Reputation: 4993
I want to model my access control in Symfony2 with Access Control lists. Users have different roles which allow class scope access, but they can also have object scope access. Default example: admin role can edit all comments, and a user can edit his own comments.
Now the problem is checking the permissions: at the moment it is only checked for either class or object scope:
$securityContext->isGranted('EDIT', $identity)
where $identity is either new ObjectIdentity('class', 'Acme\\BlogBundle\\Document\\Comment') or the comment object itself.
I thought the voter would check both class scope and object scope access, based on the fact that a comment
object obviously provides its own class. Now how would I go about implementing this? Create a custom voter? Or am I missing something else entirely?
Edit: The docs say: "The PermissionGrantingStrategy first checks all your object-scope ACEs; if none is applicable, the class-scope ACEs will be checked": http://symfony.com/doc/current/cookbook/security/acl_advanced.html
So that apparently means if there is an object scope, the class scope is not considered at all. :(
Upvotes: 0
Views: 835
Reputation: 4993
Well, when creating a class scope, I should have used
$acl->insertClassAce($securityIdentity, MaskBuilder::MASK_OWNER);
instead of ->insertObjectAce(...).
This makes it work in the standard MySQL implementation, but the IamPersistent/MongoDBAclBundle has a bug where there is no link between the acl_entry and the class scope acl_oid, which causes the class scopes to never appear in the $acl during voting.
Upvotes: 2
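The class-scope versus object-scope setup the answer describes, written out end to end as an added example (not code from the original question or answer). It assumes the stock Symfony 2 Doctrine DBAL ACL provider (the MongoDB bundle bug mentioned above would still bite), a Comment document at Acme\BlogBundle\Document\Comment with getId() and a hypothetical getAuthor() returning the author's UserInterface, admins carrying ROLE_ADMIN, and a service wired with the acl provider and security context. The class-wide rule is stored with insertClassAce on the 'class' ObjectIdentity; the per-comment owner rule is stored with insertObjectAce on the comment's own ACL, which the voter needs to exist anyway so it can load the class-scope ACEs alongside it.

```php
<?php
// Added example, not part of the original post. Assumes: Symfony 2 with the
// Doctrine DBAL ACL provider, a Comment with getId()/getAuthor() (getAuthor()
// is a hypothetical accessor), admins with ROLE_ADMIN.

use Acme\BlogBundle\Document\Comment;
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Exception\AclAlreadyExistsException;
use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;
use Symfony\Component\Security\Core\SecurityContextInterface;

class CommentAclManager
{
    private $aclProvider;
    private $securityContext;

    public function __construct(MutableAclProviderInterface $aclProvider,
                                SecurityContextInterface $securityContext)
    {
        $this->aclProvider     = $aclProvider;
        $this->securityContext = $securityContext;
    }

    /**
     * Class scope: every ROLE_ADMIN may edit any Comment. Run this once
     * (for example from a console command), not once per comment.
     */
    public function grantAdminsClassWideEdit()
    {
        // The 'class' pseudo-identity from the question; its ACL is the
        // natural place to hang class-scope ACEs.
        $classOid = new ObjectIdentity('class', 'Acme\\BlogBundle\\Document\\Comment');

        try {
            $acl = $this->aclProvider->createAcl($classOid);
        } catch (AclAlreadyExistsException $e) {
            $acl = $this->aclProvider->findAcl($classOid);
        }

        // insertClassAce, NOT insertObjectAce: the ACE is stored against the
        // class id (object identity NULL), so it applies to every Comment.
        $acl->insertClassAce(new RoleSecurityIdentity('ROLE_ADMIN'), MaskBuilder::MASK_EDIT);
        $this->aclProvider->updateAcl($acl);
    }

    /**
     * Object scope: the author owns their own comment. Call this when the
     * comment is persisted. The per-object ACL row is also what lets the
     * voter find an ACL for the comment at all; without it the lookup
     * fails and access is denied before any class-scope ACE is consulted.
     */
    public function grantAuthorOwnership(Comment $comment)
    {
        $objectOid = ObjectIdentity::fromDomainObject($comment);
        $acl = $this->aclProvider->createAcl($objectOid);

        $ownerSid = UserSecurityIdentity::fromAccount($comment->getAuthor());
        $acl->insertObjectAce($ownerSid, MaskBuilder::MASK_OWNER);
        $this->aclProvider->updateAcl($acl);
    }

    /**
     * One check covers both scopes: the voter evaluates object-scope ACEs
     * first, then falls back to class-scope ACEs if none applied. Passing
     * the comment object (not the 'class' identity) is what makes both
     * scopes reachable.
     */
    public function canEdit(Comment $comment)
    {
        return $this->securityContext->isGranted('EDIT', $comment);
    }
}
```

Usage: call grantAdminsClassWideEdit() once at deploy time, grantAuthorOwnership($comment) whenever a comment is created, and guard the edit action with canEdit($comment). For an admin the object-scope ACE for the author does not apply (different SID), so the strategy falls through to the ROLE_ADMIN class-scope ACE and grants; for the author the object-scope OWNER ACE grants directly; for anyone else both scopes are exhausted and access is denied.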