to ensure the Acl is properly set.

We've read all the source code of MutableAclProvider.

I don't believe combining 4000 executeQuery calls into 10 would actually make it faster.
https://dba.stackexchange.com/questions/76973/what-is-faster-one-big-query-or-many-small-queries

There isn't much information about acl performance online or in the documentation.

Do you have any clue ? We're really open to any solution.

Thank you.

Wrong check role instance in RoleSecurityIdentity class

There is a check in constructor of Symfony\Component\Security\Acl\Domain:
if ($role instanceof Role) {
    $role = $role->getRole();
}
I think it is better to check on Symfony\Component\Security\Core\Role\RoleInterface instead of Symfony\Component\Security\Core\Role\Role class
Pull request: #17

doctrine/common 3 support

There is a dev requirement for doctrine/common:~2.2, so tests pass correctly. However, there is no non-dev requirement or conflict with doctrine/common:~3.0, so this package can be installed alongside an incompatible version.

This appeared while adding doctrine/common:~3.0 support to sonata-project/admin-bundle (see sonata-project/SonataAdminBundle#6127) as there are errors in tests as follows:

Error: Interface 'Doctrine\Common\NotifyPropertyChanged' not found
/home/travis/build/sonata-project/SonataAdminBundle/vendor/symfony/security-acl/Domain/Acl.php:36
…

Exception on deleteObjectAce

I started digging into Symfony2 ACL system. I have created an ACL for entity and added two aces to it - one for UserSecurityIdentity and one for RoleSecurityIdentity

$aclProvider = $this->get('security.acl.provider');
$object = $this->getRepository()->find(...);

$objectIdentity = ObjectIdentity::fromDomainObject($object);

$identities = array(
    UserSecurityIdentity::fromAccount($this->getUser()),
    new RoleSecurityIdentity('ROLE_POWER_USER')
);

$acl = $aclProvider->createAcl($objectIdentity);

foreach ($identities as $securityIdentity) {
    $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_EDIT);
}

$aclProvider->updateAcl($acl);

The $acl->getObjectAces() returns array, with two ACES as expected

private 'objectAces' => 
    array (size=2)
      0 => 
        object(Symfony\Component\Security\Acl\Domain\Entry)[738]
          private 'acl' => 
            &object(Symfony\Component\Security\Acl\Domain\Acl)[736]
          private 'mask' => int 4
          private 'id' => int 6
          private 'securityIdentity' => 
            object(Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity)[737]
              ...
      1 => 
        object(Symfony\Component\Security\Acl\Domain\Entry)[740]
          private 'acl' => 
            &object(Symfony\Component\Security\Acl\Domain\Acl)[736]
          private 'mask' => int 4
          private 'id' => int 7
          private 'securityIdentity' => 
            object(Symfony\Component\Security\Acl\Domain\UserSecurityIdentity)[739]
              ...

Now I am working on a scenario where I want to delete ACE for a specific security identity. In this case, the UserSecurityIdentity, which was added to the ACL

$acl = $aclProvider->findAcl($objectIdentity);
$securityIdentity = UserSecurityIdentity::fromAccount($this->getUser());
$aces = $acl->getObjectAces();

foreach ($aces as $index => $ace) {
    $aceSecurityIdentity = $ace->getSecurityIdentity();

    if ($aceSecurityIdentity->equals($securityIdentity)) {
        $acl->deleteObjectAce($index);
    }
}

$aclProvider->updateAcl($acl);

But I get this ContextErrorException with message Notice: Undefined offset: 1 in Symfony/Component/Security/Acl/Domain/Acl.php line 413

What can cause this? Am I missing something?

Does not work with doctrine/dbal v2.13.0

If you upgrade doctrine/dbal to version 2.13.0, you can get this error

Argument 1 passed to Symfony\Component\Security\Acl\Dbal\AclProvider::hydrateObjectIdentities() must implement interface Doctrine\DBAL\Driver\Statement, instance of Doctrine\DBAL\ForwardCompatibility\Result given, called in /srv/www-manager/vendor/symfony/security-acl/Dbal/AclProvider.php on line 468

Cause: doctrine/dbal#4555

BC break with Doctrine DBAL 2.9.0

Symfony ACL defines its Schema with the option "autoincrement" => "auto" on all ID columns. But "autoincrement" is a boolean option, taking only true/false. Doctrine DBAL 2.9.0 uses stricter type checking (i.e. === instead of ==). This causes the schema diff function to always generate a diff for all ACL "id" columns, because "auto" !== true.

Basically, schema migrations are now broken for any version of Symfony ACL in combination with DBAL 2.9.0.

See also doctrine/dbal#3389

PHP 5.5 compatibility

According to composer.json, this package is compatible with 5.5.9+

But 744c6d5 introduces 7.1+ code

Running test suite with 5.6
PHP Parse error: syntax error, unexpected ':', expecting ';' or '{' in /builddir/build/BUILDROOT/php-symfony-security-acl-3.0.3-1.el7.remi.x86_64/usr/share/php/Symfony/Component/Security/Acl/Domain/SecurityIdentityRetrievalStrategy.php on line 88

Extending MaskBuilder to 64 bits

Would it be possible to extend MaskBuilder to support more than 32 permission masks? Or are there any limitations? I know that acl_entries table has 'mask' defined as INT(11) but I can change it to bigint but don't know if this has any effect on acl?

[SecurityBundle] Fatal error on check is granted for class field

Initial issue described here symfony/symfony#12875 by @alipek

Here's updated description:

Try to check a field: is_granted('VIEW', nameClass, 'fooFieldName')
The application throws an error:

Fatal Error: Argument 1 passed to Symfony\Component\Security\Acl\Domain\UserSecurityIdentity::equals() must implement interface Symfony\Component\Security\Acl\Model\SecurityIdentityInterface, instance of Symfony\Component\Security\Acl\Domain\FieldEntry given

or, if sid is Role:

Catchable Fatal Error: Argument 1 passed to Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity::equals() must implement interface Symfony\Component\Security\Acl\Model\SecurityIdentityInterface,
instance of Symfony\Component\Security\Acl\Domain\FieldEntry given,
called in ... custom class ("$sid->equals($ace->getSecurityIdentity());") ... and defined in vendor/symfony/symfony/src/Symfony/Component/Security/Acl/Domain/RoleSecurityIdentity.php on line 53

This is a problem with serialization of the FieldEntry and Entry types.
Serialization works when the Acl has only one FieldEntry object, but fails when there is more than one.

@alipek showed this with a test in pull request symfony/symfony#12873, which was closed by @fabpot because the acl component was moved into this repository,
so here's a new PR with a test to demonstrate the bug: #8

Update: Here's serialized data from the example test (difference between two ACEs highlighted):

a:1:{i:0;a:2:{s:8:"fieldOne";a:1:{i:0;C:48:"Symfony\Component\Security\Acl\Domain\FieldEntry":312:{a:2:{i:0;s:3:"foo";i:1;s:279:"a:7:{i:0;i:123456;i:1;i:123;i:2;**O:39:"Mock_SecurityIdentityInterface_54ceb335":2:{s:67:"Mock_SecurityIdentityInterface_54ceb335__phpunit_invocationMocker";N;s:65:"Mock_SecurityIdentityInterface_54ceb335__phpunit_originalObject";N;}**i:3;s:8:"foostrat";i:4;b:0;i:5;b:1;i:6;b:1;}";}}}s:8:"fieldTwo";a:1:{i:0;C:48:"Symfony\Component\Security\Acl\Domain\FieldEntry":112:{a:2:{i:0;s:3:"foo";i:1;s:80:"a:7:{i:0;i:123456;i:1;i:123;i:2;**r:8;**i:3;s:8:"foostrat";i:4;b:0;i:5;b:1;i:6;b:1;}";}}}}}

First FieldEntry has SecurityIdentityInterface mock,
second FieldEntry has "r8", that is somehow restored to first FieldEntry.

PHP 5.5.26
Not exactly the same, but similar serialize/unserialize issue: https://3v4l.org/sSL6F
Another example provided by @alsma https://3v4l.org/viORV

The `acl:init` throws error creating schema in Microsoft SQL Server

Running acl:init against MSSQL Server throws this exception. I am using the latest pdo_sqlsrv and sqlsrv versions available for PHP ^7.4, Microsoft SQL Server 19 Developer Edition and Symfony 5.4.
The temporary solution I will try now is to set up an SQLite connection just for the ACL.

{"message":"Error thrown while running command \"acl:init\". Message: \"An exception occurred while executing a query: SQLSTATE[42000]: [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Introducing FOREIGN KEY constraint 'FK_825DE299C671CEA1' on table 'acl_object_identity_ancestors' may cause cycles or multiple cascade paths. Specify ON DELETE NO ACTION or ON UPDATE NO ACTION, or modify other FOREIGN KEY constraints.\"","context":{"exception":{"class":"Doctrine\\DBAL\\Exception\\DriverException","message":"An exception occurred while executing a query: SQLSTATE[42000]: [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Introducing FOREIGN KEY constraint 'FK_825DE299C671CEA1' on table 'acl_object_identity_ancestors' may cause cycles or multiple cascade paths. Specify ON DELETE NO ACTION or ON UPDATE NO ACTION, or modify other FOREIGN KEY constraints.","code":1785,"file":"/var/www/isg/package-development/vendor/doctrine/dbal/src/Driver/API/SQLSrv/ExceptionConverter.php:67","previous":{"class":"Doctrine\\DBAL\\Driver\\PDO\\Exception","message":"SQLSTATE[42000]: [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Introducing FOREIGN KEY constraint 'FK_825DE299C671CEA1' on table 'acl_object_identity_ancestors' may cause cycles or multiple cascade paths. Specify ON DELETE NO ACTION or ON UPDATE NO ACTION, or modify other FOREIGN KEY constraints.","code":1785,"file":"/var/www/isg/package-development/vendor/doctrine/dbal/src/Driver/PDO/Exception.php:26","previous":{"class":"PDOException","message":"SQLSTATE[42000]: [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Introducing FOREIGN KEY constraint 'FK_825DE299C671CEA1' on table 'acl_object_identity_ancestors' may cause cycles or multiple cascade paths. 
Specify ON DELETE NO ACTION or ON UPDATE NO ACTION, or modify other FOREIGN KEY constraints.","code":42000,"file":"/var/www/isg/package-development/vendor/doctrine/dbal/src/Driver/PDO/Connection.php:34"}}},"command":"acl:init","message":"An exception occurred while executing a query: SQLSTATE[42000]: [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Introducing FOREIGN KEY constraint 'FK_825DE299C671CEA1' on table 'acl_object_identity_ancestors' may cause cycles or multiple cascade paths. Specify ON DELETE NO ACTION or ON UPDATE NO ACTION, or modify other FOREIGN KEY constraints."},"level":500,"level_name":"CRITICAL","channel":"console","datetime":"2022-01-20T10:38:44.865413-05:00","extra":{}}
10:38:44 CRITICAL  [console] Error thrown while running command "acl:init". Message: "An exception occurred while executing a query: SQLSTATE[42000]: [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Introducing FOREIGN KEY constraint 'FK_825DE299C671CEA1' on table 'acl_object_identity_ancestors' may cause cycles or multiple cascade paths. Specify ON DELETE NO ACTION or ON UPDATE NO ACTION, or modify other FOREIGN KEY constraints." ["exception" => Doctrine\DBAL\Exception\DriverException { …},"command" => "acl:init","message" => "An exception occurred while executing a query: SQLSTATE[42000]: [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Introducing FOREIGN KEY constraint 'FK_825DE299C671CEA1' on table 'acl_object_identity_ancestors' may cause cycles or multiple cascade paths. Specify ON DELETE NO ACTION or ON UPDATE NO ACTION, or modify other FOREIGN KEY constraints."]
{"message":"Command \"acl:init\" exited with code \"1785\"","context":{"command":"acl:init","code":1785},"level":100,"level_name":"DEBUG","channel":"console","datetime":"2022-01-20T10:38:44.877416-05:00","extra":{}}

Replace\disable default AclVoter

Is it possible to replace the default AclVoter (Symfony\Component\Security\Acl\Voter\AclVoter)?

Otherwise, is it possible to disable the default AclVoter?

Thanks

getUserIdentifier() instead of getUsername() in SF5.3 and higher?

I am sorry, this is more likely a question than an issue report. An answer will actually help me to understand things.

In several places like this,

$identifier = $sid->getClass().'-'.$sid->getUsername();

there is the getUsername call, but, if the UserInterface::getUsername is deprecated since SF5.3, is it going to be replaced by getUserIdentifier() in the security-acl bundle too?

Mutable ACL Provider

Hello guys, I'm using Symfony 2.8 and ACL in order to check the permissions for all users in every action in my application. I have a problem with the Mutable ACL provider. In some places I'm trying to remove user permissions, and I'm using the deleteClassAce method of the ACL with the respective index for the specific user. After executing the method and trying to update the ACL, the ACL responds with "Notice: Undefined offset: 4". Looking in the ACL class, I saw that the deleteAce method executes an unset on the aces array, "unset($aces[$index]);", and this deletes the element from the array but does not reset the array positions, so the indexes in the array are lost, for example.

Before executing deleteClassAce I have these indexes (0,1,2,3,4); after executing deleteClassAce using index 2 the new indexes are (0,1,3,4) instead of (0,1,2,3). That is normal because it is typical behavior of PHP arrays. The problem is that after executing deleteClassAce I need to give other permissions in the ACL I'm using, and in MutableAclProvider you have this code in the updateOldAceProperty method.

for ($i = 0, $c = count($new); $i < $c; ++$i) {
    $ace = $new[$i];

    if (null !== $ace->getId()) {
        $currentIds[$ace->getId()] = true;
    }
}

for ($i = 0, $c = count($old); $i < $c; ++$i) {
    $ace = $old[$i];

    if (!isset($currentIds[$ace->getId()])) {
        $this->connection->executeQuery($this->getDeleteAccessControlEntrySql($ace->getId()));
        unset($this->loadedAces[$ace->getId()]);
    }
}

As you can see, you are iterating the array using an index, and I have in my $old ACL the indexes (0,1,3,4). The for loop creates incremental indexes, and index 2 is generated after increasing the variable $i; in the $ace assignment, of course, if $i = 2 the index $old[$i] does not exist at this point, and this is where the notice is thrown.

On my local server I tested a foreach loop instead of the for loop and the ACL works fine; this is the code I changed in the method.

The original method looks like this.

private function updateOldAceProperty($name, array $changes)
{
    list($old, $new) = $changes;
    $currentIds = array();

    for ($i = 0, $c = count($new); $i < $c; ++$i) {
        $ace = $new[$i];

        if (null !== $ace->getId()) {
            $currentIds[$ace->getId()] = true;
        }
    }

    for ($i = 0, $c = count($old); $i < $c; ++$i) {
        $ace = $old[$i];

        if (!isset($currentIds[$ace->getId()])) {
            $this->connection->executeQuery($this->getDeleteAccessControlEntrySql($ace->getId()));
            unset($this->loadedAces[$ace->getId()]);
        }
    }
}

and my method looks like this

private function updateOldAceProperty($name, array $changes)
{
    list($old, $new) = $changes;
    $currentIds = array();

    foreach ($new as $key => $ace) {
        if (null !== $ace->getId()) {
            $currentIds[$ace->getId()] = true;
        }
    }

    foreach ($old as $key => $ace) {
        if (!isset($currentIds[$ace->getId()])) {
            $this->connection->executeQuery($this->getDeleteAccessControlEntrySql($ace->getId()));
            unset($this->loadedAces[$ace->getId()]);
        }
    }
}

and it works for me.

Is this the solution, or is there any other problem with using a foreach loop instead of a for loop?
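The index-gap behaviour described in the post above, as an added stand-alone example (not code from the post or from symfony/security-acl). StubAce, the function names and the sample ACE ids are hypothetical and constructed for illustration. It also shows that merely skipping the missing index, instead of iterating by key, silently leaves a revoked entry undetected.

```php
<?php
declare(strict_types=1);

// Convert notices/warnings into exceptions, as a framework debug handler does.
set_error_handler(static function (int $severity, string $message, string $file, int $line): bool {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Hypothetical stand-in for an ACE; only the id matters here.
final class StubAce
{
    private $id;

    public function __construct(int $id)
    {
        $this->id = $id;
    }

    public function getId(): int
    {
        return $this->id;
    }
}

/**
 * Counter-based walk, the pattern quoted in the post. It assumes keys 0..n-1.
 * With $skipMissing = true a missing key is tolerated instead of raising.
 */
function staleIdsByCounter(array $old, array $new, bool $skipMissing = false): array
{
    $currentIds = [];
    for ($i = 0, $c = count($new); $i < $c; ++$i) {
        if ($skipMissing && !isset($new[$i])) {
            continue;
        }
        $currentIds[$new[$i]->getId()] = true;
    }

    $stale = [];
    for ($i = 0, $c = count($old); $i < $c; ++$i) {
        if ($skipMissing && !isset($old[$i])) {
            continue;
        }
        if (!isset($currentIds[$old[$i]->getId()])) {
            $stale[] = $old[$i]->getId();
        }
    }

    return $stale;
}

/** Key-agnostic walk, the foreach variant proposed in the post. */
function staleIdsByForeach(array $old, array $new): array
{
    $currentIds = [];
    foreach ($new as $ace) {
        $currentIds[$ace->getId()] = true;
    }

    $stale = [];
    foreach ($old as $ace) {
        if (!isset($currentIds[$ace->getId()])) {
            $stale[] = $ace->getId();
        }
    }

    return $stale;
}

// Constructed sample: the old list lost key 2 through an earlier unset(),
// so its keys are 0,1,3,4. In the new list, ACE 14 has been revoked.
$old = [0 => new StubAce(10), 1 => new StubAce(11), 3 => new StubAce(13), 4 => new StubAce(14)];
$new = [new StubAce(10), new StubAce(11), new StubAce(13)];

try {
    staleIdsByCounter($old, $new);
} catch (ErrorException $e) {
    // The counter reaches 2, a key that no longer exists.
    echo 'counter loop raised: ', $e->getMessage(), PHP_EOL;
}

// Tolerating the gap hides the notice but never visits key 4,
// so the revoked ACE 14 is not reported for deletion.
echo 'counter loop, gaps skipped: ', json_encode(staleIdsByCounter($old, $new, true)), PHP_EOL;

// Iterating by key sees every remaining entry and reports ACE 14.
echo 'foreach loop: ', json_encode(staleIdsByForeach($old, $new)), PHP_EOL;
```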

Keys too long: MySql / utf8mb4

[Doctrine\DBAL\Exception\DriverException] An exception occurred while executing 'CREATE TABLE acl_classes (id INT UNSIGNED AUTO_INCREMENT NOT NULL, class_type VARCHAR(200) NOT NULL, UNIQUE INDEX UNIQ_69DD750638A36066 (class_type), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci ENGINE = InnoDB': SQLSTATE[42000]: Syntax error or access violation: 1071 Specified key was too long; max key length is 767 bytes

It worked after setting VARCHAR length to 191 in Dbal/Schema.php:
In function addClassTable() set class_type length to 191.
In function addSecurityIdentitiesTable() set identifier length to 191.
Is there a better way ?

Usage of unsigned integer in table creation: ACL schema is not recognized by doctrine:schema:validate

Hello,

I am getting the exact same problem as the one described here:

symfony/symfony#5108

It has been working fine until I ran composer update today. But now:

$ bin/console doctrine:schema:validate

Mapping
-------


 [OK] The mapping files are correct.


Database
--------


 [ERROR] The database schema is not in sync with the current mapping file.



$ bin/console doctrine:schema:update --force --dump-sql

 The following SQL statements will be executed:

     ALTER TABLE acl_classes CHANGE id id INT UNSIGNED AUTO_INCREMENT NOT NULL;
     ALTER TABLE acl_security_identities CHANGE id id INT UNSIGNED AUTO_INCREMENT NOT NULL;
     ALTER TABLE acl_object_identities CHANGE id id INT UNSIGNED AUTO_INCREMENT NOT NULL;
     ALTER TABLE acl_entries CHANGE id id INT UNSIGNED AUTO_INCREMENT NOT NULL;

 Updating database schema...

     4 queries were executed


 [OK] Database schema updated successfully!

Playing those two commands another time each will result in the same output.

I found that the current security-acl bundle actually implements the same specific unsigned integer in its https://github.com/symfony/security-acl/blob/master/Dbal/Schema.php which were causing symfony/symfony#5108 and were removed in daFish/symfony@57694aa and which led to a merge by FabPot back... in 2012.

Dropping / recreating the DB as well as a fresh composer install did not fix the problem.

More details:

Running within Laragon for Windows 7 with:

  • Apache httpd-2.4.34-win64-VC15
  • MySQL mysql-5.7.19-winx64
  • php-7.2.9-Win32-VC15-x64

DB encoding is utf8_unicode_ci. Tried encoding latin1_swedish_ci with the same issue.

  • symfony/acl-bundle (v1.0.0)
  • symfony/symfony (v3.4.19)
Updating dependencies (including require-dev)
    Finished: success: 0, skipped: 0, failure: 75, total: 75
Package operations: 93 installs, 0 updates, 0 removals
  - Installing symfony/polyfill-ctype (v1.10.0): Downloading (100%)
  - Installing symfony/polyfill-mbstring (v1.10.0): Downloading (100%)
  - Installing twig/twig (v2.5.0): Downloading (100%)
  - Installing paragonie/random_compat (v2.0.17): Downloading (100%)
  - Installing symfony/polyfill-php70 (v1.10.0): Downloading (100%)
  - Installing symfony/polyfill-util (v1.10.0): Downloading (100%)
  - Installing symfony/polyfill-php56 (v1.10.0): Downloading (100%)
  - Installing symfony/symfony (v3.4.19): Loading from cache
  - Installing symfony/polyfill-intl-icu (v1.10.0): Downloading (100%)
  - Installing symfony/polyfill-apcu (v1.10.0): Downloading (100%)
  - Installing psr/simple-cache (1.0.1): Downloading (100%)
  - Installing psr/log (1.1.0): Downloading (100%)
  - Installing psr/link (1.0.0): Downloading (100%)
  - Installing psr/container (1.0.0): Downloading (100%)
  - Installing psr/cache (1.0.1): Downloading (100%)
  - Installing fig/link-util (1.0.0): Downloading (100%)
  - Installing doctrine/lexer (v1.0.1): Downloading (100%)
  - Installing doctrine/annotations (v1.6.0): Downloading (100%)
  - Installing doctrine/reflection (v1.0.0): Downloading (100%)
  - Installing doctrine/event-manager (v1.0.0): Downloading (100%)
  - Installing doctrine/collections (v1.5.0): Downloading (100%)
  - Installing doctrine/cache (v1.8.0): Downloading (100%)
  - Installing doctrine/persistence (v1.1.0): Downloading (100%)
  - Installing doctrine/inflector (v1.3.0): Downloading (100%)
  - Installing doctrine/common (v2.10.0): Downloading (100%)
  - Installing symfony/security-acl (v3.0.1): Downloading (100%)
  - Installing ajgl/csv-rfc (0.1.0): Downloading (100%)
  - Installing ajgl/csv (0.4.0): Downloading (100%)
  - Installing ajgl/csv-bundle (dev-master a6b4873): Cloning a6b487335b from cache
  - Installing friendsofsymfony/ckeditor-bundle (1.1.0): Downloading (100%)
  - Installing monolog/monolog (1.24.0): Loading from cache
  - Installing symfony/monolog-bundle (v3.3.1): Loading from cache
  - Installing sensio/framework-extra-bundle (v5.2.2): Downloading (100%)
  - Installing composer/ca-bundle (1.1.3): Loading from cache
  - Installing sensiolabs/security-checker (v5.0.1): Loading from cache
  - Installing sensio/distribution-bundle (v5.0.23): Loading from cache
  - Installing ramsey/uuid (3.8.0): Loading from cache
  - Installing chadsikorra/php-simple-enum (1.0.0): Loading from cache
  - Installing ldaptools/ldaptools (v0.25.2): Loading from cache
  - Installing ldaptools/ldaptools-bundle (0.9.2): Loading from cache
  - Installing incenteev/composer-parameter-handler (v2.1.3): Loading from cache
  - Installing doctrine/instantiator (1.1.0): Loading from cache
  - Installing doctrine/dbal (v2.9.0): Downloading (100%)
  - Installing doctrine/orm (v2.6.3): Loading from cache
  - Installing doctrine/doctrine-cache-bundle (1.3.5): Loading from cache
  - Installing jdorn/sql-formatter (v1.2.17): Loading from cache
  - Installing doctrine/doctrine-bundle (1.10.0): Downloading (100%)
  - Installing maix-si/connexion (0.6.3): Cloning f1f6a70c31 from cache
  - Installing sonata-project/exporter (1.9.1): Downloading (100%)
  - Installing twig/extensions (v1.5.4): Downloading (100%)
  - Installing sonata-project/datagrid-bundle (2.4.0): Downloading (100%)
  - Installing cocur/slugify (v3.1): Downloading (100%)
  - Installing sonata-project/core-bundle (3.11.2): Downloading (100%)
  - Installing sonata-project/cache (2.0.1): Downloading (100%)
  - Installing sonata-project/block-bundle (3.12.1): Downloading (100%)
  - Installing knplabs/knp-menu (2.3.0): Downloading (100%)
  - Installing knplabs/knp-menu-bundle (v2.2.1): Downloading (100%)
  - Installing sonata-project/admin-bundle (3.38.3): Downloading (100%)
  - Installing sonata-project/doctrine-orm-admin-bundle (3.6.1): Downloading (100%)
  - Installing michelf/php-markdown (1.8.0): Downloading (100%)
  - Installing knplabs/knp-markdown-bundle (1.7.0): Downloading (100%)
  - Installing egeloen/json-builder (3.0.0): Downloading (100%)
  - Installing egeloen/ckeditor-bundle (6.0.1): Downloading (100%)
  - Installing sonata-project/formatter-bundle (3.5.0): Downloading (100%)
  - Installing sonata-project/intl-bundle (2.5.0): Downloading (100%)
  - Installing sonata-project/easy-extends-bundle (2.5.0): Downloading (100%)
  - Installing sonata-project/doctrine-extensions (1.1.2): Downloading (100%)
  - Installing ralouphie/getallheaders (2.0.5): Loading from cache
  - Installing psr/http-message (1.0.1): Downloading (100%)
  - Installing guzzlehttp/psr7 (1.5.2): Downloading (100%)
  - Installing kriswallsmith/buzz (v0.16.1): Downloading (100%)
  - Installing knplabs/gaufrette (v0.6.0): Downloading (100%)
  - Installing phpoption/phpoption (1.5.0): Downloading (100%)
  - Installing phpcollection/phpcollection (0.5.0): Downloading (100%)
  - Installing jms/parser-lib (1.0.0): Downloading (100%)
  - Installing jms/metadata (1.7.0): Downloading (100%)
  - Installing jms/serializer (1.13.0): Downloading (100%)
  - Installing jms/serializer-bundle (2.4.2): Downloading (100%)
  - Installing imagine/imagine (v0.7.1): Downloading (100%)
  - Installing symfony/phpunit-bridge (v3.4.19): Downloading (100%)
  - Installing sonata-project/media-bundle (3.15.0): Downloading (100%)
  - Installing zendframework/zenddiagnostics (v1.3.1): Downloading (100%)
  - Installing sonata-project/notification-bundle (3.5.1): Downloading (100%)
  - Installing swiftmailer/swiftmailer (v5.4.12): Downloading (100%)
  - Installing friendsofsymfony/user-bundle (v2.1.2): Downloading (100%)
  - Installing sonata-project/user-bundle (4.2.3): Downloading (100%)
  - Installing symfony/acl-bundle (v1.0.0): Downloading (100%)
  - Installing symfony/swiftmailer-bundle (v2.6.7): Downloading (100%)
  - Installing sensio/generator-bundle (v3.1.7): Downloading (100%)
  - Installing doctrine/data-fixtures (v1.3.1): Downloading (100%)
  - Installing doctrine/doctrine-fixtures-bundle (3.0.4): Downloading (100%)
  - Installing willdurand/jsonp-callback-validator (v1.1.0): Downloading (100%)
  - Installing friendsofsymfony/jsrouting-bundle (2.2.2): Loading from cache

(...suggestions)

Writing lock file
Generating autoload files
> Incenteev\ParameterHandler\ScriptHandler::buildParameters
Updating the "app/config/parameters.yml" file
> Sensio\Bundle\DistributionBundle\Composer\ScriptHandler::buildBootstrap
> Sensio\Bundle\DistributionBundle\Composer\ScriptHandler::clearCache

 // Clearing the cache for the dev environment with debug
 // true


 [OK] Cache for the "dev" environment (debug=true) was successfully cleared.


> Sensio\Bundle\DistributionBundle\Composer\ScriptHandler::installAssets

 Trying to install assets as relative symbolic links.

(...copy)


 [OK] All assets were successfully installed.


> Sensio\Bundle\DistributionBundle\Composer\ScriptHandler::installRequirementsFile
> Sensio\Bundle\DistributionBundle\Composer\ScriptHandler::prepareDeploymentTarget

My composer.json might help:

{
    "name": "name",
    "license": "license",
    "type": "project",
    "description": "description",
    "autoload": {
        "psr-4": {
            "AppBundle\\": "src/AppBundle",
            "Application\\Sonata\\": "src/Application/Sonata"
        },
        "classmap": [ "app/AppKernel.php", "app/AppCache.php" ]
    },
    "autoload-dev": {
        "psr-4": { "Tests\\": "tests/" },
        "files": [ "vendor/symfony/symfony/src/Symfony/Component/VarDumper/Resources/functions/dump.php" ]
    },
    "require": {
        "php": ">=5.5.9",
        "ext-json": "*",
        "ext-mbstring": "*",
        "ajgl/csv-bundle": "dev-master as 0.5.x-dev",
        "doctrine/doctrine-bundle": "^1.6",
        "doctrine/doctrine-fixtures-bundle": "^3.0",
        "doctrine/orm": "^2.5",
        "friendsofsymfony/ckeditor-bundle": "1.1",
        "friendsofsymfony/jsrouting-bundle": "^2.2",
        "incenteev/composer-parameter-handler": "^2.0",
        "owner/project": "0.6.3",
        "sensio/distribution-bundle": "^5.0.19",
        "sensio/framework-extra-bundle": "^5.0.0",
        "sonata-project/admin-bundle": "3.38.3",
        "sonata-project/block-bundle": "3.12.1",
        "sonata-project/core-bundle": "3.11.2",
        "sonata-project/doctrine-orm-admin-bundle": "3.6.1",
        "sonata-project/easy-extends-bundle": "2.5.0",
        "sonata-project/formatter-bundle": "3.5.0",
        "sonata-project/intl-bundle": "2.5.0",
        "sonata-project/media-bundle": "3.15.0",
        "sonata-project/notification-bundle": "3.5.1",
        "sonata-project/user-bundle": "4.2.3",
        "symfony/acl-bundle": "1.0",
        "symfony/monolog-bundle": "^3.1.0",
        "symfony/polyfill-apcu": "^1.0",
        "symfony/swiftmailer-bundle": "^2.6.4",
        "symfony/symfony": "3.4.*",
        "twig/twig": "^1.0||^2.0"
    },
    "require-dev": {
        "sensio/generator-bundle": "^3.0",
        "symfony/phpunit-bridge": "^3.0"
    },
    "scripts": {
        "symfony-scripts": [
            "Incenteev\\ParameterHandler\\ScriptHandler::buildParameters",
            "Sensio\\Bundle\\DistributionBundle\\Composer\\ScriptHandler::buildBootstrap",
            "Sensio\\Bundle\\DistributionBundle\\Composer\\ScriptHandler::clearCache",
            "Sensio\\Bundle\\DistributionBundle\\Composer\\ScriptHandler::installAssets",
            "Sensio\\Bundle\\DistributionBundle\\Composer\\ScriptHandler::installRequirementsFile",
            "Sensio\\Bundle\\DistributionBundle\\Composer\\ScriptHandler::prepareDeploymentTarget"
        ],
        "post-install-cmd": [
            "@symfony-scripts"
        ],
        "post-update-cmd": [
            "@symfony-scripts"
        ]
    },
    "config": {
        "platform": {
            "php": "7.2"
        },
        "sort-packages": true
    },
    "extra": {
        "symfony-app-dir": "app",
        "symfony-bin-dir": "bin",
        "symfony-var-dir": "var",
        "symfony-web-dir": "web",
        "symfony-tests-dir": "tests",
        "symfony-assets-install": "relative",
        "incenteev-parameters": {
            "file": "app/config/parameters.yml"
        },
        "branch-alias": {
            "dev-master": "3.4-dev"
        }
    },
    "repositories": [
        {
          "type": "git",
          "url": "[email protected]:owner/project.git"
        }
    ]
}

I cannot tell if this has any effect on ACL since I have not yet implemented it.

Anything to do?

Regards

Symfony 6 support

Tests on the main branch currently fail with Symfony 6:

  • AuthenticationTrustResolverInterface::isAnonymous() is called, but that class has been removed in Symfony 6.
  • Some tests use the AnonymousToken class which has also been removed.
  • The constant AuthenticatedVoter::IS_AUTHENTICATED_ANONYMOUSLY is accessed. Gone as well.

Problems with some ACL tables and utf8mb4 encoding

See symfony/symfony#14560 for the previous discussion.

I'm in the process of converting our database from 'utf8' to 'utf8mb4' to support 4-byte Unicode chars (emojis, for example), and when running the conversion queries a problem shows up with the length of some unique keys in the ACL schema, which I can't control myself (well, of course I can, but then in every migration I make afterwards these will come up and try to revert any ALTER TABLE I make to these tables).

mysql> ALTER TABLE acl_security_identities CONVERT TO CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_unicode_ci';
ERROR 1709 (HY000): Index column size too large. The maximum column size is 767 bytes.

By default InnoDB can have a maximum index size of 767 bytes. With utf8 encoding, which uses at most 3 bytes per char, you get 255 characters. But in utf8mb4 you now can only index string columns with at most 191 characters. This InnoDB setting can be changed but you have to change all the database and table file formats (see http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/).

So my question would be whether the default string lengths of 200 chars that the acl_security_identities and acl_classes unique keys have could be tuned to 191 chars. It's only 9 chars less; I guess it would not be a big problem.

Thanks!

2.8 and 3.0 releases for security-acl?

Hi guys!

We've extracted this from the core; will there be a release? I haven't followed the issue tracker closely; are there still pending items that need to be done?

Thanks!

Object ace order issues caused by deleteSecurityIdentity method

Recently I started to look at ACL tables and noticed that all the existing entries are still there even after deleting objects or security identities.

So I looked it up and found the two methods that do exactly that in MutableAclProvider.php: deleteSecurityIdentity() and deleteAcl().

Now, deleting the ACL is easy and works great when removing a user. However, I also want to remove the security identity to prevent the issue where someone signs up with the same user name later and manages to get the same permissions as the previous user.

The problem:
Deleting security identity leaves object ace indexes not in order [0, 1, 3, 4] etc.

This causes an issue when trying to modify the ACL for objects that were affected by the security identity delete. The method updateOldAceProperty() is called and causes the undefined index notice to be thrown, due to the for loop expecting correctly ordered indexes.

MutableAclProvider.php Line 980

for ($i = 0, $c = count($old); $i < $c; ++$i) {
    $ace = $old[$i];
    if (!isset($currentIds[$ace->getId()])) {
        $this->connection->executeQuery($this->getDeleteAccessControlEntrySql($ace->getId()));
        unset($this->loadedAces[$ace->getId()]);
    }
}

Looking at it, all it does is try to delete the old ace that was already deleted by the deleteSecurityIdentity() method.

A simple solution would be to transform the for loop into a foreach, which would fix the index issues:

foreach ($old as $ace) {
    if (!isset($currentIds[$ace->getId()])) {
        $this->connection->executeQuery($this->getDeleteAccessControlEntrySql($ace->getId()));
        unset($this->loadedAces[$ace->getId()]);
    }
}

Let me know if I have wrong approach to this or it seems ok and could be changed in the main repository
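The difference between the two loop shapes on a gapped key set such as [0, 1, 3, 4], as an added example that is not part of the original post or of the library's code: besides hitting the missing key, the index-based walk stops at count($old) and never reaches the last entry. FakeAce, the two helper functions and the sample ids are constructed for this illustration.

```php
<?php
// Constructed stand-in for an ACE: only the id matters for this demonstration.
final class FakeAce
{
    private $id;
    public function __construct(int $id) { $this->id = $id; }
    public function getId(): int { return $this->id; }
}

// Index-based walk, same shape as the loop quoted from MutableAclProvider.
function idsToDeleteWithFor(array $old, array $currentIds): array
{
    $stale = [];
    for ($i = 0, $c = count($old); $i < $c; ++$i) {
        if (!array_key_exists($i, $old)) {
            // The quoted loop reads $old[$i] at this point and raises the notice.
            $stale[] = "undefined index $i";
            continue;
        }
        $ace = $old[$i];
        if (!isset($currentIds[$ace->getId()])) {
            $stale[] = $ace->getId();
        }
    }
    return $stale;
}

// Key-agnostic walk, as proposed in the post: gaps in the keys do not matter.
function idsToDeleteWithForeach(array $old, array $currentIds): array
{
    $stale = [];
    foreach ($old as $ace) {
        if (!isset($currentIds[$ace->getId()])) {
            $stale[] = $ace->getId();
        }
    }
    return $stale;
}

// Constructed data: the entry at order 2 vanished with the cascade delete.
$old = [0 => new FakeAce(10), 1 => new FakeAce(11), 3 => new FakeAce(13), 4 => new FakeAce(14)];
// ACE ids still present in the ACL being saved; 13 and 14 were removed by the caller.
$currentIds = [10 => true, 11 => true];

var_dump(idsToDeleteWithFor($old, $currentIds));
var_dump(idsToDeleteWithForeach($old, $currentIds));
```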

[BUG] Ace order is breaking after the deletion of a security identity

When you delete a security identity with MutableAclProvider::deleteSecurityIdentity(), all ACL entries associated with this security identity are deleted (cascade).

There are 2 problems arising from this behavior:

First, we get an error when we add, modify or delete other ACL entries, if the deleted ACL entries are not the last (the PR #24 partially corrects this problem, but it is missing the change to the methods MutableAclProvider::updateNewFieldAceProperty() and MutableAclProvider::updateOldFieldAceProperty()).

Secondly, when you add another ACL entry for the same object identifier, sometimes the value of ACE Order is the same as another ACL entry. This happens when you delete a cascading ACL entry that is not the last in order of ACL entries.

Last, it is impossible to reproduce the bug in unit tests with SQLite, because cascade removal is not working. The result is that the ACL entry has a security identity with a null value in the database, and that the method findAcls creates a RoleSecurityIdentity instance with an empty role name "".

Example:

class MutableAclProviderTest extends \PHPUnit_Framework_TestCase
{
    //...

    public function testDeleteUserSecurityIdentity()
    {
        $provider = $this->getProvider();
        $acl = $provider->createAcl(new ObjectIdentity(1, 'Foo'));
        $sid = new UserSecurityIdentity('johannes', 'FooClass');
        $sid2 = new UserSecurityIdentity('francois', 'FooClass');
        $acl->setEntriesInheriting(!$acl->isEntriesInheriting());

        $acl->insertObjectAce($sid, 1);
        $acl->insertObjectAce($sid2, 2);
        $acl->insertObjectAce($sid, 2);
        $provider->updateAcl($acl);

        $reloadProvider = $this->getProvider();
        $reloadedAcl = $reloadProvider->findAcl(new ObjectIdentity(1, 'Foo'));
        $this->assertCount(3, $reloadedAcl->getObjectAces());

        $reloadProvider->deleteSecurityIdentity($sid2);

        $reloadProviderEmpty = $this->getProvider();
        $reloadedAclEmpty = $reloadProviderEmpty->findAcl(new ObjectIdentity(1, 'Foo'));
        $this->assertNotSame($reloadProvider, $reloadedAclEmpty);
        $this->assertCount(2, $reloadedAclEmpty->getObjectAces());
        // Assert failed because count = 3
    }
}

It's really very disturbing in production.

Is Security ACL abandoned?

Since the ACLs were extracted from Symfony 3.0, the library has not been updated for 1 year now.

Some issues and pull requests have been created since, but there has been no response to, or merging of, the bug reports.

Examples:

  • Ace order is breaking after the deletion of a security identity: #5, #23, #24, #28, #29
  • Entry serialization: #9, #16
  • Provider with Oracle database: #11

Hence my question: is this library officially abandoned?

Thanks

Symfony 4 compatibility

Will you make a 4.x release to update composer.json so this can be installed with symfony 4?

Update tests

If someone wants to help, one can help update the tests to modern PHPUnit. Right now, we still have some getMock() calls, and tests with no assertions.

declaration incompatibility error in SF7

In the Symfony 7 security bundle the VoterInterface::vote method signature has changed and this causes the following incompatibility error in AclVoter class:

Declaration of Symfony\Component\Security\Acl\Voter\AclVoter::vote(Symfony\Component\Security\Core\Authentication\Token\TokenInterface $token, $subject, array $attributes) must be compatible with Symfony\Component\Security\Core\Authorization\Voter\VoterInterface::vote(Symfony\Component\Security\Core\Authentication\Token\TokenInterface $token, mixed $subject, array $attributes): int in /var/www/html/vendor/symfony/security-acl/Voter/AclVoter.php on line 54

The signature should be changed in AclVoter, too:
public function vote(TokenInterface $token, mixed $subject, array $attributes): int

The command "init:acl" doesn't work for me.

I use the latest version of Symfony (3.0+). When I tried to enable the ACL on my project, I got the error message:
[Symfony\Component\Console\Exception\CommandNotFoundException]
There are no commands defined in the "init" namespace.

I checked that security-acl has been installed into my project and ran the composer update command.
It is still.

So, what's happened?

findAcl returns aces for all sids

I get the following security identities from $securityIdentityRetrievalStrategy->getSecurityIdentities($token):

array (size=5)
  0 => 
    object(Symfony\Component\Security\Acl\Domain\UserSecurityIdentity)[769]
      private 'username' => string 'Username' (length=14)
      private 'class' => string 'AppBundle\Entity\User' (length=31)
  1 => 
    object(Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity)[775]
      private 'role' => string 'ROLE_USER' (length=9)
  2 => 
    object(Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity)[780]
      private 'role' => string 'IS_AUTHENTICATED_FULLY' (length=22)
  3 => 
    object(Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity)[781]
      private 'role' => string 'IS_AUTHENTICATED_REMEMBERED' (length=27)
  4 => 
    object(Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity)[779]
      private 'role' => string 'IS_AUTHENTICATED_ANONYMOUSLY' (length=28)

When I call $aclProvider->findAcl($objectIdentity, $securityIdentities) and iterate over the ACES, there are still aces fetched from DB with other security identities, that are not in the list of user security identities.

Does the findAcl method filter (or is supposed to) ACES according to passed security identities?

Why doesn't doctrine fixture bundle truncate symfony ACL tables?

I use Symfony with the doctrine fixtures bundle. I created the ACL tables using the php bin/console init:acl command; I could also create them using the php bin/console doctrine:schema:update --force command.

I load fixtures using the php bin/console doctrine:fixtures:load command. When I use this command, it truncates all tables except the acl_* tables (acl_classes, acl_entries, acl_object_identities, acl_object_identity_ancestors, acl_security_identities) before executing. Why does this happen, and how can I make this command truncate all DB tables?
