Manatax

Reputation: 4223

Interpret Symfony's ACL's schema

I'm migrating a system from symfony2 to node. Most of it is going fine, but I've had some trouble understanding how ACL works. I've got an idea now, but looking at the mysql schema, I see that I have 2 columns with the actual permissions, ace_order and mask. Can someone please tell me why there are 2 fields instead of only one and/or how to interpret them so I can translate to a simpler schema.

CREATE TABLE `acl_entries` (
    `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
    `class_id` int(10) unsigned NOT NULL,
    `object_identity_id` int(10) unsigned DEFAULT NULL,
    `security_identity_id` int(10) unsigned NOT NULL,
    `field_name` varchar(50) COLLATE utf8_unicode_ci DEFAULT NULL,
    `ace_order` smallint(5) unsigned NOT NULL, -- <== first col
    `mask` int(11) NOT NULL,                   -- <== second col
    `granting` tinyint(1) NOT NULL,
    `granting_strategy` varchar(30) COLLATE utf8_unicode_ci NOT NULL,
    `audit_success` tinyint(1) NOT NULL,
    `audit_failure` tinyint(1) NOT NULL,
    PRIMARY KEY (`id`)
    -- ... other key stuff ...
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci ROW_FORMAT=COMPACT;

Edit:
I'm mostly interested in how ace_order affects the permissions.

Upvotes: 0

Views: 258

Answers (1)

Jasper N. Brouwer

Reputation: 21817

There is only one column that contains the actual permissions, and that is mask. This column contains a bitmask, which is called the "permission mask", which is stored as an integer, which represents the cumulative permissions in the ACE.

Other columns can influence if permission is granted:

ace_order is used to determine which ACE is checked first. If the ACE is applicable, it will be used to grant (or deny) permission. If not, the next ACE is checked.

The order is determined by the order of adding ACEs: the last ACE added will have order 0, the first will have the highest number. As a general rule you should add ACEs from least specific to most specific, meaning the most specific one will be checked first.

granting is a boolean (stored as integer) that specifies if the permissions in the ACE are granted or denied.

granting_strategy specifies how the permissions you ask for are compared with the ones in the ACE. In other words: if the ACE is applicable. You can find an explanation in the source of PermissionGrantingStrategy.

Upvotes: 2
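To show how ace_order, mask, granting and granting_strategy interact when rows from acl_entries are evaluated, here is an added Node.js example that mirrors the evaluation the answer describes (it is not Symfony's own code). It assumes rows are plain objects with the column names above, that granting_strategy holds one of the three strategy names Symfony uses ('all', 'any', 'equal'), and uses the bit values of Symfony's MaskBuilder for the permission constants; the sample rows are constructed.

```javascript
// Permission bits as used by Symfony's MaskBuilder (VIEW=1, CREATE=2, EDIT=4, DELETE=8, ...).
const MASK = { VIEW: 1, CREATE: 2, EDIT: 4, DELETE: 8, UNDELETE: 16, OPERATOR: 32, MASTER: 64, OWNER: 128 };

// granting_strategy decides whether an ACE "applies" to the mask being asked for.
function isAceApplicable(requiredMask, ace) {
  switch (ace.granting_strategy) {
    case 'all':   return (ace.mask & requiredMask) === requiredMask; // every requested bit is present
    case 'any':   return (ace.mask & requiredMask) !== 0;            // at least one requested bit is present
    case 'equal': return ace.mask === requiredMask;                  // exact match only
    default: throw new Error(`unknown granting_strategy: ${ace.granting_strategy}`);
  }
}

// Evaluate the ACEs of one object for the caller's security identities (sids) and the masks asked for.
// Returns true (granted), false (an applicable ACE denied) or null (no applicable ACE at all).
function hasSufficientPermissions(aces, requiredMasks, sids) {
  const ordered = [...aces].sort((a, b) => a.ace_order - b.ace_order); // ace_order 0 is checked first
  let firstRejected = null;
  for (const requiredMask of requiredMasks) {
    for (const sid of sids) {
      // The first applicable ACE for this sid decides; later ACEs are not consulted.
      const ace = ordered.find(a => a.security_identity_id === sid && isAceApplicable(requiredMask, a));
      if (!ace) continue;                 // no ACE for this sid applies, try the next sid
      if (ace.granting) return true;      // granting=1: permission granted
      if (firstRejected === null) firstRejected = ace;
      break;                              // granting=0: stop looking for this mask, move to the next mask
    }
  }
  return firstRejected !== null ? false : null;
}

// Constructed sample rows for security identity 1 (not from the question). The deny ACE was added
// last, so it got ace_order 0 and is checked before the broader grant; rows are listed unsorted on purpose.
const sampleAces = [
  { ace_order: 1, security_identity_id: 1, mask: MASK.VIEW | MASK.EDIT, granting: 1, granting_strategy: 'all' },
  { ace_order: 0, security_identity_id: 1, mask: MASK.EDIT,             granting: 0, granting_strategy: 'any' },
];

function demo() {
  const swapped = sampleAces.map(a => ({ ...a, ace_order: 1 - a.ace_order })); // same rows, order reversed
  return {
    view: hasSufficientPermissions(sampleAces, [MASK.VIEW], [1]),          // true: deny ACE does not apply to VIEW
    edit: hasSufficientPermissions(sampleAces, [MASK.EDIT], [1]),          // false: deny ACE is checked first
    del: hasSufficientPermissions(sampleAces, [MASK.DELETE], [1]),         // null: no ACE covers DELETE
    editWhenGrantFirst: hasSufficientPermissions(swapped, [MASK.EDIT], [1]), // true: ace_order changes the outcome
  };
}
```

The `editWhenGrantFirst` case is the point of ace_order: the same two rows yield a different decision once the broader grant has the lower order, which is why a flattened schema cannot simply OR the masks together.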
