Symfony 2 Acls insertClassAces

I'm using Symfony ACLs, and I've noticed that when a class ACL is created for the first time, an acl_object_identities row is also created with object_identifier = class.

But if you insert a class ACE (acl_entries), object_identity_id is set to NULL. I wonder why the acl_object_identity previously created is not used?

table acl_class : 6 xxxxxxxx/myclass

table acl_object_identities 63 NULL 6 class 1

table acl_entries 199 6 NULL 1 NULL 3 1073741823 1 all 0 0

Shouldn't it be this? 199 6 63 1 NULL 3 1073741823 1 all 0 0

I don't understand why a class object identity is created and not used with class entries.

This is my code; maybe there is something wrong:

    use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
    use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
    use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
    use Symfony\Component\Security\Acl\Permission\MaskBuilder;
    use Symfony\Component\Security\Acl\Util\ClassUtils;

    // find or create the class-scoped ACL
    $classIdentity = new ObjectIdentity('class', ClassUtils::getRealClass($class));
    $aclProvider = $this->getService('security.acl.provider');
    try {
        $acl = $aclProvider->findAcl($classIdentity);
    } catch (AclNotFoundException $e) {
        $acl = $aclProvider->createAcl($classIdentity);
    }

    // insert a class-scope ACE (mask 128 is MaskBuilder::MASK_OWNER)
    $maskBuilder = new MaskBuilder(128);
    $securityId = new RoleSecurityIdentity('ROLE_ADMIN');
    $acl->insertClassAce($securityId, $maskBuilder->get());
    $aclProvider->updateAcl($acl);

Thanks

I hope I've read your question correctly.

The acl_object_identities table contains just that: object identities. Even when you create a class-scope ACE, you must provide a valid object identity, and you do so by using a "dummy" identifier named class. Theoretically, this could have been anything except NULL or an empty string. Using class is a common convention in these cases.

Remember that ACLs could theoretically have a mix of object-scope ACEs and global-scope ACEs (with or without fields). Without the (dummy) object identity present in the acl_object_identities table, you cannot use the ACL directly, for instance for updating or deleting.

Another reason why you would want to access such an ACL directly is when checking for permissions when there are no objects present:

    use Symfony\Component\Security\Acl\Domain\ObjectIdentity;

    // $context is the security context (AuthorizationCheckerInterface in newer releases)
    $objectIdentity = new ObjectIdentity('class', 'The\Namespaced\Class');
    if ($context->isGranted('CREATE', $objectIdentity)) {
        // you are allowed to create objects of this class
    }

This would come in handy to check against "global" CREATE permissions for a class.

The acl_entries table consists of all ACEs, both object-scope and class-scope ACEs. When the object_identity_id is set to NULL the entry is a class-scope ACE, otherwise it's an object-scope ACE. The class-scope ACEs only need to know which class is used and don't really care about object identities, which is why this field can be empty. The class_id field is used in those cases to figure out the class type.

Theoretically, they could have removed the class_id column from the acl_entries and always used the object_identity_id instead, because that table also has a link to the class_id. However, that would require an extra join, and we still need to add somewhere in the ace_table whether the entry is a class-scope ACE or an object-scope ACE.

Keep in mind that a lot of things about the ACLs are written for efficiency and speed reasons, which degrades readability on occasion.
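The following is an added example that is not part of the question or the answer above. It ties the two together: it grants a role a class-scope ACE (the row with object_identity_id = NULL), then checks the class-level identity for CREATE and a concrete object for VIEW. It goes slightly beyond the answer in two ways a practitioner usually needs: it avoids stacking duplicate ACEs on every run, and it creates the object's own ACL, because the ACL voter denies access when findAcl throws AclNotFoundException for the object, even if a class ACE exists. The class name Acme\DemoBundle\Entity\Post, the $aclProvider and $authChecker services, and the helper function names are assumptions for illustration.

```php
<?php
// Added example, not code from the question or from Symfony itself.
// Assumes a Symfony 2.x app with the ACL component configured:
//   $aclProvider  = $container->get('security.acl.provider');   // MutableAclProviderInterface
//   $authChecker  = $container->get('security.authorization_checker'); // or 'security.context' on older 2.x

use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

/**
 * Grant $role the permissions in $mask on every object of $className.
 * Stored as a class-scope ACE: object_identity_id = NULL, class_id set.
 */
function grantClassPermissions(MutableAclProviderInterface $aclProvider, $className, $role, $mask)
{
    // The "dummy" identifier 'class' is what lands in acl_object_identities;
    // it is what makes the class ACL addressable for later updates.
    $classIdentity = new ObjectIdentity('class', $className);

    try {
        $acl = $aclProvider->findAcl($classIdentity);
    } catch (AclNotFoundException $e) {
        $acl = $aclProvider->createAcl($classIdentity);
    }

    $sid = new RoleSecurityIdentity($role);

    // Idempotent: if this role already has a class ACE, update its mask
    // instead of inserting a second ACE each time this code runs.
    foreach ($acl->getClassAces() as $index => $ace) {
        if ($ace->getSecurityIdentity()->equals($sid)) {
            $acl->updateClassAce($index, $mask);
            $aclProvider->updateAcl($acl);
            return $acl;
        }
    }

    $acl->insertClassAce($sid, $mask); // index 0, granting = true
    $aclProvider->updateAcl($acl);

    return $acl;
}

/**
 * Make sure a domain object has its own ACL row. Without it the ACL voter
 * cannot load an ACL for the object and votes to deny, so the class ACE
 * never gets a chance to apply. Class ACEs are loaded into the object's ACL
 * automatically because they share the same class_id.
 */
function ensureObjectAcl(MutableAclProviderInterface $aclProvider, $domainObject)
{
    $oid = ObjectIdentity::fromDomainObject($domainObject); // needs getId()
    try {
        return $aclProvider->findAcl($oid);
    } catch (AclNotFoundException $e) {
        return $aclProvider->createAcl($oid);
    }
}

/** Class-level check: no object exists yet, so ask about the class identity. */
function canCreate(AuthorizationCheckerInterface $authChecker, $className)
{
    return $authChecker->isGranted('CREATE', new ObjectIdentity('class', $className));
}

/** Object-level check: object ACEs are consulted first, then class ACEs. */
function canView(AuthorizationCheckerInterface $authChecker, $domainObject)
{
    return $authChecker->isGranted('VIEW', $domainObject);
}

// --- usage (hypothetical entity class) ---
$className = 'Acme\DemoBundle\Entity\Post';

// Build a narrow mask rather than MASK_OWNER (128), which implies every
// permission on every Post for the role. Least privilege: VIEW + CREATE + EDIT.
$builder = new MaskBuilder();
$builder->add(MaskBuilder::MASK_VIEW)
        ->add(MaskBuilder::MASK_CREATE)
        ->add(MaskBuilder::MASK_EDIT);

grantClassPermissions($aclProvider, $className, 'ROLE_EDITOR', $builder->get());

$allowedToCreate = canCreate($authChecker, $className); // true for ROLE_EDITOR

// $post is an existing Post entity loaded elsewhere (assumption)
ensureObjectAcl($aclProvider, $post);
$allowedToView = canView($authChecker, $post); // true via the class ACE
```

Two things worth checking in the database after running this: acl_entries should contain exactly one row for ROLE_EDITOR on the class, no matter how often the code runs, with object_identity_id NULL and class_id pointing at the Post class; and acl_object_identities should contain both the 'class' row and one row per Post that has been checked, since the voter needs the latter to exist.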